The AppSec How-To: Choosing a SAST Tool

Given the wide range of source code analysis tools, security professionals, auditors and developers alike are faced with a question:

How to assess a Static Analysis Software Testing (SAST) tool for deployment? Choosing the right tool requires different considerations during each stage of the SAST tool evaluation process.

Evaluation Preparation

The following qualifiers are required prior to testing the SAST tool in order to set initial  expectations:

  1. List of languages. Ensure that the SAST tool supports the languages in the development environment.
  2. Access to source and binary files. Some SAST tools run only on the source code files (pre-compilation scanning), while others run on the binaries (post-compilation scanning). As opposed to scanning on the source code, post-compilation scanning requires all project dependences in order to run the scan.
  3. Deployment. Confirm the SAST tool supports the preferred mode of operation – on premise or on-demand.
  4. Parties within the organization responsible for code security. Define how code security is managed within the organization. For example, one organization might prefer having a dedicated team – such as code auditors or an application security team – which provides the security services to the organization.

View full article here

 

The following two tabs change content below.

carolineb

Latest posts by carolineb (see all)

Jump to Category