Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Application Security Services

Static Application Security Testing (SAST)

  • May 8, 2025

Sherlocked Security – Static Application Security Testing (SAST)

Catch Vulnerabilities Early by Scanning Source Code Before Runtime


1. Statement of Work (SOW)

Service Name: Static Application Security Testing (SAST)
Client Type: Enterprises, Fintechs, SaaS Providers, DevOps Teams
Service Model: Source Code Security Analysis as a Managed or On-Demand Service
Compliance Coverage: OWASP Top 10, CWE/SANS Top 25, ISO 27001, SOC 2, PCI-DSS

Assessment Types:

  • Source Code Analysis
  • Pre-commit and CI-integrated Security Checks
  • Custom Rule Development for Business Logic Flaws
  • Secure Coding Guideline Mapping

2. Our Approach

[Source Code Intake] → [Toolchain Configuration] → [Automated SAST Execution] → [Manual Verification] → [Report Generation] → [Remediation Guidance] → [Revalidation & Certification]


3. Methodology

[Codebase Inventory] → [Baseline Security Scan] → [False Positive Triage] → [Business Logic Review] → [Secure Code Recommendations] → [CI/CD Integration Plan] → [Final Report & Fix Support]


4. Deliverables to the Client

  1. Static Application Security Testing Report
  2. Exploitable Vulnerabilities List with Risk Levels
  3. CWE, OWASP Top 10, and NIST Mapping
  4. Secure Coding Improvement Plan
  5. Integration Guidelines for CI/CD Pipelines
  6. Developer Remediation Support (via call or written advisory)
  7. Revalidation Report Post-Fix
  8. Certificate of SAST Completion (on request)

5. What We Need from You (Client Requirements)

  • Access to full or partial source code
  • Information on programming languages, frameworks, and repos
  • Temporary access to CI/CD or repo (read-only)
  • NDA and scope approval
  • Optional: Developer contact for remediation sessions

6. Tools & Technology Stack

  • SonarQube / Checkmarx / Fortify / Veracode
  • GitHub Advanced Security / CodeQL
  • Semgrep / Bandit / Brakeman / ESLint Security
  • Polyglot support: Java, Python, JavaScript, Go, Ruby, PHP, .NET
  • Custom rule engines for business logic detection
  • IDE Plugins (VSCode, IntelliJ, Eclipse)
  • Git Hooks / Pre-commit Security Tools

7. Engagement Lifecycle

1. Discovery Call → 2. Source Code Access → 3. SAST Setup & Execution → 4. Triage & Manual Review → 5. Reporting → 6. Developer Support → 7. Revalidation Scan → 8. Final Certificate


8. Why Sherlocked Security?

Feature                          Sherlocked Advantage
Deep Code Intelligence           SAST tuned for both common and custom flaws
Manual + Automated Analysis      No over-reliance on tools; human validation adds accuracy
CI/CD Native Integration         Pre-merge, pre-prod scanning support
Secure Coding Advisory           Language-specific guidance and fix plans
OWASP & CWE Mapped Reporting     Aligns to recognized vulnerability frameworks
Revalidation & Closure           Patch verification and certification included

9. Real-World Case Studies

E-Commerce Platform: CI-Integrated SAST Deployment

Issue: Lack of secure coding checks led to injection vulnerabilities reaching production.
Impact: A SQL injection in the order-processing logic exposed customer data.
Our Role: Integrated Checkmarx with GitHub pipelines, trained developers.
Outcome: 85% reduction in recurring input validation issues across microservices.

Banking App: Business Logic Flaw Discovery

Client: Digital Banking Fintech
Findings: Logic bypass in funds transfer code due to insufficient validation.
Outcome: Custom rule created in SAST engine to detect similar flaws proactively.


10. SOP – Standard Operating Procedure

  1. Source Code Collection & Environment Setup
  2. Language & Framework Detection
  3. Baseline Scan using SAST Tool(s)
  4. False Positive Elimination & Manual Triage
  5. Custom Business Logic Checks
  6. Secure Coding Recommendations
  7. Integration Planning for CI/CD
  8. Developer Fix Support Sessions
  9. Revalidation Scan & Closure Report
  10. Final Certificate (Optional)

11. SAST Testing Checklist

1. Pre-Engagement Setup

  • Identify repositories, modules, and microservices in scope
  • Confirm supported programming languages, frameworks, and custom components
  • Inventory third-party libraries, package managers, and proprietary dependencies
  • Determine access method (GitHub/GitLab, ZIP archives, CI/CD access)
  • Validate build and pre-processing tools (e.g., Maven, Gradle, Webpack, TypeScript compilers)
  • Define code coverage expectations (full repo, modules, or critical flows only)
  • Finalize scanning cadence (one-time, scheduled, pre-merge, post-commit)
  • Exclude generated code, third-party libraries, and test artifacts from scans

2. Scanning Configuration

  • Select SAST engine based on language and CI/CD compatibility (e.g., Checkmarx, SonarQube, Semgrep, Fortify)
  • Enable rule sets covering OWASP Top 10, CWE Top 25, PCI-DSS, and NIST mappings
  • Activate taint analysis features to trace untrusted data to critical sinks
  • Configure custom rules for proprietary functions and business logic controls
  • Enable detection for hardcoded secrets, API tokens, and private keys
  • Map known vulnerable functions and APIs to severity scoring
  • Enable IDE integration (optional) for developer feedback loops
  • Configure CI/CD policy enforcement (e.g., break build on High/Critical issues)
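As an added illustration of the taint-analysis bullet above (example code, not Sherlocked's or any listed engine's), a minimal intra-procedural taint tracker over Python's AST: it marks variables assigned from source calls as untrusted and flags single-argument sink calls that consume them, treating the parameterized execute() overload as sanitized. The SOURCES/SINKS sets and the sample function are assumptions constructed for this page.

```python
"""Minimal intra-procedural taint analysis over a Python AST, added here to
illustrate what a SAST rule that "traces untrusted data to critical sinks"
does. The source/sink lists and the sample function are constructed."""
import ast

SOURCES = {"request.args.get", "request.form.get", "input"}   # untrusted data
SINKS = {"cursor.execute", "os.system", "subprocess.call"}    # dangerous calls

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls a source directly."""
    return any((isinstance(n, ast.Name) and n.id in tainted)
               or (isinstance(n, ast.Call) and dotted(n.func) in SOURCES)
               for n in ast.walk(expr))

def preorder(node):
    """Walk the tree in source order so assignments are seen before later uses."""
    yield node
    for child in ast.iter_child_nodes(node):
        yield from preorder(child)

def find_taint_flows(source):
    """Return [(sink, line)] for each sink call whose sole argument is tainted.
    Extra arguments (e.g. a parameterized query) are treated as a safe overload."""
    tainted, findings = set(), []
    for node in preorder(ast.parse(source)):
        if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif isinstance(node, ast.Call) and dotted(node.func) in SINKS:
            if len(node.args) == 1 and is_tainted(node.args[0], tainted):
                findings.append((dotted(node.func), node.lineno))
    return findings

# Constructed sample in the spirit of the order-processing SQLi case study.
SAMPLE = '''def get_order(cursor, request):
    order_id = request.args.get("id")
    query = "SELECT * FROM orders WHERE id = " + order_id
    cursor.execute(query)
    cursor.execute("SELECT * FROM orders WHERE id = %s", (order_id,))
'''
```

Running find_taint_flows(SAMPLE) reports only the string-concatenated query on line 4; the parameterized call on line 5 is accepted.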

3. Scan Execution

  • Perform baseline scan on main development and staging branches
  • Validate parser behavior across polyglot codebases (e.g., JS/TS with backend in Python/Java)
  • Confirm that dataflow and control flow are accurately modeled in large files or dynamic typing contexts
  • Run scans with verbose logging to catch parsing errors, unsupported files, or truncation
  • Ensure full file coverage metrics meet pre-defined thresholds
  • Export raw scan results in standardized formats (e.g., SARIF, JSON, XML) for audit compliance

4. Result Triage & Manual Review

  • Prioritize exploitable vulnerabilities with reachable code paths
  • Eliminate false positives, especially in test code or unused libraries
  • Identify unvalidated input vectors (forms, API parameters, deserialization entry points)
  • Detect code-level injection flaws (SQLi, XSS, OS Command, LDAP, XXE)
  • Assess insecure authentication logic, bypasses, or hardcoded credentials
  • Review cryptographic misuse (e.g., MD5, static IVs, ECB mode, insecure RNGs)
  • Evaluate authorization bypasses (missing RBAC checks, broken object-level auth)
  • Validate insecure file uploads, path traversal, and local file inclusion risks
  • Flag insecure logging of sensitive data (PII, tokens, credentials)
  • Correlate findings with CI/CD pipeline variables, secrets, or containerized deployment misconfigurations

5. Reporting & Remediation

  • Document all verified findings with severity, file path, line number, and technical impact
  • Map each issue to OWASP, CWE, and business risk
  • Provide secure code examples or remediation snippets
  • Group recurring code smells and insecure patterns for developer-wide awareness
  • Include coverage metrics: files scanned, rules triggered, false positive ratio
  • Provide CI/CD integration instructions and security gate examples
  • Suggest fixes for build scripts or custom tooling gaps (e.g., minification or obfuscation blocking scan depth)
  • Deliver final report in PDF and data-extractable format (CSV/SARIF/JSON)
  • Conduct remediation support sessions or Q&A walkthroughs with developers
  • Perform revalidation scan post-fix and issue closure summary with delta comparison
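An added example (not Sherlocked's tooling) of the CI/CD security gate and post-fix delta comparison this checklist describes: it reads SARIF output, fails only on High/Critical findings that are new relative to a baseline scan, and keys each finding by the tool fingerprint or by (ruleId, file, line). The severity mapping, rule IDs and both SARIF documents are constructed assumptions.

```python
"""CI security gate over SARIF output, added here as an example (not the
page's tooling): it fails the build only on High/Critical findings that are
new relative to a baseline scan, i.e. the delta a revalidation step reports.
The severity mapping and the sample SARIF documents are constructed."""

BLOCKING = {"critical", "high"}

def severity(result):
    # Assumption: tools set properties.severity, or level "error" for high-impact rules.
    sev = result.get("properties", {}).get("severity")
    if sev is not None:
        return str(sev).lower()
    return "high" if result.get("level") == "error" else "low"

def fingerprint(result):
    # Stable identity: tool fingerprint when present, else (ruleId, file, line).
    fp = result.get("partialFingerprints", {}).get("primaryLocationLineHash")
    if fp:
        return ("hash", fp)
    loc = result["locations"][0]["physicalLocation"]
    return (result["ruleId"], loc["artifactLocation"]["uri"], loc["region"]["startLine"])

def results(sarif):
    return [r for run in sarif.get("runs", []) for r in run.get("results", [])]

def gate(current, baseline=None):
    """Return (passed, new_blocking): blocking findings absent from the baseline
    (every blocking finding counts when no baseline is supplied)."""
    seen = {fingerprint(r) for r in results(baseline or {})}
    new_blocking = [r for r in results(current)
                    if severity(r) in BLOCKING and fingerprint(r) not in seen]
    return (not new_blocking, new_blocking)

def make_sarif(*findings):
    """Build a minimal SARIF 2.1.0 document from (ruleId, uri, line, level) tuples."""
    return {"version": "2.1.0", "runs": [{"results": [
        {"ruleId": rid, "level": lvl, "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}
        for rid, uri, line, lvl in findings]}]}

# Constructed sample: the baseline already contained the SQL injection; the
# rescan adds a new command injection plus a low-severity note.
BASELINE = make_sarif(("rule/sql-injection", "orders/views.py", 42, "error"))
RESCAN = make_sarif(("rule/sql-injection", "orders/views.py", 42, "error"),
                    ("rule/command-injection", "jobs/runner.py", 17, "error"),
                    ("rule/log-injection", "jobs/runner.py", 30, "note"))

if __name__ == "__main__":
    passed, new = gate(RESCAN, BASELINE)
    print("PASS" if passed else "FAIL", [(r["ruleId"], fingerprint(r)[2]) for r in new])
```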
