Sast 10 Key Consideration
10 Key Considerations When Choosing a SAST Solution
Essential elements for selecting a SAST solution that is part of a comprehensive AppSec platform

10 considerations

With an array of SAST solutions on the market, it can be hard to determine which one is the right choice for your organization. Here is a quick checklist to

+ How accurate are the findings? Does it produce a lot of false positives and false negatives?
+ Can you easily integrate and automate the tool into development?
+ Can you scan uncompiled code and code directly from repositories?
+ Is it part of a larger AppSec platform? Does it integrate with your other engines?
Different organizations, and even different teams in the same organization, have different needs. For example, AppSec teams responsible for mission-critical applications will need to scan deep. This type of scan performs the most thorough survey to uncover all high, medium, and low-severity vulnerabilities and provide the most comprehensive view of application security risk. However, it requires overhead to analyze and triage identified vulnerabilities to focus remediation on the most important ones first. This level of effort may not be warranted for every application.

On other occasions, AppSec teams may want to scan wide. This type of scan provides a high-level survey designed to find only the most critical high-severity vulnerabilities. Wide scans not only allow developers to focus on only the most important issues that need to be fixed but also allow organizations to measure risk across their entire application footprint and get a high-level view of their overall risk. Attackers adapt rapidly, so, regardless of which type of scan is appropriate for a given situation, organizations need a SAST solution that offers both options. Different teams also have diverse requirements.

Some stakeholders need to ensure that the code meets legal and compliance requirements while others must make sure the door isn’t being opened to security vulnerabilities. Having the flexibility to scan deep and scan wide covers almost all use cases. It enables organizations to standardize on a single solution and platform that maximizes security.

Recommendation: Select a SAST solution that can perform both types of scans.
Presets (also known as rulesets) are out-of-the-box groups of rules that AppSec teams can apply to various scans. For example, they might need a preset designed to help meet regulatory compliance requirements, or a preset based on the type of code being scanned.

Organizations need SAST solutions that come prepackaged with a variety of presets to support major use cases, such as regulatory compliance (e.g., HIPAA, PCI DSS, and FISMA), OWASP Top 10, OWASP Top 10 API, and CWE Top 25. They might need other presets focused on mobile application development, web application development, and so on. Or, they might need different presets to go deep into mission-critical applications or wide across their entire application footprint.

Having the ability to modify existing queries, and even create custom queries, is a powerful SAST feature. Go for a SAST solution that comes with prepackaged presets, allows for customization of existing queries, and enables organizations to create their own presets.

Recommendation: Use a SAST tool that offers multiple presets.
Why accuracy
matters
Some SAST solutions rely on regular expressions
(regex) to search for patterns in code, using a
set of syntax rules to define the patterns. Others
typically work by analyzing the source code (like
a compiler) and then using various techniques
to analyze the code, such as data flow analysis,
control flow analysis, and symbolic execution.
Regardless of the approach, the next two
considerations will guide you toward a more
accurate SAST solution.
SAST solutions must be able to find vulnerabilities across multiple files and compilation units. At times, this may lead to longer scans, but it helps make code more secure, finds vulnerabilities that may be overlooked, and ensures that vulnerabilities aren’t hiding in application flows. SAST solutions that deploy the following two methods are more accurate:

1. Data-flow analysis involves tracking the flow of data through the code to identify how data is used and manipulated, which is useful to identify complex security vulnerabilities.
2. Symbolic execution involves executing the code with symbolic inputs, which allows a tool to explore all possible paths through the code to find exploitable paths.

SAST solutions that use both data-flow analysis and symbolic execution, together with an efficient query language, are much more accurate than regex-based tools that do not use flow analysis and instead rely on pattern matching. Although some regex-based tools are lightweight and easy to use, and may require minimal setup and configuration, they can only identify vulnerabilities that match a specific pattern and may miss complex vulnerabilities that require more sophisticated analysis. This approach sacrifices accuracy for speed and potentially increases risk.

Instead, understanding how application flows interact with each other, and how flows build connections between files and components, is a critical phase in conveying attack vectors. This is also highly useful when providing a best fix location to help developers quickly correct coding errors.

Select a SAST solution that can go as deep as needed and can find vulnerabilities that a “good enough” solution can’t.

Recommendation: Use a SAST solution that can analyze vulnerabilities across your application.
SAST solutions of the past often gave people a bad first impression. They cranked out an avalanche of false positives that were primarily the result of using default, out-of-the-box presets when starting scans. However, some false positives are inevitable, and eliminating them will likely increase the risk from false negatives.

AppSec teams can minimize false positives by using the appropriate profile for the code, selecting rules for the correct coding language, and building custom queries as needed. For example, if an organization has developed its own custom sanitizer, telling the SAST about this sanitizer by adjusting the queries can eliminate false positives. Having a customizable query language is key to reducing false positives without enabling false negatives. Every company writes code differently. Selecting a SAST solution that allows for easy query customization ensures that legitimate company-specific styles won’t be flagged.

Some vendors also offer developer versions of their SAST, primarily designed to only highlight the most critical vulnerabilities. In developer-centric organizations that have limited resources to triage scan results, have lower AppSec maturity overall, but still want to get started with noise-free scans, these options, while less comprehensive, can make sense.

Regardless of the approach, the key to solving the false positive/false negative dilemma is to select a SAST solution that allows for easy and efficient query customization.

Recommendation: Use a SAST solution that can minimize both false positives AND false negatives.
The need
for speed
In today’s modern application and cloud-
native world, development approaches like
agile and DevSecOps are the new normal.
Security at speed is imperative for meeting
deadlines. In this context, scan speed and
fixing problems fast are top considerations
for SAST solutions. We discuss both of these
concepts in the next section.
Speed is not solely measured by what can scan code the fastest. Instead, it is about the overall time it takes to accurately scan code AND remediate security issues. Secure software is the goal. It is critical to look at both the time to write code and deploy code.

Select a SAST solution that supports incremental scans without requiring a complete build to launch a scan. Waiting for code to compile before scanning is cumbersome. If developers need to compile their code each time they make changes, this adds significant time. Many developers will simply skip scans or ignore the results, and as they get more results, they may become overwhelmed with the process of remediation. However, breaking down the tasks and incrementally scanning after major changes saves time by avoiding tedious rebuilds. SAST solutions can also reduce scan times by scanning at the source code repository level (e.g., GitHub, GitLab, Azure, Bitbucket), avoiding the need to rebuild code, and only scanning the updated portion of the code.

Having the ability to scan uncompiled code provides significant value. This avoids the time spent waiting for code to compile, running a scan, remediating risk, then compiling again so another scan can be performed. This can be a huge waste of time and resources.

Recommendation: Use a SAST solution that can scan uncompiled code, and code directly from repositories.
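A caveat that goes with "only scanning the updated portion of the code": when vulnerabilities span files, the rescan scope after a change has to include the files that exchange data with the changed ones, not just the changed files themselves. The following Python example is added here to illustrate that; it is not code from this guide or from any SAST product. It assumes a hypothetical scanner that kept a per-file data-flow graph from its previous full scan, and the project layout, the graph, and the `git diff --name-only` output are all constructed for the example.

```python
"""Incremental scan scope after a change (toy model, not a vendor's engine).

Assumption: the previous full scan recorded which file passes data into which
other file, so a later run can rescan only what that change can affect,
without rebuilding the project.
"""
from collections import deque

# Constructed: file -> files it passes data into, as recorded by the last full scan.
DATA_FLOWS_TO = {
    "web/handler.py": ["util/parse.py"],
    "web/admin.py": ["util/clean.py"],
    "util/parse.py": ["db/query.py", "util/build.py"],
    "util/clean.py": ["db/query.py"],
    "util/build.py": ["report/export.py"],
    "db/query.py": [],
    "report/export.py": [],
    "docs/README.md": [],
}

# Constructed `git diff --name-only` output for the change being scanned.
DIFF_OUTPUT = """\
util/parse.py
docs/README.md
"""

SCANNABLE_SUFFIXES = (".py",)


def changed_files(diff_output):
    """Source files named in `git diff --name-only` output; non-code files are skipped."""
    return [ln.strip() for ln in diff_output.splitlines()
            if ln.strip().endswith(SCANNABLE_SUFFIXES)]


def _reverse(graph):
    rev = {f: [] for f in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def _closure(start, graph):
    """Every file reachable from `start` by following graph edges."""
    seen, queue = set(start), deque(start)
    while queue:
        f = queue.popleft()
        for nxt in graph.get(f, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def incremental_scope(changed, flows_to):
    """Files whose findings a change can alter: the changed files, every file
    downstream of them (sinks the data may now reach) and every file upstream
    (sources whose data passes through the changed code).

    Rescanning the changed files alone would miss a flow whose sink sits in
    another file, which is exactly the cross-file vulnerability flow analysis exists to catch.
    """
    downstream = _closure(changed, flows_to)
    upstream = _closure(changed, _reverse(flows_to))
    return sorted(downstream | upstream)


def files_skipped(changed, flows_to):
    """How many files a full rescan would have covered unnecessarily."""
    return len(flows_to) - len(incremental_scope(changed, flows_to))


if __name__ == "__main__":
    changed = changed_files(DIFF_OUTPUT)
    print("changed:", changed)
    print("rescan scope:", incremental_scope(changed, DATA_FLOWS_TO))
    print("files skipped versus a full scan:", files_skipped(changed, DATA_FLOWS_TO))
```

Editing util/parse.py pulls in db/query.py, util/build.py and report/export.py (downstream) plus web/handler.py (upstream), while web/admin.py, util/clean.py and the README are left alone. A scanner that rescanned only util/parse.py would be fast but could not tell whether the edit opened a new path to the SQL or command sink in another file.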
Although application security testing activities are designed to find coding errors that could lead to potential vulnerabilities, the ultimate purpose is to produce more secure applications. SAST solutions must lead developers to where coding errors exist and guide them on the best approach to remediate them. This will reduce Mean Time to Remediation (MTTR).

As mentioned in consideration #3, some SAST solutions rely on regex and pattern-matching approaches that lack perspective into what the code is actually doing and don’t provide context into how various parts of code work together. Other SAST solutions analyze code at a much deeper level to put into context the actions the code performs throughout the entire application — from source to sink — and use that information to not only find coding errors but, more importantly, to provide what is called a best fix location. By modifying code at the best fix location, that single fix can eliminate multiple vulnerabilities and reduce the number of code corrections needed. Fast scans that miss vulnerabilities because they don’t understand how the code relates to the applications are not the goal. But neither is forcing already rushed developers to go through each error with a fine-toothed comb. With best fix location, a single fix can eliminate multiple vulnerabilities throughout the application.

For organizations that want to measurably reduce MTTR, SAST solutions that understand code at a much deeper level are highly desired because they lead developers to the perfect location to fix an error. Often when one error is fixed in earlier lines of code, other errors found in later lines of code are remediated as well. This reduces the number of issues tremendously and provides triage prioritization in a simple, user-friendly way to speed remediation.

Recommendation: Use a SAST solution that can identify the best location to fix multiple vulnerabilities at once.
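Three of the guide's points, the cross-file flow analysis of consideration #3, the custom sanitizer query of consideration #4 and the best fix location above, can be seen on one small model. The Python below is an added example, not code from this guide or from any SAST vendor: a hand-built data-flow graph stands in for a code base spread over several files, a couple of regexes stand in for a pattern-matching tool, and the file names, statements, sink names and the company-specific sanitizer `acme_escape` are all constructed.

```python
"""Toy source-to-sink data-flow scan versus pattern matching (constructed model)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    file: str   # file the statement lives in
    line: int
    kind: str   # "source", "sink" or "stmt"
    name: str   # function or API the statement calls
    stmt: str   # statement text (constructed)


# Constructed sample program: statements in six files, keyed by a short id.
NODES = {
    "src_q":       Node("web/handler.py", 12, "source", "request.args", 'q = request.args["q"]'),
    "src_name":    Node("web/admin.py", 40, "source", "request.form", 'name = request.form["name"]'),
    "normalize":   Node("util/parse.py", 8, "stmt", "normalize", "value = normalize(q)"),
    "acme_escape": Node("util/clean.py", 5, "stmt", "acme_escape", "value = acme_escape(name)"),
    "build_cmd":   Node("util/build.py", 14, "stmt", "concat", 'cmd = "zip " + value'),
    "sql_sink":    Node("db/query.py", 20, "sink", "cursor.execute",
                        'cursor.execute("SELECT * FROM t WHERE c=" + value)'),
    "cmd_sink":    Node("report/export.py", 33, "sink", "os.system", "os.system(cmd)"),
}
# Data-flow edges: the value produced at the key flows into each listed statement.
EDGES = {
    "src_q": ["normalize"],
    "normalize": ["sql_sink", "build_cmd"],
    "build_cmd": ["cmd_sink"],
    "src_name": ["acme_escape"],
    "acme_escape": ["sql_sink"],
}
# Sanitizers the scanner knows out of the box; acme_escape is company-specific (constructed).
DEFAULT_SANITIZERS = frozenset({"html_escape", "shlex.quote"})
# Pattern-matching rules: "a sink call whose argument is built by concatenation on this line".
REGEX_RULES = [re.compile(r"execute\(.*\+"), re.compile(r"system\(.*\+")]


def regex_scan(nodes, rules):
    """Look at each statement in isolation, as a regex-based tool does."""
    return sorted(k for k, n in nodes.items() if any(r.search(n.stmt) for r in rules))


def find_flows(nodes, edges, sanitizers):
    """Enumerate source-to-sink paths that do not pass through a known sanitizer."""
    flows = []

    def walk(key, path):
        if key in path:                   # guard against cyclic data flow
            return
        node = nodes[key]
        if node.name in sanitizers:       # taint is neutralised here; not a finding
            return
        path = path + [key]
        if node.kind == "sink":
            flows.append(path)
            return
        for nxt in edges.get(key, []):
            walk(nxt, path)

    for key, node in nodes.items():
        if node.kind == "source":
            walk(key, [])
    return flows


def best_fix_location(nodes, flows):
    """Intermediate statement shared by the most flows; one fix there clears all of them."""
    shared = Counter(k for f in flows for k in f[1:-1])
    if not shared:
        return None
    key, covered = shared.most_common(1)[0]
    return key, covered, f"{nodes[key].file}:{nodes[key].line}"


def describe(nodes, flow):
    return " -> ".join(f"{nodes[k].file}:{nodes[k].line}" for k in flow)


if __name__ == "__main__":
    print("regex hits:", regex_scan(NODES, REGEX_RULES))   # sql_sink only; os.system(cmd) is missed
    default = find_flows(NODES, EDGES, DEFAULT_SANITIZERS)
    print(f"{len(default)} flows with default sanitizers:")
    for f in default:
        print("  ", describe(NODES, f))
    tuned = find_flows(NODES, EDGES, DEFAULT_SANITIZERS | {"acme_escape"})
    print(f"{len(tuned)} flows once acme_escape is registered as a sanitizer")
    print("best fix location:", best_fix_location(NODES, tuned))
```

The regex rules flag db/query.py:20 once and say nothing about report/export.py:33, because the concatenation feeding os.system happens in another file. The flow analysis reports three paths with the default sanitizer list, one of which is a false positive (the value went through acme_escape); registering that sanitizer, which is what the guide means by adjusting a query, drops it to two true findings. Both remaining flows pass through util/parse.py:8, so that statement is the best fix location: sanitizing there clears the SQL and the command sink in one change instead of two.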
07 Turn developers into security heroes

Developers are typically not security experts. By providing them with a SAST solution that shows them how to fix vulnerabilities and educates them about security flaws, they can write more secure code in the future, making their jobs easier and turning them into security heroes.

Some SAST solutions leave developers in the dark. Others make it very clear where and how to fix a vulnerability. Some solutions come with a quick, digestible description of what caused a vulnerable situation, and even offer quick tips and advice on how to remediate it, helping developers write more secure code in the future. SAST solutions that offer this sort of guidance are far superior to those that don’t. Some solutions deliver secure coding training modules that are designed to increase developers’ skills and overall security awareness. Bite-sized, gamified training allows for easy and quick learning that increases developer adoption, and this approach may even enhance employee retention. With the right SAST solution, your developers likely won’t need to go to Stack Overflow or Reddit seeking advice on how to fix an issue.

The ultimate training to enhance security-minded skills combines the ability to get trained, obtain remediation advice, and edit code right from the tools developers are using. SAST solutions that incorporate training into the process of writing code ultimately reduce time spent fixing code.

Recommendation: Turn developers into security heroes by using a SAST solution that teaches them how to fix vulnerabilities.
Selecting one language or framework over another is often driven by preference, requirements, and organizational standards. Certain languages are more appropriate for different types of applications. For example, many computer games and embedded systems are written in C++, whereas mobile apps may be written in Swift or Dart.

Developers have their own goals and priorities, often driven by time allotted, and some languages are better suited for certain types of tasks than others. Understanding this, SAST solutions must natively support an extremely broad set of languages and frameworks. For example, if you’re in finance, the organization may need to support legacy languages such as COBOL, which still powers many banking transactions, as well as emerging mobile application development languages such as Flutter and Dart.

Even though different developers may work on both components, organizations can maximize efficiencies by standardizing on a single application security platform, rather than resorting to a mishmash of vendors.

When selecting a SAST solution, look for vendors that support the largest number of languages and frameworks. You should also evaluate vendors on how often they add new languages that are trending in the industry so you can future-proof your application security platform.

Recommendation: Use a SAST solution that supports a wide array of languages and frameworks.
09 Don’t forget integration and automation

As noted above, the software development life cycle is complex, with multiple moving parts. Interruptions to this life cycle, and additional steps and stages, simply add frustration, delay secure deployment, and make it less likely that developers will use the tools in your organization. Therefore, integrating and automating SAST solutions into the development life cycle are imperative to increasing development adoption and achieving shift everywhere. Here are some examples of common integrations:

+ Source Code Management (SCM) solutions (Bitbucket, GitHub, GitLab)
+ Integrated Development Environment (IDE) solutions (Eclipse, IntelliJ, Visual Studio)
+ Continuous Integration/Continuous Delivery (CI/CD) solutions (Jenkins, CircleCI, Bamboo, Team City)
+ Feedback solutions (Azure DevOps, Jira, Rally)

No one can predict every tool, and some organizations use less popular tools. It’s also important that custom integrations are supported. The whole point is to embed security testing throughout development so it becomes a natural and well-accepted part of the development process itself — without causing delays. Developers and release managers can get early warning if vulnerabilities are introduced. In fact, if done right, fully integrated and automated security testing can result in accelerating secure application delivery and deployment. Application security testing should also be able to fully fit within everyday processes, so developers don’t have to change what they are already doing. This reduces friction, accelerates developer adoption, and improves secure software initiatives. When comparing SAST solutions, pay close attention to their ability to seamlessly integrate and automate into your development environments and processes with ease.

Recommendation: Use a SAST solution that integrates into and automates development.
Security must be expandable and scalable

For organizations that desire to produce more secure software, the usage of multiple application security testing (AST) solutions is imperative to address vulnerabilities that likely exist in the various types of code that make up a modern application. Organizations frequently use an array of security testing solutions in addition to SAST, such as DAST, SCA, Supply Chain Security (SCS), container security, and API security. By unifying solutions across a single AppSec platform, they can get a more comprehensive picture of their risks and vulnerabilities. In addition, some solutions correlate the results across scanning engines for more accurate results.
Today, there is no need to source and stitch together various point products to deliver what is needed to secure modern applications. Relying on point solutions that don’t talk to one another results in more complicated integrations and wasteful spending. Taking a platform-based approach means the vendor has already done the work of integrating multiple AST capabilities into one single AppSec platform.

Purposely designed for today’s technology stack, processes, vulnerabilities, and risks, a comprehensive application security platform enables you to simplify security — in applicative code, open source dependencies, supply chains, IaC, APIs, containers, and more — all from a single scan. If built from industry-leading AST solutions, a platform should be able to provide rapid, correlated, and accurate results to speed remediation.

When looking for a SAST solution, if it is a part of a unified AppSec platform, it will provide the best value to secure modern applications. A complete platform should also provide a centralized dashboard for SAST, SCA, SCS, API security, DAST, IaC security, and container security.

Additionally, a platform should be able to grow with you as your needs change over time. When comparing platform-based approaches, make sure they can correlate scan results across different scanning engines so you can obtain an overall risk assessment across projects and applications, instead of trying to manually aggregate results from various standalone AST tools.

Recommendation: Use a SAST solution that is part of a larger platform and integrates with your other AppSec engines.
Even the best tool does not always take organizations to the next level in their application security maturity. Advice from application security and change-management experts can bring organizations to the next level.

Organizations can benefit from professional methodologies to use AST solutions more efficiently and help encourage adoption. To get the best value and fastest ROI, an AppSec maturity model helps organizations get the most out of their solutions and improve their security maturity and capabilities.

Key benefits of a maturity model include:

+ Rapidly assess and understand the current state of AppSec activities
+ Find gaps and measure progress through repeat assessments
+ Plan a desired end-state and carry out specific steps towards achieving that goal
+ Get best-practices guides for program components for internal stakeholders

Recommendation: Rely on AppSec experts who can help your organization make security strategic and improve your organization’s application security maturity.