All static application security testing (SAST) tools work in basically the same way – they generate an intermediate representation (model) of the application, which they then analyze for conditions indicative of a security vulnerability. For clients, our in-depth research on the SAST tool vendors is in this research note.
However, just because a SAST vendor supports a given language (e.g. Java) doesn’t mean it supports the myriad development frameworks for that language – in Java’s case Spring, Struts, EJB, Hibernate, JSF, Tiles, and so on.
Bottom line: if a static analysis tool doesn’t have an accurate understanding of the underlying framework, it can’t generate an accurate model, and the analysis will be incomplete, resulting at a minimum in false negatives. This is true for any of the languages a SAST tool may scan, not just Java, and it is true of any SAST tool – whether it analyzes source code, byte code or binaries.
When a SAST vendor says they support “Java” or any other language, dig deeper.
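To make the false-negative point concrete, here is an added toy taint analysis (example code written for this page, not from the original post or any vendor's product). It runs the same SQL-concatenation pattern through a model that knows only the servlet API and through one that also models Spring MVC; the Java snippets, source and sink patterns are constructed for the illustration.

```python
import re

# Two constructed Java snippets (sample input, not from the original post) with the same
# string-concatenated SQL. In the first, input enters via the servlet API; in the second,
# Spring MVC injects it through @RequestParam, so there is no getParameter() call to see.
SERVLET_CODE = """
String name = request.getParameter("name");
String q = "SELECT * FROM users WHERE name = '" + name + "'";
jdbc.update(q);
"""
SPRING_CODE = """
@GetMapping("/user")
public String find(@RequestParam("name") String name, Model model) {
    String q = "SELECT * FROM users WHERE name = '" + name + "'";
    return jdbc.queryForObject(q, String.class);
}
"""

# Taint sources known to a model that understands only the raw servlet API...
SERVLET_SOURCES = [r"String\s+(\w+)\s*=\s*request\.getParameter\("]
# ...and the same model once Spring MVC is added: annotated parameters are sources too.
SPRING_AWARE_SOURCES = SERVLET_SOURCES + [r"@RequestParam\([^)]*\)\s+\w+\s+(\w+)"]
SINK = re.compile(r"\.(?:queryForObject|query|update)\(\s*(\w+)")  # JdbcTemplate query arg
ASSIGNMENT = re.compile(r"\b\w+\s+(\w+)\s*=\s*([^;]+);")           # "Type var = expr;"

def tainted_vars(code, source_patterns):
    """Seed taint at every recognised source, then propagate it through simple
    assignments until no new variable becomes tainted (a fixed point)."""
    tainted = set()
    for pat in source_patterns:
        tainted.update(re.findall(pat, code))
    changed = True
    while changed:
        changed = False
        for var, rhs in ASSIGNMENT.findall(code):
            if var not in tainted and any(re.search(rf"\b{t}\b", rhs) for t in tainted):
                tainted.add(var)
                changed = True
    return tainted

def find_sqli(code, source_patterns):
    """Return the sink arguments fed by tainted data; an empty list is 'no finding'."""
    tainted = tainted_vars(code, source_patterns)
    return [arg for arg in SINK.findall(code) if arg in tainted]

if __name__ == "__main__":
    for label, srcs in (("servlet-only", SERVLET_SOURCES), ("Spring-aware", SPRING_AWARE_SOURCES)):
        print(f"{label:13} servlet code: {find_sqli(SERVLET_CODE, srcs)}"
              f"  Spring code: {find_sqli(SPRING_CODE, srcs)}")
```

The servlet-only model reports the servlet snippet but returns nothing for the Spring controller: the injection is identical, the model simply never learned that the framework hands user input in through an annotation.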
Category: Application Security Tags: Application Security, application security testing tools

Neil MacDonald