Featured

10 Easy Rules To Improve Your SAST ROI
Mark Hermeling, VP Solutions Engineering
One of the attributes of strong development teams is that they are always on the lookout for improvements in their tools and processes. Static application security testing (SAST) is a critical capability, especially for code that is safety and security critical. This presentation will provide 10 easy rules that you can use to evaluate if there is room for improvement in how you use SAST in your current DevSecOps process.
All episodes
-
How to best handle SAST results in your software development process
Mark Hermeling, VP Solutions Engineering
Static Application Security Testing (SAST) tools are powerful: they provide feedback on the quality of the software that developers are writing. Good SAST tools provide a lot of information in that feedback, from a score that helps you understand how dangerous a warning is, to a filename and line number, to a path through the source code that helps with remediation.
Managing all this power requires a dedicated approach, especially when introducing a SAST solution into a running development process. Not all warnings are worth fixing: sometimes a tool can be too pedantic, or there are other controls that prevent a warning from requiring a source code modification. A static analysis warning is not always directly an error in the way a compiler error or a runtime crash is.
This presentation, part of GrammaTech’s SAST Practitioner series, will look into SAST tool output and will outline a convenient way to use the output of SAST tools to improve software quality early in the development process, without overloading developers with too much information and allowing them to focus on the work at hand.
-
Delivering SAST results with the speed of relevance
Mark Hermeling, VP Solutions Engineering
Static Application Security Testing (SAST) is one of the most important software best practices to put in place. SAST, done well, helps software engineers remove defects from their code that they never thought existed, or simply overlooked.
The reason for this is simple: good SAST tools calculate through all available execution paths of a piece of software in a technique called abstract execution. This, of course, takes time to do well. And this is one of the tasks that SAST users struggle with when introducing SAST into a running project, especially a large one: how to get results to the software developer quickly.
This presentation, part of GrammaTech’s SAST Practitioner series, will look into various ways to perform software builds with SAST enabled, and how to speed up delivery of results to the software engineers.