From the course: Application Security Posture Management: Security from the Supply Chain to Cloud Runtime
Static application security testing (SAST)
- [Instructor] Now that we've broken up the parts of a repository into its usual pieces, let's start by talking about static application security testing, which is abbreviated to SAST. SAST scanning is one of the more traditional application security scanners with some like Fortify being around since 2003. As applications began to develop, some common patterns of exploitation began to develop alongside those applications. Scanners were introduced to look for these vulnerable patterns of code. One company called Backslash has created an awesome CWE database, where you can see the trends of these exploit patterns over time, and many people are surprised to see that old attacks, like SQL injection, continue to be a commonly discovered and disclosed vulnerability. Let's go ahead and use one of these, a SQL injection, for our example, because it's an easy exploit to understand. Looking at this code, you can see we connect to a database, instantiate a connection, and then pass a username…
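The transcript cuts off at the point where the instructor's code passes a username into a query. As an added example (this is not the course's own code, nor the instructor's), the block below builds the same kind of login lookup twice: once with the username concatenated into the SQL string, and once with bound parameters. It then runs a toy pattern rule over the source of both functions, in the spirit of what a SAST scanner looks for. The SQLite table, its rows, the injection payload and the regex rule are all constructed here for illustration; a real SAST engine uses taint and dataflow analysis rather than a single-line regex, so treat `find_sql_concat` as a sketch of the idea, not a detection rule to ship.

```python
"""Added example: SQL injection in a username lookup, the parameterized fix,
and a toy SAST-style rule that flags SQL built by string concatenation.
Everything below (table, rows, payloads, the rule) is constructed for this
illustration and is not part of the course material."""
import inspect
import re
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct-horse", "admin"),
        ("bob", "battery-staple", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The classic vulnerable pattern: user input spliced into the query text.

    A username of  alice' --  turns the tail of the statement into a comment,
    so the password check never runs and alice's role comes back.
    """
    query = ("SELECT role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: bound parameters. The driver sends the SQL and the values
    separately, so input can never change the structure of the statement."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Toy SAST rule (an assumption of this example, not a real tool's rule):
# a string literal that starts with a SQL verb, on the same line as
# concatenation, an f-string, %-formatting or .format().
SQL_LITERAL = re.compile(r"['\"]\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
DYNAMIC_BUILD = re.compile(r"\+\s*\w|\bf['\"]|%\s*\(|\.format\(")


def find_sql_concat(source):
    """Return (line_number, line) pairs where SQL text is built dynamically."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SQL_LITERAL.search(line) and DYNAMIC_BUILD.search(line):
            findings.append((lineno, line.strip()))
    return findings


def scan_functions(*funcs):
    """Run the toy rule over the source of each function; keyed by name."""
    return {fn.__name__: find_sql_concat(inspect.getsource(fn)) for fn in funcs}


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"   # constructed injection payload
    print("vulnerable, wrong password + payload:", login_vulnerable(db, payload, "wrong"))
    print("safe, wrong password + payload:      ", login_safe(db, payload, "wrong"))
    for name, hits in scan_functions(login_vulnerable, login_safe).items():
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, line in hits:
            print(f"  line {lineno}: {line}")
```

Running it shows the vulnerable function returning `admin` for a wrong password once the comment payload is supplied, while the parameterized version returns nothing, and the toy rule flagging only the concatenated query. The point a practitioner should take from the scan half is that SAST finds the *pattern* (SQL text assembled from variables), not the exploit; it has no idea whether `username` is attacker-controlled, which is why real tools add taint tracking and why findings still need triage.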
Contents
- Challenges with securing code (4m 34s)
- Static application security testing (SAST) (4m 50s)
- Software bill of materials (SBOM) (5m 14s)
- Software composition analysis (SCA) (4m 50s)
- Secret scanning (5m 25s)
- Infrastructure as code scanning (3m 27s)
- Challenge: Run your own scan (59s)
- Solution: Run your own scan (1m 35s)