Static application security testing (SAST) is a way of determining whether software is vulnerable to attack by malicious users. The underlying technology for SAST is static analysis, in which the software is examined in a non-executing (static) state. The source code (or a compiled form of it) and any accompanying configuration files used at runtime are examined in a variety of ways to predict whether the code, once deployed, contains weaknesses that an attacker could exploit, i.e., vulnerabilities. The techniques for making these predictions vary widely, but most commercial SAST tools rely on dataflow and taint analysis, abstract interpretation, and related techniques (with model checking and theorem proving applied more selectively), all of which trade precision for practical results within reasonable time and space constraints on modern computing machinery. The loss of precision shows up as false positives (reported weaknesses that are not actually exploitable) and, less visibly, as false negatives.
These precision tradeoffs, combined with the complexity and size of modern applications (millions to tens of millions of lines of code), result in end users being presented with a very large set of weaknesses. Quickly arriving at an overall sense of an application's weakness, and deciding where to focus remediation effort, is a great challenge when the list of weaknesses (also called ‘findings’) numbers in the thousands or, more commonly, tens or hundreds of thousands. For a result that takes hours to produce, it can take several person-days or weeks to determine what needs to be fixed and how much effort is involved. Most weaknesses are presented as individual paths through the application (source-to-sink traces), illustrating how attacker-controlled data propagates through the code until it reaches its target, such as a database query or an operating system command. Although many of these weaknesses are related, sharing portions of their paths through the code (a common unsanitized helper function, or a common sink), listing them individually makes it difficult to discern those relationships and to obtain a clear picture of where the application needs the most attention.
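The relationship between findings that the paragraph above describes can be recovered directly from the path data the tool already emits. The following is an added example, not code from the original page or from any SAST product: it models each finding as an ordered source-to-sink path of code locations, maps each location to the findings that pass through it, and then ranks locations by how many findings a single fix there would close (a greedy set-cover heuristic). The six findings and the file, function and line identifiers are constructed for illustration and are not real tool output.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One SAST result: an ordered source-to-sink path of code locations."""
    finding_id: str
    cwe: str
    path: tuple  # ("file:function:line", ...) from taint source to sink


# Constructed sample findings (hypothetical paths, not real tool output).
# Three SQL injection paths converge on the same query helper and sink,
# two XSS paths converge on the same render/write pair, and one command
# injection path stands alone.
SAMPLE_FINDINGS = (
    Finding("F1", "CWE-89", ("web.py:login:12", "db.py:run_query:40", "db.py:execute:55")),
    Finding("F2", "CWE-89", ("web.py:search:30", "db.py:run_query:40", "db.py:execute:55")),
    Finding("F3", "CWE-89", ("api.py:lookup:8", "db.py:run_query:40", "db.py:execute:55")),
    Finding("F4", "CWE-79", ("web.py:search:30", "views.py:render:70", "views.py:write:90")),
    Finding("F5", "CWE-79", ("web.py:profile:50", "views.py:render:70", "views.py:write:90")),
    Finding("F6", "CWE-78", ("admin.py:backup:20", "shell.py:run:15")),
)


def location_coverage(findings):
    """Map each code location to the set of finding ids whose path visits it."""
    coverage = defaultdict(set)
    for f in findings:
        for loc in set(f.path):  # count a finding once even if its path revisits loc
            coverage[loc].add(f.finding_id)
    return dict(coverage)


def hotspots(findings, top=5):
    """Locations ranked by how many distinct findings pass through them.

    Ties are broken alphabetically by location so the output is deterministic.
    """
    cov = location_coverage(findings)
    ranked = sorted(cov.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(loc, len(ids)) for loc, ids in ranked[:top]]


def remediation_plan(findings):
    """Greedy set cover over the finding paths.

    Repeatedly pick the location that closes the most still-open findings,
    assuming a fix at that location (e.g. adding a sanitizer or a
    parameterized query) neutralizes every path through it. Exact set cover
    is NP-hard; the greedy choice is a practical answer to "fix what first?"
    for result sets with thousands of findings. Returns a list of
    (location, frozenset of finding ids closed by fixing it).
    """
    cov = location_coverage(findings)
    open_ids = {f.finding_id for f in findings}
    plan = []
    while open_ids:
        # Most open findings covered first; alphabetical location on ties.
        loc, ids = min(cov.items(), key=lambda kv: (-len(kv[1] & open_ids), kv[0]))
        closed = ids & open_ids
        if not closed:
            break
        plan.append((loc, frozenset(closed)))
        open_ids -= closed
    return plan


def by_category(findings):
    """The summary most tools already offer: finding counts per CWE."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.cwe] += 1
    return dict(counts)


if __name__ == "__main__":
    print("per-CWE counts:", by_category(SAMPLE_FINDINGS))
    print("hotspots:", hotspots(SAMPLE_FINDINGS, top=3))
    for loc, closed in remediation_plan(SAMPLE_FINDINGS):
        print(f"fix {loc:22s} closes {sorted(closed)}")
```

On the constructed input the per-CWE summary reports three SQL injection, two XSS and one command injection findings, which says nothing about where to start. The coverage map shows that three findings share `db.py:execute:55` and `db.py:run_query:40`, and the greedy plan closes all six findings with three fixes. The assumption that one fix neutralizes every path through a location is an approximation: a fix at a sink is only complete if it validates for the data flowing through it from every source, so the plan is a prioritization aid, not a proof of closure.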
Several existing commercial tools provide visualizations that present weaknesses and use techniques to summarize the security state of the application. These are generally summary line or bar graphs based on the weakness category (CWE), identifying how many weaknesses of each kind the application may currently have. Such tools do not provide an easy-to-access picture of where in the application code the weaknesses are located or what the current structure of that code is.