Static Analysis Security Testing
Static Analysis Security Testing (SAST) is a powerful way to identify potential security flaws in a program.
While techniques are varied, SAST tools are designed to produce security warnings representing potentially risky pathways through a program’s source code. Risky pathways typically involve receiving user-controlled data that then makes its way through the source code and ending up outside the program, such as a website form to make a purchase making it into an orders database table. The reverse is sometimes true as well: data can go from the database back out to the user.
SAST tools present a security warning, or finding, when the user data is not modified to remove attacks (sanitation) or is not checked against a list of known good characters (validation or an allow list). The absence of sanitization or validation triggers a finding to be flagged as potentially damaging. Such potentially damaging pathways and findings are what SAST tools try to find within source code.
- Scan less of the attack surface of the program, and thus have fewer findings to review and increase the risk of important findings not being identified.
- Add more people to review the results.
Intelligent Finding Analysis (IFA) offers an additional approach to managing large sets of findings from SAST assessments.
To take advantage of IFA, verify that the property use_ifa
in
scan.ozsettings is set to "true"
.