Application security

What are the benefits of SAST testing in CI/CD pipelines?

TF 70px2 png

ThreadFix Team


Blog Images 2022 TF Coalfire logo grey

Static application security testing (SAST) is traditionally used in software development lifecycles both early on in the process and often to “white box” test all files containing source code. Integrating SAST into modern CI/CD pipelines allows developers to continuously monitor their code, providing scrum masters and product owners with the insights needed to regulate the security standards within their organization. This leads to faster identification and remediation of vulnerabilities.

Most SAST scanners are able to test for vulnerabilities against the leading industry standards such as the OWASP Top-10, SANS Top 25, HIPAA, PCI DSS, and MISRA. This provides coverage against the most commonly used exploits including SQL injection, cross-site scripting (XSS) and cross-site request forgery. Testing for these throughout the CI/CD pipeline helps reduce organizational costs for addressing vulnerabilities and deliver more secure applications.

Checkmarx CxSAST engine provides organizations with enterprise level support for more than 22 coding languages to identify source code vulnerabilities through SAST scanning. When used in conjunction with dynamic application security testing (DAST) to “black box” test the application after it is up and running, the two scanning methodologies provide comprehensive vulnerability coverage.

Using our patented Hybrid Analysis Mapping (HAM), ThreadFix allows security teams to automatically merge scan results from Checkmarx CxSAST with industry leading DAST scanning tools. These scan results are then correlated and de-duped, before our HotSpot Identification technology highlights the most vulnerable components developed and shared within the organization.

Thanks to ThreadFix’s REST API integrations, scans from both Checkmarx CxSAST and other scanning tools can be scheduled to automatically run as part of embedded security efforts throughout the CI/CD pipeline.