If you use an SCA tool, why should you use a SAST tool as well? Let’s discuss what each tool can and can’t do and how they complement each other.
If you’re an SCA user, then you might wonder why you should use a SAST tool too. After all, modern applications consist of up to 90% open source code. To answer this question, let’s first discuss at a high level what each tool can and can’t do.
What SCA can do:
- Find common open source libraries and components used in your software
- Compare findings to a list of known vulnerabilities (e.g., Common Vulnerabilities and Exposures, or CVEs) and determine whether components have known and documented vulnerabilities, are out of date, and have patches available
- Identify licenses associated with open source components and libraries (e.g., GPL), as well as potential license issues
What SCA can’t do:
- Identify custom components or libraries your own organization has developed
- Identify weaknesses in code that can contribute to vulnerabilities
What SAST can do:
- Uncover Common Weakness Enumerations (CWEs) in source code, including custom code, components, and libraries and open source code and components
- Identify both security and quality flaws in code and provide remediation advice
- Help ensure compliance to a wide variety of embedded quality, reliability, and security standards by identifying specific vulnerabilities listed in these standards
What SAST can’t do:
- Identify security vulnerabilities or license issues in open source or custom components or libraries
- Identify out-of-date components or libraries that require a patch
- Identify code that contains CVEs
Comparing SAST and SCA
SAST is fundamental to software development and enables developers to shift left in the software development life cycle (SDLC). SAST tools are critical for identifying quality and security issues in your software early on, so developers can find and fix issues as they write their code. Using a SAST tool enables developers to learn how to write clean secure code from the start, when it is easier and cheaper to make fixes than in later stages, such as QA and pre-release.
An analogy is that SCA identifies all the visible holes in the roof of a house (known vulnerable components and libraries) and provides a quick patch. By contrast, SAST identifies hard-to-detect structural weaknesses in the roof beams and plywood structure and prevents major roof cave-ins (i.e., breaches) by identifying security vulnerabilities that hackers can exploit.
What to look for in a static application security testing (SAST) tool
- Comprehensive code coverage; accurate identification and prioritization of critical security vulnerabilities to be fixed.
- Ease of use. An intuitive, consistent, modern interface involving zero configuration; insight into vulnerabilities with necessary contextual information (e.g., dataflow, CWE vulnerability description, and detailed remediation advice).
- Fast incremental analysis results that appear in seconds as developers write code within their IDE.
- DevSecOps capabilities. Support for popular build servers and issue trackers; flexible APIs for integration into custom tools.
- Enterprise capabilities to support thousands of projects, developers, and millions of issues.
- Management-level reporting and compliance to industry standards. Broad and complete support of software quality (CERT C/C++, MISRA, AUTOSAR, ISO 26262, ISO/IEC TS 17961) and security standards (OWASP Top 10, CWE Top 25, PCI DSS) so you can ensure your apps are compliant.
- eLearning integration. Contextual guidance and links to short courses specific to the issues identified in code; just-in-time learning when developers need it.
Our latest news is that our Code Sight IDE plugin now supports both Coverity and Black Duck analysis findings together on the developer’s desktop. With Code Sight, developers can address security issues in both proprietary code and open source dependencies as they code, without leaving the IDE. So you can quickly find and fix issues before you check in your code for the next build.