The AppSec How-To: Choosing a SAST Tool

Jun 04, 2013 By carolineb

Given the wide range of source code analysis tools, security professionals, auditors and developers alike are faced with a question:

How to assess a Static Analysis Software Testing (SAST) tool for deployment? Choosing the right tool requires different considerations during each stage of the SAST tool evaluation process.

Evaluation Preparation

The following qualifiers should be settled before testing a SAST tool, so that the evaluation starts with clear expectations:

  1. List of languages. Ensure that the SAST tool supports the languages in the development environment.
  2. Access to source and binary files. Some SAST tools run only on the source code files (pre-compilation scanning), while others run on the binaries (post-compilation scanning). Unlike scanning the source code, post-compilation scanning requires all project dependencies to be available in order to run the scan.
  3. Deployment. Confirm that the SAST tool supports the preferred mode of operation – on-premise or on-demand.
  4. Parties within the organization responsible for code security. Define how code security is managed within the organization. For example, one organization might prefer having a dedicated team – such as code auditors or an application security team – which provides the security services to the organization.
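The first two qualifiers can be checked mechanically before any vendor call: inventory which languages actually appear in the code base, compare that against a candidate tool's supported-language list, and list the dependency manifests that a post-compilation scanner would need to resolve. The script below is an added example, not code from the original post or from Checkmarx; the extension-to-language map, the manifest names, the skipped directories and the candidate tool's support list are all assumptions chosen for illustration, and the sample paths are constructed.

```python
"""Inventory the languages in a code base and compare them with a SAST
tool's supported-language list (added example; not any vendor's code).
The mappings and the candidate support list are assumptions."""
import os
from collections import Counter
from typing import Dict, Iterable, List

# Assumed mapping of file extensions to languages; extend for your environment.
EXTENSION_LANGUAGE = {
    ".java": "Java", ".cs": "C#", ".js": "JavaScript", ".ts": "TypeScript",
    ".py": "Python", ".php": "PHP", ".rb": "Ruby", ".go": "Go",
    ".c": "C", ".h": "C", ".cpp": "C++", ".hpp": "C++",
    ".kt": "Kotlin", ".swift": "Swift", ".scala": "Scala", ".pl": "Perl",
}

# Dependency manifests: if the candidate tool scans compiled output, every
# dependency declared in these files must be resolvable on the scan host.
DEPENDENCY_MANIFESTS = {
    "pom.xml", "build.gradle", "package.json", "requirements.txt",
    "Gemfile", "go.mod", "packages.config",
}

# Directories holding third-party or generated code rather than the team's own.
SKIP_DIRS = {".git", "node_modules", "vendor", "build", "dist", "target"}

# Constructed sample repository layout used when no path is given.
SAMPLE_PATHS = [
    "src/main/java/App.java", "src/main/java/Util.java", "web/app.js",
    "scripts/deploy.py", "legacy/report.pl", "node_modules/lodash/index.js",
    "pom.xml", "web/package.json",
]


def _in_skipped_dir(path: str) -> bool:
    parts = path.replace("\\", "/").split("/")
    return any(p in SKIP_DIRS for p in parts[:-1])


def classify_paths(paths: Iterable[str]) -> Counter:
    """Count source files per language from a list of relative paths."""
    counts: Counter = Counter()
    for path in paths:
        if _in_skipped_dir(path):
            continue
        _, ext = os.path.splitext(os.path.basename(path))
        lang = EXTENSION_LANGUAGE.get(ext.lower())
        if lang:
            counts[lang] += 1
    return counts


def find_manifests(paths: Iterable[str]) -> List[str]:
    """Return dependency manifests present, ignoring skipped directories."""
    return sorted(p for p in paths
                  if not _in_skipped_dir(p)
                  and os.path.basename(p) in DEPENDENCY_MANIFESTS)


def coverage_gaps(inventory: Counter, supported: Iterable[str]) -> Dict[str, int]:
    """Languages in the code base the tool does not support, with file counts."""
    supported_set = {s.lower() for s in supported}
    return {lang: n for lang, n in inventory.items()
            if lang.lower() not in supported_set}


def walk_repo(root: str) -> List[str]:
    """Collect relative file paths under root, pruning skipped directories."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return paths


def evaluate(paths: Iterable[str], supported: Iterable[str]) -> dict:
    """Build the pre-evaluation report for one candidate tool."""
    paths = list(paths)
    inventory = classify_paths(paths)
    return {
        "inventory": dict(inventory),
        "unsupported": coverage_gaps(inventory, supported),
        "manifests": find_manifests(paths),
    }


if __name__ == "__main__":
    import sys
    paths = walk_repo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    # Assumed support list for a hypothetical candidate tool.
    candidate_supports = ["Java", "C#", "JavaScript", "Python", "PHP"]
    report = evaluate(paths, candidate_supports)
    print("Languages found:", report["inventory"])
    print("Not covered by candidate:", report["unsupported"])
    print("Dependency manifests (needed for binary scanning):", report["manifests"])
```

Run it against a checkout (`python sast_inventory.py path/to/repo`) for each candidate tool's support list; a non-empty "not covered" set is a gap the vendor must answer for, and a long manifest list is a sign that a post-compilation scanner will need a full build environment rather than a bare source export.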
