Experiment 4

The document discusses static application security testing (SAST) tools, including their pros and cons. It provides examples of seven popular open source SAST tools and recommends GitLab and SonarQube for use with open source projects. The document also includes sample questions and answers about SAST tools.

Uploaded by: aakashdhotre12

Aim: Study of open source SAST tools (including the code-scanning features offered by platforms
such as GitHub and GitLab) and practical use of at least one of them.

Theory:
Source code analysis tools, also known as Static Application Security Testing (SAST) tools,
analyze source code or compiled versions of code to find security flaws without executing the
program. SAST tools can be integrated into your IDE and into the build, so issues are detected
while the software is being written. Feedback from a SAST tool saves time and effort compared
with finding the same vulnerabilities later in the development cycle, when fixes cost more.

Pros and Cons of SAST


Pros
• Scales well – can be run on lots of software, and can be run repeatedly (as with nightly
builds or continuous integration).
• Identifies certain well-known vulnerabilities, such as:
  ◦ Buffer overflows
  ◦ SQL injection flaws
• Output helps developers, as SAST tools highlight the problematic code, by filename,
location, line number, and even the affected code snippet.

Cons
• Difficult to automate searches for many types of security vulnerabilities, including:
  ◦ Authentication problems
  ◦ Access control issues
  ◦ Insecure use of cryptography
• Current SAST tools are limited. They can automatically identify only a relatively small
percentage of application security flaws.
• High numbers of false positives.
• Frequently unable to find configuration issues, since they are not represented in the code.
• Difficult to ‘prove’ that an identified security issue is an actual vulnerability.
• Many SAST tools have difficulty analyzing code that can’t be compiled. Analysts frequently
cannot compile code unless they have:
  ◦ Correct libraries
  ◦ Compilation instructions
  ◦ All required code
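To make the pros and cons above concrete, here is a deliberately small AST-based checker in Python. It is an added example written for this page, not code from any of the tools named here; the file it scans is a constructed sample, and the rule ids (SQLI, EVAL) are invented for illustration. It reports findings by filename, line, column and snippet, exactly the output format listed as a pro, and the sample input is chosen so that the same two rules produce a true positive, a false positive (a query built only from string literals) and a false negative (a query assigned to a variable first, which the checker does not follow), which are the cons in miniature.

```python
"""Tiny AST-based SAST checker (added illustration, not a real tool)."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    filename: str
    line: int
    col: int
    rule: str      # hypothetical rule id, e.g. "SQLI" or "EVAL"
    message: str
    snippet: str   # the offending source line, as a real tool would show it


def _is_dynamic_string(node: ast.AST) -> bool:
    """Heuristic: the expression builds a string at runtime.

    f-strings, `%` / `+` expressions and `.format()` calls are all treated as
    dynamic. This is deliberately naive: `"a" + "b"` is matched too, even
    though it can only ever produce a constant (the false positive below).
    """
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class Checker(ast.NodeVisitor):
    def __init__(self, filename: str, source: str):
        self.filename = filename
        self.lines = source.splitlines()
        self.findings: list[Finding] = []

    def _report(self, node: ast.AST, rule: str, message: str) -> None:
        self.findings.append(Finding(self.filename, node.lineno, node.col_offset,
                                     rule, message, self.lines[node.lineno - 1].strip()))

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # Rule SQLI: first argument of .execute()/.executemany() is built at runtime.
        if (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")
                and node.args and _is_dynamic_string(node.args[0])):
            self._report(node, "SQLI", "SQL statement built with string operations; "
                                       "use a parametrised query")
        # Rule EVAL: eval()/exec() on anything that is not a literal.
        if (isinstance(func, ast.Name) and func.id in ("eval", "exec")
                and node.args and not isinstance(node.args[0], ast.Constant)):
            self._report(node, "EVAL", f"{func.id}() on non-literal input")
        self.generic_visit(node)   # keep walking: calls can be nested in arguments


def scan(filename: str, source: str) -> list[Finding]:
    """Parse `source` and return findings in source order."""
    checker = Checker(filename, source)
    checker.visit(ast.parse(source, filename=filename))
    return checker.findings


def format_findings(findings: list[Finding]) -> list[str]:
    """Render findings the way SAST tools do: file:line:col, rule, message, snippet."""
    return [f"{f.filename}:{f.line}:{f.col}: [{f.rule}] {f.message}\n    {f.snippet}"
            for f in findings]


# Constructed sample input for the checker (not from any real project).
SAMPLE = '''\
import sqlite3

def lookup(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)   # true positive
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))    # safe: parametrised
    cur.execute("SELECT * FROM users " + "WHERE active = 1")      # false positive: literals only
    query = f"SELECT * FROM users WHERE id = {name}"
    cur.execute(query)                                            # false negative: not followed
    return eval(name)                                             # true positive
'''

if __name__ == "__main__":
    for line in format_findings(scan("sample.py", SAMPLE)):
        print(line)
```

Running the file prints three findings: lines 5 and 7 for SQLI and line 10 for EVAL. The line 7 hit is a false positive that a slightly smarter rule could drop by skipping operands that are all constants, but that only moves the boundary; the missed `cur.execute(query)` on line 9 needs data-flow tracking across assignments, which is why real tools grow large and still miss cases, and why each finding has to be confirmed by a human before it is called a vulnerability.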

Top seven SAST tools


1. .NET Security Guard - .NET, C#, VB.net.
2. APIsecurity.io Security Audit - online tool for OpenAPI / Swagger file static security
analysis.
3. Bandit - Bandit is a comprehensive source vulnerability scanner for Python.
4. clj-holmes - A CLI SAST (Static application security testing) tool which was built with
the intent of finding vulnerable Clojure code via rules that use a simple pattern language.
5. Dawnscanner - Dawnscanner is an open source security source code analyzer for Ruby,
supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also
works on non-web applications written in Ruby.
6. Enlightn - Enlightn is a vulnerability scanner specifically designed for Laravel PHP
applications that combines SAST, DAST, IAST and configuration analysis techniques to
detect vulnerabilities.
7. Find Security Bugs - Java, Scala, Groovy

Conclusion:
• SAST tools are a valuable tool for identifying security vulnerabilities in your code.
• There are a number of SAST tools available, both open source (for example Bandit, Find
Security Bugs and SonarQube) and commercial (for example Fortify SCA). OWASP Dependency-Check
is a software composition analysis tool that checks third-party dependencies for known
vulnerabilities; it complements SAST but does not analyze your own code.
• To use a SAST tool for practical purposes, you can follow these steps: install the tool,
configure it to scan your source code, run the scan, and review the results.
• SAST tools are not perfect and can sometimes miss vulnerabilities. It is important to use
them in conjunction with other security testing techniques, such as DAST and manual
code review.
• GitLab's SAST functionality and SonarQube are two good options for open source
projects.
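The last two steps, run the scan and review the results, normally end in a pass/fail decision in CI. The script below is an added example for this page (it is not part of Bandit, GitLab SAST or SonarQube) that reads a Bandit JSON report and decides whether the job should fail. The embedded report is a constructed sample in the shape of `bandit -f json` output (fields `results[].filename`, `line_number`, `test_id`, `issue_severity`, `issue_confidence`, `issue_text`, `code`); the severity and confidence thresholds, the path exclusion and the baseline fingerprint are policy choices made here for illustration. Bandit has its own severity, confidence and baseline options on the command line; the logic is reimplemented so that it is visible.

```python
"""Gate a CI job on a Bandit JSON report (added example; not part of Bandit)."""
import json
import sys

# Constructed sample in the shape of `bandit -r . -f json` output. Not real scan data.
REPORT_JSON = '''
{
  "errors": [],
  "results": [
    {"filename": "app/db.py", "line_number": 12, "test_id": "B608",
     "test_name": "hardcoded_sql_expressions",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "code": "12 cur.execute('SELECT * FROM users WHERE id = ' + user_id)"},
    {"filename": "app/util.py", "line_number": 40, "test_id": "B307",
     "test_name": "blacklist",
     "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "issue_text": "Use of possibly insecure function - consider using safer ast.literal_eval.",
     "code": "40 return eval(expr)"},
    {"filename": "app/settings.py", "line_number": 3, "test_id": "B105",
     "test_name": "hardcoded_password_string",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'changeme'",
     "code": "3 ADMIN_PASSWORD = 'changeme'"},
    {"filename": "tests/test_db.py", "line_number": 8, "test_id": "B101",
     "test_name": "assert_used",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected.",
     "code": "8 assert row is not None"}
  ]
}
'''

LEVEL = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def load_report(text: str) -> dict:
    return json.loads(text)


def fingerprint(result: dict) -> tuple:
    """Identify a finding by file, rule and code text rather than line number, so an
    accepted finding stays accepted when unrelated lines move. Bandit prefixes the
    code snippet with its line number; strip that before comparing."""
    code = result["code"].split(None, 1)
    return (result["filename"], result["test_id"], code[1].strip() if len(code) > 1 else "")


def triage(report: dict, min_severity="MEDIUM", min_confidence="MEDIUM",
           path_excludes=("tests/",), baseline=frozenset()):
    """Split results into (blocking, ignored); each ignored entry carries its reason."""
    blocking, ignored = [], []
    for r in report["results"]:
        if r["filename"].startswith(tuple(path_excludes)):
            reason = "excluded path"
        elif fingerprint(r) in baseline:
            reason = "accepted in baseline"
        elif LEVEL[r["issue_severity"]] < LEVEL[min_severity]:
            reason = "below severity threshold"
        elif LEVEL[r["issue_confidence"]] < LEVEL[min_confidence]:
            reason = "below confidence threshold"
        else:
            blocking.append(r)
            continue
        ignored.append((r, reason))
    return blocking, ignored


def gate(report_text: str, **policy) -> int:
    """Return the exit code for CI: 1 if anything blocks the merge, else 0."""
    blocking, ignored = triage(load_report(report_text), **policy)
    for r in blocking:
        print(f"BLOCK {r['filename']}:{r['line_number']} {r['test_id']} "
              f"[{r['issue_severity']}/{r['issue_confidence']}] {r['issue_text']}")
    for r, why in ignored:
        print(f"skip  {r['filename']}:{r['line_number']} {r['test_id']} ({why})")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: bandit -r . -f json -o report.json && python gate.py report.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else REPORT_JSON
    sys.exit(gate(text))
```

With the default policy only the `eval()` finding blocks: the string-built SQL is reported at LOW confidence (Bandit cannot tell whether `user_id` is attacker-controlled, the "difficult to prove" con), the hard-coded password is below the severity floor, and the `assert` in the test directory is excluded by path. Lowering `min_confidence` to LOW makes the SQL finding block as well; adding a fingerprint to `baseline` accepts a reviewed finding without editing the code. Each of these knobs trades false positives against coverage, and the choice should be recorded alongside the pipeline, not left implicit.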
Questionnaire:
1. Is SAST black box testing?
Ans. No. Static application security testing (SAST) is a white-box testing methodology.

2. What are the types of SAST?

Ans. There are three basic types of SAST: source code analysis, byte code analysis (for example
of Java or .NET intermediate code), and raw binary code analysis.

3. What are the limitations of SAST?

Ans.
• It has to assume or synthesize the data that flows through the code instead of observing real
inputs, which leads to false positives
• Language dependency makes tools difficult to build and maintain, and requires a different tool
for each language used
• Not good at understanding libraries or frameworks, such as API or REST endpoints that a
framework wires up outside the code being analyzed
• Unable to follow calls into code it cannot see (compiled libraries, remote services) or to
determine most argument values, which are only known at run time

4. Explain the difference between SAST and DAST.

Ans.

Approach
  SAST: White box security testing. The tester has access to the underlying framework, design,
  and implementation. The application is tested from the inside out. This type of testing
  represents the developer approach.
  DAST: Black box security testing. The tester has no knowledge of the technologies or
  frameworks that the application is built on. The application is tested from the outside in.
  This type of testing represents the hacker approach.

Input required
  SAST: Requires source code. SAST doesn’t require a deployed application; it analyzes the
  source code or binary without executing the application.
  DAST: Requires a running application. DAST doesn’t require source code or binaries; it
  analyzes the application by executing it.

Cost of fixing vulnerabilities
  SAST: Less expensive. Since vulnerabilities are found earlier in the SDLC, it’s easier and
  faster to remediate them. Findings can often be fixed before the code enters the QA cycle.
  DAST: More expensive. Since vulnerabilities are found toward the end of the SDLC, remediation
  often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency
  release.

Software covered
  SAST: Typically supports all kinds of software. Examples include web applications, web
  services, and thick clients.
  DAST: Typically scans only apps like web applications and web services. DAST is not useful
  for other types of software.

5. What can SAST find?

Ans. SAST finds flaws that are visible in the code itself without running it: well-known
patterns such as buffer overflows and SQL injection flaws, reported by filename, line number
and code snippet so the developer can fix them early. It does not reliably find authentication,
access control, cryptographic misuse or configuration problems, so its findings need to be
confirmed by code review and complemented by DAST.
