The Fundamentals of SAST and DevSecOps

I recently came across this wonderful article, written by Mark Tey https://medium.com/dipcode/static-code-analysis-a-personal-research-story-387323983419.

His definition of SAST was as follows:

“Static Code Analysis is a set of technologies that define specific programs, accountable for detecting early faults or errors on the program code and avoiding future problems and vulnerabilities.

It is essentially placed during the testing phases, and its main purpose is guaranteeing security on the Software Development Life Cycle (SDLC), but it can also be done during the coding”.

This is a perfect way to learn the value of static code analysis, as well as to determine where in the SDLC it fits.

In this article, I would like to build a bit more on Mark’s article, but focus more on the various challenges and solutions that SAST is known for.

Most Common SAST Challenges

After being in the software development and testing space for over 21 years, DevOps teams are still trying to overcome the following challenges. They are mostly divided into Quality and Velocity. Having the ability to fail fast, fix fast and release fast and with high quality is top of mind of most DevOps leaders. The reality in most cases makes the objectives hard to meet.

Top SAST Challenges (Source: Perforce)

Shifting quality and security/safety coverage left requires skills, automation, tools and following best-practices in software design.

Software testing that include functional, unit, APIs, accessibility, performance and more are a key ingredient for success, and are not part of this blog scope.

In addition to the above mentioned quality methodologies, teams must bake into their CI/CD process security and safety testing as early as possible. To do so, the tools that are being used must integrate into the developers workstations and IDEs, as well as be integrated into CI servers (Jenkins). More mature SAST tools can also be bundled within a docker container and be virtualized across multiple code bases and teams.

SAST and DevSecOps

When a developer runs upon his code changes a code analysis scan, he can define what rules, what coverage and which standards he wants his code to adhere to. Specifically with security, developers can plug into their scans the following common security coverage rules:

• CWE
• OWASP
• CERT
• PCI DSS
• DISA STIG
• ISO/IEC TS 17961

To make sure teams can cover properly the relevant security rules, they need to follow some basic checklist. Some of the key benefits of DevSecOps are as follows:

• Detect code vulnerabilities, compliance issues, and rule violations earlier in the software development cycle.
• Deliver fast feedback to developers with the precise locations of security vulnerabilities and their cause.
• Enforce industry and security coding standards (like the above mentioned ones and more)
• Report on compliance over time and across product versions, branches and deliveries.

Now that we have established a basic understanding of SAST and DevSecOps, let’s explore the other piece of SAST and this is safety compliance.

Klockwork Sample SAST Report (Source: Perforce)

The Complimentary Piece: Safety Compliance

In major market verticals like embedded software, automotive, healthcare, and other mission critical domain (aerospace, rail, etc.), SAST plays an even bigger role, since it must adhere to the strictest safety rules in the industry. Adhering to these rules as well as having constant evidence reports are key for these organizations certification to release their products to the market.

Leveraging SAST tools to run both security, code quality standards as well as safety rules including MISRA, Autosar, JSF and others (depending on the code language the software is developed in) is a mandatory requirement per each software build, by each developer. In many organizations, having the build report with the above evidence serves as a quality gate for QA to start their regression cycle and move forward with the release.

The major requirements from a SAST Safety and Compliance tool include:

1. Accurate reporting with minimal false negatives.
2. Ability to run across large code bases (millions lines of code LOC) and advanced architectures.
3. Integrability into CI/CD/IDEs that fits the development processes (see below process example).
4. Custom reporting abilities and rules to allow proper visibility into main issues and product risks (see above report sample)
5. Continuous compliance and being up to date with all major coding and safety standards as they changed regularly.
6. Advanced code scanning abilities like differential analysis — this allows scanning only the delta of the code that was changed against an existing baseline to save time, and better focus on the changes.

Bottom Line

As DevOps matures and becomes more modern, SAST is also becoming a key ingredient in the SDLC process. With the rise of AI/ML and other technologies, teams can benefit more then ever from smarter tools to drive greater productivity and deliver higher quality, secured product and safer code. Like in any technology adoption, such tools must be part of the process and integrate seamlessly to the developers workflows to be well adopted and grow.