- A focus on depth rather than breadth: It uses a small set of high-confidence, targeted rules to identify vulnerabilities, trading coverage of every possible weakness for findings that are very likely to be real.
- It’s owned by development teams: Developers triage and fix findings as part of their regular workflow rather than waiting on an AppSec review.
- Prevents new vulnerabilities: It stops specific classes of vulnerabilities from entering the code base during development, before they reach a release.
- Requires second-generation SAST tools: To be effective, the tool must be fast and targeted enough to run on every commit and every pull request, returning results quickly and demanding as little of a developer’s attention as possible.
Regardless of whether you choose a modern or traditional SAST, there’s another consideration… to bundle or not to bundle. SAST vendors commonly bundle other application security testing (AST) tools, including software composition analysis (SCA), container scanning, and secret detection. For vendors, this makes sense: why sell you one thing if they can sell two, three, or more? But does it make sense for you?
In most cases, bundling is good for consumers too. But let’s go beyond the obvious (it can be cheaper). Bundling SAST with other ASTs can be hugely beneficial for productivity, assuming you have similar objectives for all your tools (e.g., developer productivity), because it can create a more integrated and streamlined AppSec program. To figure out whether the bundle will save you time, start with your technical requirements for each tool. Once you’ve narrowed down your list, look for tools that provide a unified interface for the AppSec team that consolidates or de-duplicates findings. Not only will that make your team more efficient, it can also help you avoid investing in tools like application security posture management (ASPM) that exist to consolidate alerts when your tools don’t play well together. Finally, find out how much effort it takes to add each AST. AppSec teams often lack robust access to CI, so most organizations will want an installation experience where they don’t have to wire up each tool separately. Ideally, adding a tool should be as non-disruptive as possible to both the AppSec and development teams.
Bundling might not be for you if a single vendor can’t adequately meet your technical requirements. For example, you might need a traditional SAST tool but be unable to tolerate the noise of the same vendor’s SCA. It’s tempting to go with a cheaper bundle, but paying for components you never deploy leads to shelfware, so beware.