SAST Teaches How to Go Around Problems, Not Fix Them


Opinion: SAST tools have one advantage – they point the developer to the root cause of the problem. However, this is also a major disadvantage. They don’t teach the developer about the consequences. They don’t teach the developer how to avoid making mistakes. As a result, many developers create quick fixes and learn how to fool SAST instead of eliminating vulnerabilities.


It’s Not Enough Just to Find Root Causes


Recently, I came across a security report from one of the global DevSecOps platforms. This platform clearly prefers the use of SAST, which is understandable – they manage code, not the actual applications. What struck me immediately was the fact that there was no mention of vulnerabilities. The report focused on what’s wrong with the code, not on what can happen because there is something wrong with the code.


For example, the number one security issue, according to this report, is the lack of input validation. That’s no surprise at all to me. I know very well that most security vulnerabilities are caused by a lack of input validation. However, for me, the real problem is what can happen because of the lack of input validation or, more importantly, because of improper input validation.


You Need a Good Fix, Not Just an Easy Fix


While I was reading the report mentioned above, I was also proofreading an article written by another author. This article contained intentionally vulnerable PHP code along with a fix. The vulnerable code used MySQLi and built its SQL statements by simple string concatenation. It was a perfe ..
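To make concrete the difference between a quick fix for "missing input validation" and a fix that actually removes the vulnerability, here is an added example; it is not the code from the article being proofread nor from the DevSecOps report. The article's snippet used MySQLi against MySQL; this version uses PDO with an in-memory SQLite database so it runs offline without a server, and the table, rows and function names are all constructed for the example. The same prepared-statement pattern applies unchanged to mysqli.

```php
<?php
// Added example, not code from the original article. PDO + in-memory SQLite is
// used here only so the script runs stand-alone; the article's code used MySQLi.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
// Constructed sample rows; the second one contains an apostrophe on purpose.
$db->exec("INSERT INTO users (name, email) VALUES "
        . "('Alice', 'alice@example.com'), ('O''Brien', 'obrien@example.com')");

// Root cause as SAST reports it: untrusted $name is concatenated into the SQL
// text, so the value becomes part of the statement instead of data for it.
function findByNameUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The real fix: the statement text is fixed and the value is bound as a
// parameter. Whatever $name contains, it can only ever be compared, never parsed.
function findByNameSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input validation complements the fix rather than replacing it: it rejects values
// that make no sense for the field (here, a user id that is not a positive integer).
function validateUserId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('user id must be a positive integer');
    }
    return $id;
}

function findById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// An ordinary, legitimate name is enough to show why concatenation is wrong:
// the apostrophe terminates the string literal and the statement no longer parses.
$name = "O'Brien";
try {
    findByNameUnsafe($db, $name);
} catch (PDOException $e) {
    echo "Concatenated query failed on ordinary input: " . $e->getMessage() . PHP_EOL;
}
print_r(findByNameSafe($db, $name));          // one row: O'Brien
print_r(findById($db, validateUserId('1')));   // Alice
try {
    validateUserId('abc');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Run it with `php example.php` (the pdo_sqlite extension is bundled with most PHP builds). The point of the apostrophe test is that a quick fix which merely strips or escapes quotes to satisfy the scanner would also mangle a real user's name, while the parameterised query handles it correctly and removes the injection class entirely. With mysqli the equivalent is `$stmt = $mysqli->prepare('SELECT ... WHERE name = ?'); $stmt->bind_param('s', $name); $stmt->execute();`, which is the shape of fix the proofread article should end with.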