Static Application Security Testing (SAST), or “white-box” testing, finds common vulnerabilities by performing a deep analysis of your applications without actually executing them.
Unique in the industry, our patented binary SAST technology analyzes all code — including third-party components and libraries — without requiring access to source code.
SAST supplements threat modeling and code reviews performed by developers, finding coding errors and omissions more quickly and at lower cost via automation. It’s typically run in the early phases of the Software Development Lifecycle because it’s easier and less expensive to fix problems before going into production deployment.
Identify vulnerabilities in custom and third-party code
SAST identifies critical vulnerabilities such as SQL injection, cross-site scripting (XSS), buffer overflows, unhandled error conditions and potential backdoors. Our binary SAST technology delivers actionable information that prioritizes flaws according to severity and provides detailed remediation information to help developers address them quickly.
SAST typically provides more comprehensive results than Dynamic Application Security Testing (DAST) because it tests the entire application, whereas DAST must first discover every individual execution path in the running application before it can test it.
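The analysis described above inspects a program's structure rather than running it. As an added illustration (not Veracode's product, and source-level rather than the binary analysis this page describes), the following Python pass walks a module's AST, flags SQL text assembled by concatenation or formatting at a DB-API `execute` sink and `except` blocks that silently swallow errors, and returns findings ranked by severity with remediation text. The sample module, the sink set, the rule ids and the severity labels are constructed for this example.

```python
"""Toy SAST pass: analyse a Python module's AST without executing it."""
import ast
from dataclasses import dataclass

# Constructed sample module (hypothetical code): two injectable queries,
# one parameterised query, and one swallowed exception.
SAMPLE_SOURCE = """\
def find_user(conn, name):
    cur = conn.cursor()
    # flaw: user input concatenated into the SQL text
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def find_user_fstring(conn, name):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    return cur.fetchone()

def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchone()

def load(path):
    try:
        return open(path).read()
    except OSError:
        pass
"""

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
SQL_SINKS = {"execute", "executemany"}  # assumed DB-API cursor sink methods


@dataclass
class Finding:
    line: int
    rule: str         # constructed rule id for this example, not a vendor or CWE id
    severity: str
    message: str
    remediation: str


def _contains_non_literal(node: ast.AST) -> bool:
    """True if a string expression tree has any part that is not a literal."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp):
        return _contains_non_literal(node.left) or _contains_non_literal(node.right)
    return True  # a name, attribute access or call: value decided at runtime


def _sql_built_dynamically(arg: ast.AST) -> bool:
    """Detect SQL text assembled at the call site from non-literal parts."""
    if isinstance(arg, ast.JoinedStr):  # f-string with interpolated values
        return any(isinstance(v, ast.FormattedValue) for v in arg.values)
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod)):
        return _contains_non_literal(arg)  # "..." + x  or  "... %s" % x
    if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute):
        return arg.func.attr == "format"  # "... {}".format(x)
    # A bare variable would need data-flow tracking, which this toy pass omits.
    return False


def scan(source: str, filename: str = "<sample>") -> list:
    """Return findings for one module, ordered by severity and then line."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _sql_built_dynamically(node.args[0])):
            findings.append(Finding(
                node.lineno, "SQLI-001", "High",
                "SQL statement built from dynamic values at a query sink",
                "Pass values as query parameters, e.g. execute(sql, (value,))"))
        if (isinstance(node, ast.ExceptHandler) and len(node.body) == 1
                and isinstance(node.body[0], ast.Pass)):
            findings.append(Finding(
                node.lineno, "ERR-001", "Low",
                "Exception caught and silently discarded",
                "Handle or log the error instead of passing"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))


def report(findings: list) -> str:
    """Render findings as one line each for a developer-facing report."""
    return "\n".join(f"{f.severity:8} line {f.line:>3}  {f.rule}: {f.message}. "
                     f"Fix: {f.remediation}" for f in findings)


if __name__ == "__main__":
    print(report(scan(SAMPLE_SOURCE)))
```

Run as a script it prints three findings, the two High-severity injection sites first, while the parameterised query in `find_user_safe` is correctly left alone. A production tool adds what this pass deliberately lacks: tracking a value from its source (an HTTP parameter) through variables and function calls to the sink, which is why a bare `cur.execute(query)` is not flagged here.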
FS-ISAC, an industry group formed by leading financial services firms, has recommended binary static analysis as one of three critical controls for reducing third-party software risk.
Veracode analyzes applications to identify vulnerabilities and classify them using standard NIST severity levels. Applications are scored using centralized risk-based policies.