Hackers of India

SASTRI: Plug and Play VM for SAST (Static Application Security Testing) Realtime Integration

Rushikesh D Nandedkar, Lalit Bhandari

2019/08/07

Abstract

Abiding by the new hot concept of "Secure By Design," SASTRI is a project carved out of the experiences, struggles and conflicts of product security engineers. It is an in-house SAST capability (a plug and play VM) we are proposing, to make security engineers' inputs more receivable and reachable to the product developers and the decision-makers, while making our products more and more secure. This will save a lot of security engineers' and DevOps experts' time when it comes to setting up and fine tuning the SAST tools.

Highlights of SASTRI are:

SASTRI is an effort towards making SAST tools available right at the time of unit testing of code, in an automated way. The reason is that, in most Agile flavors of development, security testing is done at the end of the sprint, leaving very little to no time for bug fixes. Also, the smaller time window for security testing results in "not so in-depth security testing" and "superficial fixes." On the other hand, introducing security testing right at the programming phase of the SDLC can help in:

Also, this effort can help reduce the apprehensions of security engineers about uploading source code to some vendor's server which they do not trust. The list of advantages is huge; we have tried to generalize them to the smallest count possible.
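The abstract's core idea is to run SAST in the same automated step as unit tests, so that findings block a build before the sprint ends rather than surfacing in a late security review. The script below is an added example, not code from the SASTRI project or its authors: it assumes the scanner writes its findings in the SARIF format (which many SAST tools can emit), parses that report, and returns a non-zero exit status when any finding reaches a chosen severity threshold. The SARIF document, the tool name `example-sast` and the rule ids `EX-001`..`EX-003` are constructed here so the example runs offline.

```python
"""Gate a unit-test stage on SAST findings (added example, not SASTRI's code).

Assumption: the SAST tool has written a SARIF 2.1.0 report. Only the standard
SARIF fields runs[].results[].{level,ruleId,message.text,locations} are read.
"""
import json
from collections import Counter

# Constructed sample SARIF report; the tool name and rule ids are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "EX-001", "level": "error",
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX-002", "level": "warning",
             "message": {"text": "Hard-coded temporary directory"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "EX-003", "level": "note",
             "message": {"text": "Consider a stricter type annotation"},
             "locations": []},
        ],
    }],
})

# SARIF result levels, ranked so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def parse_sarif(text):
    """Flatten a SARIF document into a list of finding dicts."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # A result may carry no location at all; fall back to an empty one.
            loc = res.get("locations") or [{}]
            phys = loc[0].get("physicalLocation", {})
            findings.append({
                "level": res.get("level", "warning"),  # SARIF's default when absent
                "rule": res.get("ruleId", "?"),
                "uri": phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": phys.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings):
    """Summary counter, e.g. for a one-line report in the CI log."""
    return Counter(f["level"] for f in findings)


def blocking(findings, threshold="error"):
    """Findings at or above the threshold severity (unknown levels count as warning)."""
    floor = LEVEL_RANK[threshold]
    return [f for f in findings if LEVEL_RANK.get(f["level"], 2) >= floor]


def should_fail(findings, threshold="error"):
    """True if the build should be failed for this report."""
    return bool(blocking(findings, threshold))


def gate(sarif_text, threshold="error"):
    """Print blocking findings in file:line form and return a process exit code."""
    hits = blocking(parse_sarif(sarif_text), threshold)
    for f in hits:
        print(f"{f['uri']}:{f['line']}: [{f['level']}] {f['rule']}: {f['message']}")
    return 1 if hits else 0


if __name__ == "__main__":
    # In a pipeline this would read the scanner's report file instead of the sample.
    raise SystemExit(gate(SAMPLE_SARIF, threshold="error"))
```

Running `gate` as the final command of the unit-test job (or from a pre-push hook) makes an error-level SAST finding fail the same run as a failing unit test, which is the "right at the time of unit testing" placement the abstract argues for; lowering the threshold to `warning` tightens the gate once the backlog of older findings has been cleared.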