Static Application Security Testing (SAST)
ELI5 Explanation
SAST reads your code like a reviewer that never gets tired. It catches risky patterns before the app is deployed.
Technical Explanation
SAST analyzes source or compiled code for insecure coding constructs such as injection paths, weak cryptography, hardcoded secrets, and unsafe input handling. In Veracode, SAST findings can be policy-gated and tied to fix guidance for developers.
Visual
Hands-on Commands
veracode package --source ./app --output app.zip
veracode upload --app "orders-service" --file app.zip
veracode scan start --app "orders-service" --type sast
veracode findings list --app "orders-service" --status open
veracode policy check --app "orders-service"
Debugging Scenario
SAST reports SQL injection in a utility function used by many services. The team patches the shared library, adds a parameterized query wrapper, and enforces a lint rule to prevent recurrence.
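The scenario above, worked through as an added example that is not part of the original lesson or Veracode's own code: the flagged string-built query beside the parameterized wrapper that replaces it, plus a small regex lint rule (an assumed heuristic, not Veracode's rule engine) that catches SQL text being concatenated with input. The in-memory table and the sample source lines are constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def find_orders_unsafe(conn, customer):
    # The construct a SAST tool flags: untrusted input spliced into SQL text.
    sql = "SELECT id FROM orders WHERE customer = '%s'" % customer
    return [row[0] for row in conn.execute(sql)]

def run_query(conn, sql, params=()):
    # Shared-library wrapper: SQL text is constant, values travel as bind parameters.
    if not isinstance(params, (tuple, list)):
        raise TypeError("params must be a tuple or list")
    return conn.execute(sql, params).fetchall()

def find_orders_safe(conn, customer):
    rows = run_query(conn, "SELECT id FROM orders WHERE customer = ?", (customer,))
    return [row[0] for row in rows]

# Lint rule (assumed heuristic): a line that holds a SQL keyword inside a string
# literal AND builds that string with %, +, .format() or an f-string is reported.
# It can misfire on patterns like LIKE '%x%', which is one source of false positives.
_SQL_KW = re.compile(r"""["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b""", re.I)
_CONCAT = re.compile(r"""(\bf["']|["']\s*(%|\+)\s*|\.format\()""")

def lint_sql_lines(lines):
    # Returns 1-based line numbers of source lines that violate the rule.
    return [n for n, line in enumerate(lines, 1)
            if _SQL_KW.search(line) and _CONCAT.search(line)]

# Constructed source lines: the original helper and its parameterized replacement.
SAMPLE_LINES = [
    'sql = "SELECT id FROM orders WHERE customer = \'%s\'" % customer',
    'rows = run_query(conn, "SELECT id FROM orders WHERE customer = ?", (customer,))',
]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", find_orders_unsafe(db, probe))   # every row leaks
    print("safe:  ", find_orders_safe(db, probe))     # no customer named that
    print("lint flags lines:", lint_sql_lines(SAMPLE_LINES))
```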
Interview Questions
Beginner
- What is SAST?
- When should SAST run in the pipeline?
- Can SAST find runtime issues?
- Why are false positives possible?
- Give two vulnerabilities SAST can detect.
Intermediate
- How do you tune SAST policies by repository?
- How do you prevent blocking on low-risk findings?
- How do you map findings to code owners?
- How do incremental scans improve speed?
- How do you combine SAST with code review?
Scenario-based
- SAST fails the release due to legacy findings. How do you proceed safely?
- A critical issue is found hours before go-live. What is the mitigation path?
- Developers claim scanner slowdown harms productivity. What changes help?
- Multiple apps share the same vulnerable helper. How do you coordinate the fix?
- Policy fails for one branch only. What root causes do you inspect?
Real-world Use Case
An insurance firm integrated SAST into PR checks and reduced security defects discovered in UAT by 45%.
Summary
SAST finds code-level vulnerabilities before deployment and lowers remediation cost. Next lesson covers DAST for runtime attack surface testing.