Abstract
Abiding by the new hot concept of “Secure By Design,” SASTRI is a project carved out of the experiences, struggles and conflicts of product security engineers. It is an in-house SAST capability (a plug-and-play VM) that we are proposing, to make security engineers’ inputs more receivable and reachable to the product developers and the decision-makers, while making our products more and more secure. This will save a lot of security engineers’ and DevOps experts’ time when it comes to setting up and fine-tuning the SAST tools.
Highlights of SASTRI are:
- Open source (hence free to edit and reconfigure)
- Presently capable of scanning Python, C, C++ programs
- Almost zero understanding of security principles is required to “run” SASTRI (for bug resolution, yes, a deep understanding is definitely required)
- Automated bug reporting
- Email alert for the issues reported
- The same email carries the report as an attachment, showing the buggy code snippet together with the exact position of the bug
- Easy to integrate approach
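As an added illustration of the automated reporting and email alert highlights above (this is example code written for this page, not SASTRI's own implementation), the block below takes scanner findings in a simple constructed JSON-like shape (file, line, column, rule, severity, message), renders each finding as a numbered snippet with a caret under the exact column, and packs the report into an email with the report as a text attachment. The source file, the findings and the SMTP host are all constructed sample values; a real deployment would feed in the output of whatever scanner SASTRI runs.

```python
"""Render SAST findings into an email report with the buggy snippet and exact position.

Added example for this page; not SASTRI's own code. The finding shape below is an
assumption chosen for the example, not the output format of any particular scanner.
"""
import smtplib
from email.message import EmailMessage

# Constructed sample source and findings (not real project data).
SAMPLE_SOURCE = {
    "app/db.py": (
        "import sqlite3\n"
        "\n"
        "def lookup(conn, user):\n"
        "    q = \"SELECT * FROM users WHERE name = '\" + user + \"'\"\n"
        "    return conn.execute(q)\n"
    ),
}
SAMPLE_FINDINGS = [
    {"file": "app/db.py", "line": 4, "col": 9, "rule": "SQLI-001", "severity": "HIGH",
     "message": "SQL query built by string concatenation with untrusted input"},
    {"file": "app/db.py", "line": 1, "col": 1, "rule": "IMPORT-INFO", "severity": "LOW",
     "message": "sqlite3 in use; confirm parameterised queries are enforced"},
]
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def snippet(source: str, line: int, col: int, context: int = 1) -> str:
    """Return the offending line with `context` lines around it and a caret under `col` (1-based)."""
    lines = source.splitlines()
    lo, hi = max(1, line - context), min(len(lines), line + context)
    out = []
    for n in range(lo, hi + 1):
        marker = ">" if n == line else " "
        prefix = f"{marker}{n:4d} | "
        out.append(prefix + lines[n - 1])
        if n == line:
            # Caret sits under the reported column so the developer sees the exact spot.
            out.append(" " * (len(prefix) + col - 1) + "^")
    return "\n".join(out)


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'HIGH': 1, 'LOW': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def render_report(findings, sources) -> str:
    """Plain-text report: one block per finding, highest severity first."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["file"], f["line"]))
    blocks = []
    for f in ordered:
        header = f"{f['file']}:{f['line']}:{f['col']} [{f['severity']}] {f['rule']}: {f['message']}"
        body = snippet(sources[f["file"]], f["line"], f["col"]) if f["file"] in sources else "(source unavailable)"
        blocks.append(header + "\n" + body)
    return "\n\n".join(blocks) + "\n"


def build_email(findings, sources, sender: str, recipient: str) -> EmailMessage:
    """Email with a short summary in the body and the full report attached as text."""
    counts = summarize(findings)
    msg = EmailMessage()
    msg["Subject"] = f"[SASTRI] {len(findings)} finding(s): " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("SAST scan finished. Findings by severity: " + str(counts) + "\nFull report attached.\n")
    msg.add_attachment(render_report(findings, sources).encode("utf-8"),
                       maintype="text", subtype="plain", filename="sast_report.txt")
    return msg


def send(msg: EmailMessage, host: str = "smtp.example.invalid", port: int = 25) -> None:
    """Deliver via SMTP; host/port are placeholders and must be configured for a real setup."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Offline demonstration: print what would be attached; send() is not called here.
    print(render_report(SAMPLE_FINDINGS, SAMPLE_SOURCE))
```

The caret line is computed from the same prefix width used for the numbered source line, so the column stays correct regardless of how wide the line numbers get; that is the detail that usually goes wrong when reports are assembled by hand.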
SASTRI is an effort towards making SAST tools available right at the time of unit testing of code, in an automated way. The reason is that, in most Agile flavors of development, security testing is done at the end of the sprint, leaving very little to no time for bug fixes. Also, the smaller time window for security testing results in “not so in-depth security testing” and “superficial fixes.” By contrast, introducing security testing right at the programming phase of the SDLC can help in:
- Finding vulnerabilities which are easy to exploit but difficult to mitigate
- Finding vulnerabilities which are present due to complicated execution paths
- Finding vulnerabilities specific to insecure configuration
- Setting up basic secure code development principles amongst developers (trust me, this is the trickiest task, as most developers are super possessive about their code and coding styles)
Also, this effort can help reduce the apprehensions of security engineers about uploading source code to some vendor’s server which they do not trust. The list of advantages is huge; we have tried to generalize them to the smallest count possible.