# Static Application Security Testing (SAST) Tools

A SAST tool compares source code against a set of patterns (rules) to search for security issues. It inspects the code itself rather than the running program, so it needs no test input, but it can also only report what one of its rules describes.

# Background

A SAST tool is usually run while the software is being developed. This can be a linter with a security-specific plugin (see here), or a dedicated tool such as SonarQube or LGTM, which can be integrated into the version control system so that every commit or pull request is scanned.

Both SonarQube and LGTM report a list of code locations in which one of their rules (patterns) matched. An overview of the native rulesets and how they help cover the OWASP Top 10 list can be found on page 90 of the Master's Thesis.

# Problems

  • False positives and, especially, false negatives: a reported block is only a pattern match and still has to be reviewed, while code that matches no pattern is reported as clean even if it is vulnerable
  • Security testing depends entirely on the rules defined in the tool: a class of vulnerability for which no rule exists is never found
Last Updated: 3.7.2022, 15:51:46