This is one of the 52 terms in The Language of Cybersecurity published by XML Press in 2018 and the contributor for this term is Lucas von Stockhausen.

What is it?

A test for security vulnerabilities that looks at the source code or binary of an application without running it.

Why is it important?

Static Application Security Testing (SAST) can be used before an application is executable, enabling early and regular tests for security vulnerabilities. SAST allows developers to fix problems during the development phase of an application and at a much lower cost than when the code is in quality assurance (QA) or production.

Why does a business professional need to know this?

Business professionals and developers need to understand the basics of SAST and its essential role in catching vulnerabilities early in the development process. This is especially critical for environments where there is limited time for final product testing.

SAST analyzes an application for security vulnerabilities without executing the code. SAST looks for insecure coding patterns in the source code, bytecode, or binary of the application. SAST can help identify the exact lines of code where an attack might occur. SAST can then recommend how to fix the vulnerability.

SAST examines all the possible ways a piece of software could run, including edge cases that rarely occur in practice. For example, this can show vulnerabilities whether the data is entered by a user, comes in through a database, or comes in from an application programming interface (API).

SAST is best used by integrating it into the build environment. This allows developers to detect vulnerabilities early, while the application is still under development, and it helps ensure that all of the application code is examined.

Recent extensions of SAST allow it to be part of an integrated development environment (IDE), where spellchecker-like testing can give immediate feedback as code is written.