The classical challenge with static application security testing (SAST) was bridging the gap between security and development. In SAST’s early days, it was a tool for security pros, who threw the results of prerelease scans over the wall to developers to fix. Developers had to contend with large numbers of unclear findings and false positives, often presented late in the software development lifecycle (SDLC). In the last few years, as DevSecOps has taken hold, security pros became more aware of the need to shift left and engage with the developer earlier in the process, but the tooling was focused on the security persona.
As I listened to the vendor briefings for the “The Forrester Wave™: Static Application Security Testing, Q1 2021,” I was struck by how much the market has evolved. Pretty much every vendor in the SAST market is thinking in terms of the developer. SAST tooling is now so well integrated into the developer toolchain that many developers should be able to perform and respond to all SAST functions in their integrated development environments (IDEs), ticketing tools, build tools, or code repositories:
- In the IDE, developers can run scans, view findings, and follow links to explanations and code samples. In the best cases, developers can access contextual, interactive, secure development training right from the IDE.
- Many SAST tools automatically map security flaws to projects and severity in ticketing tools such as Jira, and some even automatically resolve tickets if subsequent scans indicate that the flaw has been fixed.
- In build tools like Jenkins, SAST will initiate a scan at build time and pass or fail the build based on the results. Quality gates that help determine whether the build passes can be based on discovered flaws’ severity or even their age.
- Within code repositories, SAST tools have integrated to allow automatic code scans at merge or pull.
- Since there are always exceptions, the top SAST tools allow developers to propose workarounds, such as deferring the issue until the next release, with a full workflow for approval of such requests.
Do all of the vendors evaluated in the SAST Wave do all of these equally well? Of course not. However, all of them are backing up their stated focus on the developer with more and deeper integrations with dev tools. If you haven’t looked at how your SAST tooling can better enable your development team, it’s time to take another look. Check out the full report here.