Abstract
Abiding by the new hot concept of “Secure By Design”, SASTRI is a project carved out of the experiences, struggles and conflicts of product security engineers. It is an in-house SAST capability (a plug-and-play VM) we are proposing, to make security engineers’ inputs more receivable and reachable to the product developers, and indeed to the decision makers, in the process of making our products more and more secure. This will save security engineers and DevOps experts a lot of time in setting up and fine-tuning SAST tools.
Highlights of SASTRI are:
- Open source (hence free to edit and reconfigure).
- Presently capable of scanning Python, C and C++ programs.
- Almost zero understanding of security principles is required to “run” SASTRI. (For bug resolution, yes, a deep understanding is definitely required.)
- Automated bug reporting.
- Email alert for the issues reported.
- The same email carries an attached report in which the buggy code snippet is quoted along with the exact position of the bug.
- Easy-to-integrate approach.
SASTRI is an effort towards making SAST tools available right at the time of unit testing of the code, in an automated way. The reason is that in most Agile flavours of development, security testing is done at the fag end of the sprint, leaving very little to no time for bug fixes. As well, the small time window for security testing results in “not so in-depth security testing” and “superficial fixes”. Introducing security testing right at the programming phase of the SDLC, on the other hand, can help in:
- Finding vulnerabilities which are easy to exploit but difficult to mitigate.
- Finding vulnerabilities which are present due to complicated execution paths.
- Finding vulnerabilities specific to insecure configuration.
- Setting up basic secure code development principles amongst developers. (Trust me, this is the trickiest task, as most of the Devs are super possessive about their code and coding styles.)
As well, this effort can help reduce the apprehensions of security engineers about uploading source code to some vendor’s server which they do not trust. Practically, the list of advantages is huge; we have tried to generalize them to the smallest count possible.
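As an added illustration of the workflow the abstract describes (a scan run at unit-test time, a report that quotes the offending snippet with its exact position, and an email alert carrying that report as an attachment), here is a small Python sketch. It is not SASTRI’s own code: the three regex rules, the path app/service.py, the sample module and the email addresses are all constructed assumptions, and a real SAST engine would replace the toy rule set.

```python
"""Added illustration (not SASTRI's own code): run a tiny static check over
Python source at unit-test time, record every finding with its exact position
and code snippet, and package the findings as an email alert with the report
attached. Rules, file names and addresses are constructed assumptions."""
import re
from dataclasses import dataclass
from email.message import EmailMessage
from typing import List

# Toy rule set (regex -> description). Real SAST tools do far deeper analysis;
# these patterns only exist to make the reporting workflow concrete.
RULES = {
    "eval-call": (re.compile(r"\beval\s*\("), "use of eval() on possibly untrusted input"),
    "shell-true": (re.compile(r"shell\s*=\s*True"), "subprocess call with shell=True"),
    "hardcoded-secret": (re.compile(r"(?i)password\s*=\s*['\"][^'\"]+['\"]"), "hard-coded credential"),
}

@dataclass
class Finding:
    path: str
    line: int      # 1-based line number of the match
    col: int       # 1-based column where the match starts
    rule: str
    message: str
    snippet: str   # the offending source line, whitespace stripped

def scan_source(source: str, path: str) -> List[Finding]:
    """Apply every rule to every line; return findings with exact positions."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule, (pattern, message) in RULES.items():
            m = pattern.search(text)
            if m:
                findings.append(Finding(path, lineno, m.start() + 1, rule, message, text.strip()))
    return findings

def build_report(findings: List[Finding]) -> str:
    """Plain-text report: one block per finding, with path:line:col and the snippet."""
    if not findings:
        return "No findings.\n"
    lines = [f"{len(findings)} finding(s)\n"]
    for f in findings:
        lines.append(f"[{f.rule}] {f.path}:{f.line}:{f.col}  {f.message}\n    {f.snippet}\n")
    return "\n".join(lines)

def build_alert_email(findings: List[Finding], sender: str, recipients: List[str],
                      report_name: str = "sast-report.txt") -> EmailMessage:
    """Compose (but do not send) the alert mail with the report attached.
    Sending is a single smtplib.SMTP(...).send_message(msg) call in a real pipeline."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"[SAST] {len(findings)} finding(s) in latest scan"
    msg.set_content("Static analysis found issues; the attached report lists snippets and positions.")
    msg.add_attachment(build_report(findings), filename=report_name)
    return msg

def assert_clean(findings: List[Finding]) -> None:
    """Gate for a unit test: fail the test run as soon as any finding exists."""
    if findings:
        raise AssertionError("static analysis findings:\n" + build_report(findings))

# Constructed sample input standing in for a developer's module under test.
SAMPLE_SOURCE = '''\
import subprocess

def run(cmd):
    return subprocess.run(cmd, shell=True)

def compute(expr):
    return eval(expr)

DB_PASSWORD = "hunter2"
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE, "app/service.py")
    print(build_report(found))
    mail = build_alert_email(found, "sast@example.invalid", ["dev-team@example.invalid"])
    print(mail["Subject"])
```

Dropping `assert_clean(scan_source(...))` into an existing unit test is what moves the scan from the end of the sprint to the point where the developer first runs the tests; the email step is what makes the same result reachable to people who never open the CI console.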