Static Analysis (SAST)
Static Application Security Testing (SAST), or “white-box” testing, finds common vulnerabilities by performing a deep analysis of your applications without actually executing them.
Unique in the industry, our patented binary SAST technology analyzes all code — including third-party components and libraries — without requiring access to source code.
SAST supplements threat modeling and code reviews performed by developers, finding coding errors and omissions more quickly and at lower cost via automation. It’s typically run in the early phases of the Software Development Lifecycle because it’s easier and less expensive to fix problems before going into production deployment.
Identify vulnerabilities in custom and third-party code
SAST identifies critical vulnerabilities such as SQL injection, cross-site scripting (XSS), buffer overflows, unhandled error conditions and potential back-doors. Our binary SAST technology delivers actionable information that prioritizes flaws according to severity and provides detailed remediation information to help developers address them quickly.
SAST typically provides more comprehensive results than Dynamic Application Security Testing (DAST) because it tests the entire application, whereas DAST must first discover every individual execution path in the running application before it can test it.
FS-ISAC, an industry group formed by leading financial services firms, has recommended binary static analysis as one of three critical controls for reducing third-party software risk.
Hybrid Engineering Solutions analyzes applications to identify vulnerabilities and classify them using standard NIST severity levels. Applications are scored using centralized risk-based policies.
To speed time-to-market using agile processes, most modern applications are complex composites of in-house code, third-party libraries, outsourced code and open source components. As a result, you rarely have access to all the source code — which means blind spots in your testing.
Unlike legacy on-premises scanning tools, Veracode’s binary SAST technology scans all code in its final compiled state — including potentially risky artifacts introduced by compiler- or platform-specific interpretations — without requiring source code.
Our binary SAST technology makes it faster than ever to find and fix vulnerabilities in your applications. It delivers detailed information that:
- Is accurate: Static binary analysis examines applications the same way attackers look at them: by creating a detailed model of the application’s data and control flows. Unlike legacy source code scanners, this approach accurately detects hidden threats such as malicious code and backdoors that are difficult to detect because they’re not visible in source code.
- Is actionable: Provides detailed educational feedback and suggested corrective actions for programmers. All applications are scored using an industry-standard methodology that measures both the severity and exploitability of a flaw. For example, a high-severity flaw with a high likelihood of being exploited is potentially more dangerous than a high-severity flaw with a low likelihood of exploitation.
- Minimizes false positives: Legacy scanning tools have a reputation for generating a high volume of vulnerabilities, which lowers productivity because of the time required to identify false positives. Our centralized platform is backed by world-class security experts and is continuously learning with every new application it scans, reducing false positives so you can start remediating faster.
Binary SAST analyzes binary code to create a detailed model of the application’s data and control paths. The model is then searched for all paths through the application that represent a potential weakness.
For example, if a data path through the application originates from an HTTP Request and flows through the application without validation or sanitization to reach a database query, then this would represent a SQL Injection flaw.
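The source-to-sink rule just described, as an added illustration of how a data-flow model is searched for unsanitized paths. This is example code written for this page, not Veracode’s engine; the statement format, the source/sanitizer/sink vocabulary and the two sample programs are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed vocabulary (assumption): which calls introduce, remove or consume taint.
SOURCES = {"http.request.param"}   # untrusted input (the HTTP request)
SANITIZERS = {"db.escape"}         # calls whose result is treated as clean
SINKS = {"db.query"}               # calls that must never receive tainted data


@dataclass
class Stmt:
    dest: Optional[str]   # variable assigned by this statement, or None
    fn: str               # function called; "concat" models string joining
    args: List[str]       # operand variable names or literal tokens


def find_sqli(program: List[Stmt]):
    """Walk straight-line code, propagating taint through assignments.
    Returns (line, sink, tainted_args, path) per unsanitized source-to-sink flow."""
    tainted: Dict[str, List[int]] = {}   # var -> lines the taint has passed through
    findings = []
    for lineno, s in enumerate(program, 1):
        tainted_args = [a for a in s.args if a in tainted]
        if s.fn in SINKS and tainted_args:
            findings.append((lineno, s.fn, tainted_args, tainted[tainted_args[0]] + [lineno]))
        if s.dest is None:
            continue
        if s.fn in SOURCES:
            tainted[s.dest] = [lineno]                              # taint originates here
        elif tainted_args and s.fn not in SANITIZERS:
            tainted[s.dest] = tainted[tainted_args[0]] + [lineno]   # taint propagates
        else:
            tainted.pop(s.dest, None)                               # clean or sanitized value
    return findings


# Constructed sample: a request parameter concatenated straight into a query.
VULNERABLE = [
    Stmt("name", "http.request.param", ["'user'"]),
    Stmt("q", "concat", ["SQL_PREFIX", "name", "SQL_SUFFIX"]),
    Stmt(None, "db.query", ["q"]),
]
# Same program with the parameter escaped before it reaches the query.
SAFE = [
    Stmt("name", "http.request.param", ["'user'"]),
    Stmt("clean", "db.escape", ["name"]),
    Stmt("q", "concat", ["SQL_PREFIX", "clean", "SQL_SUFFIX"]),
    Stmt(None, "db.query", ["q"]),
]

if __name__ == "__main__":
    print(find_sqli(VULNERABLE))   # one flow: source line 1 -> concat line 2 -> sink line 3
    print(find_sqli(SAFE))         # no flow: db.escape on line 2 cleared the taint
```

The returned path is what a scanner turns into the "flaw details" a developer reviews: the lines the untrusted value travelled through before reaching the sink.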
The stages of binary static analysis:
- Submit: Binaries are automatically uploaded by build servers or manually submitted through our web interface. Veracode simplifies time-consuming tasks such as scan preparation and management so you can scan early and often.
- Model & Analyze: Our patented binary static analysis technology creates a complete model of the application’s control and data flow directly from the executable binary or bytecode. We then test the model to detect code that is vulnerable to common attack patterns. Results are optimized for low noise and prioritized according to issue severity, potential business risk and policy compliance.
- Review: Prioritized results can be accessed via standard bug tracking systems such as JIRA or Bugzilla or viewed through our web interface. Flaw details and remediation advice are automatically provided to aid in rapid mitigation or remediation.
- Report: Metrics showing progress in hardening applications are provided through our analytic dashboards. Aggregated statistics are available for reporting on your global application security program and for integrating information with enterprise GRC (governance, risk and compliance) solutions such as RSA Archer.
Veracode’s binary SAST technology supports all widely-used languages for desktop, web and mobile applications including:
- Java and .NET
- C/C++ (Windows, Linux and Solaris)
- Web (J2EE, ASP.NET, Classic ASP, PHP, ColdFusion, Ruby)
- Mobile Platforms (Objective-C for iOS, Java for Android and J2ME for BlackBerry)
Plus it integrates seamlessly with agile development processes and tools including:
- IDEs including Visual Studio and Eclipse
- Build Servers such as Jenkins, Ant, Maven, Team Foundation Server (TFS)
- Issue Tracking Systems like JIRA, Bugzilla and RSA Archer GRC
Unlike legacy standalone scanners, our SAST technology is fully integrated with our central cloud-based platform. This enables you to aggregate and share results with all stakeholders in a single dashboard, including results obtained via multiple techniques (SAST, DAST, manual penetration testing). Leveraging multiple techniques helps reduce false negatives and detect a broader range of security flaws, since each technique has its particular strengths.
Our cloud-based platform is continuously learning to adapt to evolving threats and reduce false positives; massively scalable to address your global application infrastructure; and a central part of Veracode’s programmatic, policy-based approach for systematically reducing application-layer risk compared to traditional ad hoc approaches.