What Static Source Code Testing (SAST) open-source Tools can be used for the ISO Control A.14.2.1 Secure development policy?

While testing for security vulnerabilities in the application code, there are two types of testing methodologies used. One is Static Application Security Testing (SAST) and the other is Dynamic Application Security Testing (DAST). SAST is the type of testing in which application source code is analyzed without being executed in order to find vulnerabilities in it. The approach is useful in identifying vulnerabilities at the early stage of SDLC. However, some vulnerabilities like Authentication issues can’t be identified with automated SAST tools.

ADVANTAGES OF SAST METHODOLOGY?

There are several advantages of performing static testing of source code.

• It helps to identify vulnerabilities at an earlier stage of SDLC.
•  It is less expensive to fix vulnerabilities.
• It ensures secure coding since vulnerabilities are discovered within the Development phase.
• SAST tools can scan source code thoroughly and at a much faster pace than manual code reviews.

To fulfill the requirement of ISO 27001 for Control A.14.2.1 – Secure Development Policy, there are several open-source SAST testing tools depending on the programming language used. Some of the open source tools recommended by OWASP are shown in the table below.

Reference:

OWASP recommended SAST tools,
https://owasp.org/www-community/Source_Code_Analysis_Tools

• Share the blog on: