September 28, 2025 at 4:04 PM • Max Knyazev is typing… (Telegram mirror)

I didn’t think that I would write posts like this, but a recent meeting with a customer made me realize that many people, even within IT, do not distinguish between the classes of security tools used in secure software development and the DevSecOps philosophy. So I decided to make a series of posts in which I will try to explain in accessible language what SAST, DAST, IAST, SCA and many other classes of solutions are. The posts will not be published back to back, so that the experienced guys don’t get tired of reading about what they already know. Let's start.
What is SAST?
When a developer writes code, he usually thinks only about the program doing its task. As a rule, he does not think about making the code secure. This is where SAST (Static Application Security Testing, or in Russian “static code security analysis”) comes in, together with an AppSec engineer who will later triage everything that the scanner finds in the code.
In order not to come up with a definition myself, I will use a quote:
Static analysis allows you to check the source code of a program or its individual parts at any stage of the development cycle, without running the software being developed. Static analysis can be classified as a white-box method because it requires access to the application's source code.
ⓒ Information from the official Solar website
What is SAST used for?
In very simple terms, imagine that we are writing an application using some technology stack (programming languages, databases, etc.) and we have access to its source code. SAST analyzes that code, looks for vulnerabilities in it and generates a report from which we can understand where and what in the code should be fixed so that an attacker cannot take advantage of it and hack the application.
How does this even work?
Imagine that you have a thick book of code. SAST is a kind of smart proofreader that carefully rereads it, but not with its eyes: like a machine, it builds diagrams, tables and connections.
First, it turns the code text into a tree, where you can see which functions exist, which variables are used and what is passed where. It's like a subway map: the stations are functions and pieces of code, and the lines are the connections between them. Then SAST starts looking: “Here the user enters some text. Where does it go next?”, and it tracks the entire route of that string through the program. If in the end it lands, for example, in an SQL query without filtering, that is a red flag.
SAST has a base of rules and templates: “passwords cannot be stored in code”, “a file cannot be opened without checking the path”, etc. It compares everything it finds in the code against these rules; whatever violates a rule ends up in the report. If you are interested in reading more about how SAST works internally, you can do so here.
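As an added illustration (my own example, not code from the post or from any of the tools it names), here is a toy taint tracker over Python's `ast` module that does what the subway-map description above says: it marks text that comes from a user-input source, follows it through assignments, and flags it when it reaches an SQL sink unfiltered. The source and sink names and the vulnerable handler are constructed assumptions.

```python
import ast

# Constructed sample (not from the post): a handler with two unsafe SQL calls
# and one parameterised call, which is the correct fix.
SAMPLE = '''
def handler(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cursor.execute(query)
    safe = "SELECT * FROM users WHERE name = %s"
    cursor.execute(safe, (user,))
    cursor.execute(f"SELECT * FROM users WHERE name = '{user}'")
'''

SOURCES = {"request.args.get", "input"}  # assumed entry points of untrusted text
SINKS = {"cursor.execute"}               # assumed SQL sink; arg 0 is the query text

def is_tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source directly."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        # ast.unparse (Python 3.9+) renders request.args.get as a dotted string
        if isinstance(sub, ast.Call) and ast.unparse(sub.func) in SOURCES:
            return True
    return False

def scan_body(body, tainted, findings):
    """Walk statements in source order, propagating taint through assignments."""
    for stmt in body:
        if hasattr(stmt, "body"):  # nested block: recurse (try handlers skipped)
            scan_body(stmt.body, tainted, findings)
            scan_body(getattr(stmt, "orelse", []), tainted, findings)
            continue
        if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
            tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        for sub in ast.walk(stmt):  # any sink call in this statement?
            if (isinstance(sub, ast.Call) and ast.unparse(sub.func) in SINKS
                    and sub.args and is_tainted(sub.args[0], tainted)):
                findings.append(sub.lineno)

def find_sql_injection(source_code):
    """Return line numbers where tainted text reaches the query argument of a sink."""
    findings = []
    scan_body(ast.parse(source_code).body, set(), findings)
    return findings
```

Running `find_sql_injection(SAMPLE)` reports lines 5 and 8 (string concatenation and f-string) and stays silent on line 7, where the user value travels as a bound parameter rather than inside the query text.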
How can you use SAST?
You can deploy a scanner with a web interface and upload the project repository there directly, or you can connect the scanner to the pipeline. That is, if you want to add a project manually, please do; if you want to automate the process, no problem.
Basic Tools for Implementing SAST
There are both open source (free and open source) solutions and commercial products. Among open source, Semgrep, CodeQL and SonarQube are worth noting. There are also scanners for specific languages, for example Bandit for Python.
Among domestic (Russian) commercial solutions we can highlight Solar appScreener, PT Application Inspector and PVS-Studio. Among Western ones: Checkmarx, Fortify and Snyk Code. Both domestic and foreign solutions are complex tools that include not only SAST but also other analysis methods (and their price is correspondingly high).
In my practice I have worked with different static code analysis tools: solutions like Semgrep, and also PT AI (in which I was trained and passed the certification exam).
P.S. If this post was useful to you or you have any questions, write about it in the comments. It’s important for me to understand how much sense it makes to talk about such things on my channel.
#information_security #sast