The Secure Development Lifecycle (often abbreviated SDL, or SDLC) is the practice of applying a range of security activities to software while it is being built, with the intent of producing more robust and reliable software. These activities are varied and can be applied at different stages of the development lifecycle. One important activity is Static Application Security Testing (SAST), a testing methodology that analyzes the source code (or, with some tools, the compiled bytecode) of an application without executing it, in order to identify potential security issues. Typically this is done with specialized SAST tools and is integrated into a continuous integration and continuous delivery/deployment (CI/CD) pipeline.
SAST matters because conducting it early in the development lifecycle lets teams identify and address code-level security issues before the software reaches production, where fixing them is significantly more costly. Doing SAST may sound trivial, simply running a tool over a source code repository, but it comes with a variety of challenges, including choosing the right tool, preparing for scale, integrating into workflows, managing triage, and fostering cross-team collaboration. This article highlights key considerations for an effective SAST implementation.
Understand your requirements first
Many teams simply search for a scanner that supports their programming language, download it, run it against the source code, store the results, and consider the task complete. While this approach is quick and checks some compliance boxes, it is unlikely to produce valuable results. To implement SAST correctly, you must first identify the requirements of your organization. This means understanding the current security posture of your products and prioritizing applications for testing based on a thorough risk assessment that considers factors such as business impact, data sensitivity, and exposure to external threats. With this foundation, define the goals of your SAST program. These goals could be specific to your organization or team; some high-level goals could be as simple as reducing the number of security vulnerabilities shipped with each release, meeting compliance standards, or cultivating a culture of secure development among developers. At all times, ensure the SAST goals align with broader organizational security objectives.
Choose the right tools
With software embedded into all aspects of our lives, development environments have become more complex than ever. Developers work with a variety of languages, libraries, tools, and frameworks, often leveraging open source code to avoid re-inventing the wheel. To integrate SAST seamlessly, it is essential to choose tools that support and integrate with your existing technology stack. This may require using multiple SAST tools to cover diverse environments. At a minimum, a SAST tool should be compatible with your CI/CD pipelines, code repositories, and technologies such as Jenkins, containers, and cloud infrastructure. Favoring tools that emit a standard results format such as SARIF also makes it much easier to aggregate findings from several scanners and to swap a tool out later without rewriting your triage tooling.
Scalability is another critical consideration. Software is ever-growing with new code, repositories, and developers being added to meet evolving needs. The tools selected must be capable of handling growth while integrating into your existing infrastructure, such as Identity and Access Management (IAM) systems and Single Sign-On (SSO) without requiring extensive reconfiguration.
1. Conduct pilot runs before the full rollout
Even minor changes to the development workflow can cause significant disruption. Rolling out a SAST program without proper consideration can lead to inefficiencies and resistance from teams. Instead, start with a pilot program with one or two teams who are willing to participate, ideally teams that embrace new technology and push boundaries.
Pilot runs allow you to assess the tool's accuracy, usability, and ease of integration into your pipelines. Feedback from these runs helps address challenges, fine-tune configurations, and document processes for onboarding additional teams. This feedback also provides an opportunity to validate earlier decisions about tool selection or explore alternative tools that may better suit your workflows.
2. Establish a security policy
With the broader rollout of SAST, establishing a clear security policy is essential. Not all flagged issues are equal. Define what constitutes a critical, high, medium, or low severity issue in the context of the software under development, your organizational goals, its users, and its risk profile. Also define clear remediation timelines for each category. This requires weighing the issue's impact, any available mitigations, and whether a fix is feasible now or must be scheduled. Clear guidelines minimize confusion and drive more consistent practices across teams, and they give your CI/CD gates an objective rule to enforce (for example, "no open critical findings may be merged").
3. CI/CD integration and shifting left
Once the SAST tool has demonstrated value and usability, integrate it into your CI/CD pipelines so that it runs automatically and provides continuous security checks. Run the scans as part of the regular build process in a way that does not disrupt normal workflows, and make the gate decision follow the severity policy defined earlier rather than the scanner's raw output, so that the pipeline fails for the issues your organization has agreed are blocking and only for those.
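The following is an added example of such a policy gate, not code from the article or from any Red Hat product: it reads a SARIF 2.1.0 report (the OASIS results format most SAST tools can emit), maps each finding to an organizational severity, and exits non-zero when the configured thresholds are exceeded. The severity mapping, the thresholds and the remediation deadlines in `POLICY` are an assumed example policy, the preference for the GitHub-style `security-severity` rule property is an assumed convention, and the embedded SARIF document is constructed sample data.

```python
"""CI policy gate for SAST results (added example, assumed policy)."""
import json
import sys
from collections import Counter

# Assumed organizational policy: how many findings of each severity a build
# may contain before it is blocked, and the remediation SLA in days that is
# reported next to each finding. 'None' means no limit / informational.
POLICY = {
    "critical": {"max_allowed": 0, "fix_within_days": 7},
    "high": {"max_allowed": 0, "fix_within_days": 30},
    "medium": {"max_allowed": 10, "fix_within_days": 90},
    "low": {"max_allowed": None, "fix_within_days": None},
}

# Constructed sample SARIF report with three results: a scored critical rule,
# an unscored warning, and a note with no location information.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection", "properties": {"security-severity": "9.8"}},
            {"id": "py/insecure-temp-file"},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from user-controlled input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 88}}}]},
            {"ruleId": "py/insecure-temp-file", "level": "warning",
             "message": {"text": "tempfile.mktemp() is subject to a race"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/export.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "py/unused-import", "level": "note",
             "message": {"text": "Unused import"}, "locations": []},
        ],
    }],
}


def severity_of(result, rules):
    """Map one SARIF result to an org severity (assumed mapping).

    A CVSS-like 'security-severity' score on the rule wins when present;
    otherwise fall back to the SARIF 'level' (error/warning/note).
    """
    rule = rules.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        score = float(score)
        if score >= 9.0:
            return "critical"
        if score >= 7.0:
            return "high"
        return "medium" if score >= 4.0 else "low"
    return {"error": "high", "warning": "medium", "note": "low"}.get(
        result.get("level", "warning"), "medium")


def load_findings(sarif):
    """Flatten a SARIF document into a list of finding dicts."""
    findings = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            # A result may legitimately carry no location (e.g. whole-project rules).
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"),
                "severity": severity_of(res, rules),
                "file": loc.get("artifactLocation", {}).get("uri", "<no location>"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def evaluate(findings, policy=POLICY):
    """Return (counts per severity, list of (severity, count, limit) violations)."""
    counts = Counter(f["severity"] for f in findings)
    violations = [(sev, counts[sev], rule["max_allowed"])
                  for sev, rule in policy.items()
                  if rule["max_allowed"] is not None and counts[sev] > rule["max_allowed"]]
    return counts, violations


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF  # constructed sample, used when no report path is given
    findings = load_findings(sarif)
    order = list(POLICY)
    for f in sorted(findings, key=lambda f: order.index(f["severity"])):
        sla = POLICY[f["severity"]]["fix_within_days"]
        sla_text = f"fix within {sla}d" if sla else "informational"
        print(f'[{f["severity"]:8}] {f["file"]}:{f["line"]} {f["rule"]}: {f["message"]} ({sla_text})')
    counts, violations = evaluate(findings)
    print("summary:", dict(counts))
    for sev, count, limit in violations:
        print(f"POLICY VIOLATION: {count} {sev} finding(s), at most {limit} allowed")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline you would run `python sast_gate.py results.sarif` after the scanner step; the non-zero exit is what fails the job. Keeping the thresholds in one place means the gate can start permissive during a pilot (for example, blocking only on critical) and be tightened as the backlog shrinks, without touching the scanner configuration.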
Encourage developers to "shift left" by integrating the SAST tool into their integrated development environments (IDEs) so issues are caught while the code is being written, long before the merge or pull request. This gives developers immediate feedback on security issues while the context is still fresh, which is far cheaper than a fix after review or in production. It also fosters a security-first mindset among developers, rather than security being an afterthought handled at the very end of the development lifecycle.
4. Foster collaboration
Creating resilient software is a joint effort between multiple teams, primarily the security and engineering teams. Security teams can run training sessions and produce internal documentation so that development teams can be onboarded to SAST quickly and effectively. With their experience, security teams are well placed to guide engineering teams on the best practices to follow.
Today's development teams are dynamic and need quick assistance when it comes to addressing blockers stifling their ability to innovate. Effective collaboration requires open communication channels and readily available resources, such as FAQs, to address development teams' concerns quickly.
5. Address common challenges
SAST is not new, but it still presents recurring challenges when integrated into workflows. Some of those challenges include:
- False positives: Static analysis reasons about code without running it, so it must approximate data flow and reachability, and that approximation errs toward over-reporting. This is a real challenge for teams who are short on time and need to sift through hundreds of results to find the real issues. Teams starting out can configure the SAST tool to surface only critical and high findings first, which can be addressed in a timely manner. In parallel, and if the tool allows it, team members can review and tune the ruleset to suppress findings that are irrelevant to their projects, drawing on the developers' knowledge of the codebase. Record every suppression with a justification and an owner: silently disabling a rule lowers the noise, but it also lowers what the scanner can still catch.
- Long scan times: A large codebase can take a long time to scan, which means a long wait for feedback. Engineers can restrict scans to the critical parts of the codebase for faster results. If that is not an option, check whether the SAST tool supports incremental or differential scans (analyzing only the files changed in a pull request) and whether it can parallelize analysis across modules; a common pattern is a fast differential scan on every pull request and a full scan on the main branch on a schedule.
- Resistance to adoption: Many teams resist yet another hurdle between writing software and delivering it. Measuring whether SAST is effective is important when justifying continued investment in the program. Provide teams with tangible, demonstrable benefits, such as security issues fixed before the software went into production, a reduced count of newly introduced security issues compared to before, and increased confidence at deployment time. Success stories from teams already using SAST are a great way to encourage other teams to adopt it.
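The false-positive discussion above calls for a triage record that keeps reviewed findings out of the way without hiding anything new. The following is an added example of such a baseline, not code from the article or any Red Hat product: each finding is fingerprinted from its rule, file and the whitespace-normalized offending source line (deliberately not the line number, so the fingerprint survives unrelated edits that shift code), and suppressions carry a justification, a reviewer and an expiry date so they are re-examined instead of living forever. The finding and baseline schemas are assumptions for this example, and the sample findings are constructed; a real baseline would store the fingerprints as hex strings in a checked-in file rather than computing them as done here.

```python
"""Fingerprint-based triage baseline for SAST findings (added example)."""
import hashlib
import re
from datetime import date


def fingerprint(finding):
    """Stable identity for a finding: rule + file + normalized source line.

    Line numbers are excluded on purpose so that inserting or removing code
    elsewhere in the file does not turn a triaged finding into a 'new' one.
    """
    snippet = re.sub(r"\s+", " ", finding["snippet"]).strip()
    material = f'{finding["rule"]}|{finding["file"]}|{snippet}'
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def triage(findings, baseline, today):
    """Split findings into (actionable, suppressed, expired).

    'suppressed' entries pair the finding with the recorded justification;
    'expired' findings were once suppressed but the suppression has lapsed
    and must be re-reviewed, so callers should treat them as actionable too.
    """
    active = {e["fingerprint"]: e for e in baseline
              if date.fromisoformat(e["expires"]) >= today}
    known = {e["fingerprint"] for e in baseline}
    actionable, suppressed, expired = [], [], []
    for f in findings:
        fp = fingerprint(f)
        if fp in active:
            suppressed.append((f, active[fp]["reason"]))
        elif fp in known:
            expired.append(f)
        else:
            actionable.append(f)
    return actionable, suppressed, expired


# Constructed sample findings as a scanner might report them today.
SAMPLE_FINDINGS = [
    {"rule": "python.sql-injection", "file": "app/db.py", "line": 88,
     "snippet": "cur.execute(f\"SELECT * FROM users WHERE name = '{name}'\")"},
    {"rule": "python.hardcoded-password", "file": "app/forms.py", "line": 42,
     "snippet": 'PASSWORD_FIELD = "password"'},
    {"rule": "python.weak-hash", "file": "app/cache.py", "line": 10,
     "snippet": "key = hashlib.md5(url.encode()).hexdigest()"},
]

# Constructed baseline. The first entry was recorded when the same line sat
# at line 17 with different spacing; it still matches because the fingerprint
# ignores both. The second entry's suppression expired at the end of 2024.
SAMPLE_BASELINE = [
    {"fingerprint": fingerprint({"rule": "python.hardcoded-password", "file": "app/forms.py",
                                 "line": 17, "snippet": 'PASSWORD_FIELD   =  "password"'}),
     "reason": "Form field label, not a credential", "reviewer": "appsec", "expires": "2025-12-31"},
    {"fingerprint": fingerprint({"rule": "python.weak-hash", "file": "app/cache.py",
                                 "line": 10, "snippet": "key = hashlib.md5(url.encode()).hexdigest()"}),
     "reason": "MD5 used only as a cache key", "reviewer": "appsec", "expires": "2024-12-31"},
]


def report(findings=SAMPLE_FINDINGS, baseline=SAMPLE_BASELINE, today=None):
    """Print a triage summary and return the number of findings needing attention."""
    today = today or date.today()
    actionable, suppressed, expired = triage(findings, baseline, today)
    for f in actionable:
        print(f'NEW      {f["file"]}:{f["line"]} {f["rule"]}')
    for f in expired:
        print(f'EXPIRED  {f["file"]}:{f["line"]} {f["rule"]} (suppression lapsed, re-review)')
    for f, reason in suppressed:
        print(f'IGNORED  {f["file"]}:{f["line"]} {f["rule"]}: {reason}')
    return len(actionable) + len(expired)


if __name__ == "__main__":
    report(today=date(2025, 3, 1))
```

Run on 1 March 2025, the SQL injection is reported as new, the expired MD5 suppression is flagged for re-review, and the field-name false positive stays quiet with its justification printed beside it, so an auditor can see why. Committing the baseline next to the code and requiring review on changes to it turns "tuning out noise" into a reviewable, time-bounded decision rather than a silent loss of coverage.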
6. Improvement over time
The needs of development teams change over time. Establish processes for regularly gathering feedback through surveys, meetings, or retrospectives. Use this feedback to refine the SAST program. Stay updated on industry trends and emerging threats, and ensure your SAST tools and processes evolve accordingly.
7. How Artificial Intelligence (AI) can help
There have been significant recent developments in AI, machine learning (ML) and large language models (LLMs). Organizations can apply these developments to their SAST programs to make them more effective. Consider the following ways AI can help:
- Machine learning models can be trained on historical triage decisions to separate genuine issues from false positives; keep a human review step in the loop, since such a model will also reproduce any past triage mistakes it was trained on
- AI can help understand the context of a code change and focus attention on the areas most likely to matter if a security issue is present
- An LLM can interpret source code comments and commit messages to provide more contextual analysis of code behavior
- AI can help tailor security training to developers and ease the challenges of delivering that training
The many benefits of SAST
Next time you are triaging a ticket produced by a SAST finding, think about the bigger picture of how SAST helps you proactively identify and fix issues. SAST not only reduces risk and helps you stay compliant with industry standards, it also fosters a security-conscious culture. Continued investment in improving your SAST program strengthens the security posture of your software. When organizations embrace SAST and continuously refine their approach, they can move beyond reactive security measures and build a foundation of security-enhanced software. Red Hat Trusted Application Pipeline (RHTAP) can help you on this journey by running the entire build process in a highly secure and manageable workflow.
About the author
Seasoned Software and Security Engineering professional.
Primary interests are Security, Linux, Malware.
Loves working on the command-line.
Interested in low-level software and understanding how things work.