Itroduction
The first part of this article provides a robust theoretical foundation for understanding SAST and its importance in ensuring secure development. Additionally, the subsequent articles (Part 2, and Part 3) will delve into practical examples and effective implementation strategies.
In the field of modern software engineering, it is not only required to provide features on time but also to ensure their security. As companies refine their Secure Software Development Life Cycle (SSDLC) strategies, one essential aspect that stands out is Static Application Security Testing (SAST).
What is SAST?
SAST, or Static Application Security Testing, refers to a type of security testing that identifies and addresses potential vulnerabilities in software code. SAST involves …
Itroduction
The first part of this article provides a robust theoretical foundation for understanding SAST and its importance in ensuring secure development. Additionally, the subsequent articles (Part 2, and Part 3) will delve into practical examples and effective implementation strategies.
In the field of modern software engineering, it is not only required to provide features on time but also to ensure their security. As companies refine their Secure Software Development Life Cycle (SSDLC) strategies, one essential aspect that stands out is Static Application Security Testing (SAST).
What is SAST?
SAST, or Static Application Security Testing, refers to a type of security testing that identifies and addresses potential vulnerabilities in software code. SAST involves examining source code, bytecode, or binaries without running the actual application by scanning the codebase for known vulnerability patterns.
Source code refers to the human-readable code written by developers.
Bytecode refers to the compiled form of source code that a virtual machine or runtime can execute, which can be analyzed by SAST tools to detect errors, vulnerabilities, or performance issues before deployment. For example, in Java .class files – the compiled Java classes generated from .java source files.
Binaries refer to compiled artifacts; in Java, these are typically .jar files, which are Java archives containing .class files and sometimes additional resources such as properties or XML files.
This tool can detect security weaknesses early on, which covers bugs, code smells, and the latest at this moment, 2021 OWASP TOP 10 categories, such as:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery
SAST tools analyze program components, including code structure, data flows, and control flows, to identify potential security vulnerabilities before the software is developed or deployed.
Control flow refers to the order in which individual statements, instructions, or functions in a program are executed.
Data flow refers to the movement of data through a program, specifically how values are assigned, modified, and passed between variables, functions, or modules. It defines how data travels and transforms during execution. One example is detecting tainted data. Tainted data refers to identifying untrusted or potentially dangerous input in a program that could flow into sensitive operations (called “sinks”) without proper validation or sanitization.
Control flow determines the sequence of execution in a program, while data flow tracks how data values propagate and transform through that execution.
| Aspect | Control Flow | Data flow |
|---|---|---|
| What it describes | Execution order or decision paths | How data moves and changes |
| Examples | Loops, conditionals, function calls | Variable assignments, method parameters, and return values |
| Use in SAST | Detect unreachable code, infinite loops, and so on | Detect tainted data, SQL injection, and logging sensitive info |
Some of the tools classified as SAST are:
- Semgrep, PMD, SpotBugs, and FindSecBugs - popular open-source tools for code analysis and bug detection.
- Fortify, Checkmarx, and Veracode - reliable enterprise solutions.
- Snyk, SonarQube Cloud, and GitHub CodeQL - cloud-based or SaaS tools.
The importance of SAST in secure development cannot be overstated.
Implementing SAST within SSDLC enables the efficient implementation of large-scale security measures by:
- Detecting problems early on
- Halting the advancement of vulnerable code through the pipeline, SAST minimizes both time and expense associated with remediation.
- Incorporating security earlier in the development process
- Feedback is provided to developers during the commit or pull request process while the context is still fresh, allowing for any necessary fixes to be made more easily.
- Promoting the education of developers.
- SAST findings facilitate the organic acquisition of secure coding patterns by developers, promoting the integration of security as a daily practice.
- Minimizing risk in the manufacturing process
By addressing vulnerabilities early on in the SDLC or live systems, there is a lower occurrence of security incidents. Several compliance frameworks, such as ISO 27001, SOC2, and PCI DSS, require the inclusion of static security testing in secure development governance.
How to integrate SAST into CI/CD?
The integration of SAST into the development lifecycle is essential for its optimal effectiveness.
Developer local environment (can be optional, but recommended)
- Run lightweight SAST tools locally (Semgrep, CodeQL CLI, Snyk CLI, SonarQube local server using Docker) or run IDE plugins such as SonarQube Cloud that can connect easily from the IDE to the SonarQube Cloud server before pushing code.
- Helps reduce noise in the CI pipeline or incidentally pushes sensitive data to the GIT repository.
Pull request (PR) and merge request (MR) stage
- Protect the main branches from merging directly until all pipeline jobs are SUCCESSFUL. If Git Flow is used, protected branches typically are: dev, qa, or staging, pre-prod, and prod.
- Trigger a SAST scan on each PR/MR.
- Block merging if findings exceed severity thresholds, for example, by configuring Quality Gate in SonarQube or other severity-related policies. You can configure the CI/CD pipeline to FAIL if, for example, 1 Critical and/or 3 High vulnerabilities are detected.
- Use the SAST tool’s suggestions on how to resolve the issue.
- Investigate the findings to identify potential false positives. SAST scanners provide useful information about each vulnerability, making it easier to understand them.
CI pipeline
-
Add SAST as an early stage. Depends on the project; it can be after the build and test stage or before it, if only the source code is used to scan the project, but the recommended approach is to use it after, because you can configure it to scan for binaries or bytecode.
-
Fail builds based on:
-
severity level (Low, Medium, High, Critical)
-
the count of severity levels (for example, 20 Medium, 5 High, 2 Critical)
-
security policy rules
-
code smells
Scheduled full scans
- Run nightly or weekly deep scans on the entire codebase. For example, Snyk scans the project by default once a week and sends the report to the user’s email (this is a SaaS tool, and it depends on whether the company is allowed to send the codebase to other services for scanning for vulnerabilities).
- Capture findings not detected in incremental scans.
Governance
- Export results into an issue tracker (such as Jira) or a SIEM (Security Information and Event Management) system. Some of the SAST tools allow the creation of an issue ticket in Jira.
Track remediation SLAs (Service Level Agreement) by severity:
- Critical issues fixed within 24 hours
- High-severity fix within 3 days
- Medium 7–14 days
- Low 30+ days
Maintain centralized dashboards (SonarQube, Snyk, DefectDojo).
The key principle: SAST must become a non-negotiable quality gate, just like unit tests, linters, or build verifiers.
Why do some companies run SAST within CVS instead of SaaS tools?
While modern SaaS security platforms are powerful, many enterprises still run SAST inside their version-control system (CVS) or self-hosted environments.
Data protection and compliance
Source code is often the company’s most sensitive intellectual property. Some industries, such as finance, defense, and telecom, cannot upload code to external SaaS due to:
- Data residency restrictions
- Regulatory constraints
- Confidentiality concerns
Full control and custom rules
Self-hosted SAST (SonarQube Enterprise, Checkmarx On-Premise) offers:
- Custom rule tuning for domain-specific patterns
- Control over scanner performance and scheduling
- On-prem log retention and audit trails
No external vendor dependency Large organizations want predictable SLAs and reliability without relying on external service uptime or rate limits. Companies often use cloud VMs (Virtual Machines) with autoscaling that make the server available even if one goes down, especially when all infrastructure is deployed on a specific cloud provider like AWS, Azure, and GCP. Still, it is more difficult to configure and maintain your own server compared to SaaS alternatives.
Cost optimization at scale
SaaS SAST tools are charged per seat or LOC (lines of code). For large organizations with millions of LOC, on-premise licensing might be more efficient. This doesn’t make SaaS solutions inferior; they are excellent for small to mid-sized companies or teams that prefer zero maintenance overhead, but big enterprises often choose to keep scanning where the codebase is located or self-hosted.
How does SAST strengthen your application before deployment?
SAST adds many layers of security reinforcement before one line is deployed:
-
Eliminates vulnerabilities at the earliest point. Fixing issues in development prevents vulnerabilities from ever entering later stages.
-
Reduces attack surface. Every resolved injection flaw, every sanitized input, and every removed secret reduces the exploitable surface in production.
-
Improved code quality. Most of the SAST rules lead to improved code clarity, design patterns, and maintainability.
-
Drives security culture. SAST is an enabler of secure software development practices. Teams start thinking in terms of:
-
safe patterns
-
least-privilege design
-
secure defaults
-
flow validation
SAST best practices
To maximize the value of SAST in SSDLC:
-
Start with a minimal and focused rule set. Avoid overwhelming developers. Enable rules progressively.
-
Integrate into PR pipelines.
-
Make SAST feedback part of the daily development routine.
-
Use severity thresholds. These configurations can differ from company to company.
-
Avoid false positives. Not all findings are equal; that is why you need to tune rules to reduce false positives. Even if the finding’s severity level is High and it may appear to be a serious issue, it depends on how the feature or script was implemented.
-
Establish SLAs for remediation. For example:
-
Critical: fix within 1-2 days.
-
High: fix within 5-7 days.
-
Medium: fix within 30 days.
-
Combine with other AST tools. SAST is one part of the security puzzle. Always complement it with:
-
ISCA (dependency scanning), if the tool does not support it, or you can use the free trial version of the tool.
-
WAF (Web Application Firewall) adds a defence layer in front of your application by filtering and monitoring HTTP/HTTPS traffic.
WAF does not replace SAST or DAST. It can block known attack patterns, mitigate exploitation attempts before fixes are deployed, provide real-time protection in production, and prevent DDoS attacks.
- DAST (Dynamic Application Security Testing). Scan the DEV or QA environment, because DAST is used when the application is up and running. Effective DAST can be performed in two phases:
Automated scanning — baseline detection of common runtime vulnerabilities.
Manual exploratory testing — for issues that automated tools often miss (logic flaws, authorization bypasses, etc.). Not all vulnerabilities can be discovered by SAST alone, which is why DAST is an important complement.
-
Ensure DevSecOps collaboration. Security engineers, platform teams, and developers must collaborate on:
-
rule tuning
-
prioritization
-
education
Conclusion
SAST remains one of the cornerstones of a mature SSDLC. It provides early, actionable insights into code security, reduces risk, empowers developers, and fortifies applications before deployment. Implemented with care, SAST becomes more than just a detection tool; it becomes a catalyst for a long-term secure engineering culture.
Closing
This article covered the theoretical foundation of SAST and its strategic role within secure development. In ”Catch vulnerabilities before they ship: local SonarQube setup (Part 2)”, we will explore SonarQube Cloud configuration and IntelliJ IDEA integration, as well as running SonarQube locally with Docker. If you’re building secure systems at scale, SAST is where prevention truly begins.
Originally published on my personal blog: https://matevosian.tech/blog/post/SAST-part1-theory