Static Application Security Testing (SAST) Jan 17, 2016 by Sarah Vonnegut What is Static Application Security Testing? Static Application Security Testing, shortened as SAST and also referred to as White-Box Testing, is a type of security testing which analyzes an applications source code to determine if security vulnerabilities exist. SAST solutions looks at the application ‘from the inside-out’, without needing to actually compile the code. Gartner states that “SAST should be a mandatory requirement for all organizations developing applications,” and with 80% of attacks aimed at the application layer, according to Gartner, SAST is one of the top ways to ensure your application security is sound. Because SAST test looks at the code before it’s been compiled without executing anything, SAST tools can be employed as early in the SDLC (software development lifecycle) as possible to achieve maximum benefit from security testing. Many SAST solutions also scan uncompiled code, making early detection of security vulnerabilities easier and saving up to 100 times the cost of needing to fix bug With about 80% of attacks aimed at the application layer, according to Gartner, SAST is one of the top ways to ensure your application security is sound. What Are the Benefits of SAST? Find and fix issues faster: By detecting security flaws during the first stages of development – as opposed to other forms of testing right before release or in post-production – high-risk issues can be resolved quickly and without needing to break the application build. When security testing isn’t run throughout the SDLC, there’s a higher risk of allowing vulnerabilities get through to the released application, increasing the chance of allowing hackers through the application. By embedding Static Application Security Testing throughout an organizations’ SDLC, all team members working on the code can receive near real-time feedback on the code they’re working on. SAST tools like Source Code Analysis are built to detect high-risk software vulnerabilities, including SQL Injection, Buffer Overflows, Cross-Site Scripting, Cross-Site Request Forgery, as well as the rest of the OWASP Top 10, SANS 25 and other standards used in the security industry. Integrate with established tools & platforms: SAST tools can be easily integrated into already-established process and tools in an organizations SDLC, such as the developers IDE (Integrated Development Environment), bug trackers, source repositories and other testing tools to further ensure that security testing is consistent and effective.