A SAST Story: Effectively Adopting Static Analysis for Profit

BSides Philly, published 2020-12
Category: Technical
Style: Talk
About this talk
Static Application Security Testing (SAST) solutions have been used by enterprises for over two decades. While such solutions are considered necessary in any development shop, the technology has been notorious for reporting a high volume of false positives. This problem is especially significant in larger codebases and legacy applications. However, with the right skills, process and a little bit of time, teams can extract a lot more value from SAST tools. While SAST tools might sound like plug-and-play solutions, they require constant care and maintenance to achieve optimal return on investment (ROI). This talk is a discussion of the various techniques that allow teams to use SAST offerings to their maximum potential. It also covers ideas for designing processes that not only help teams use SAST tools effectively, but also prevent various categories of vulnerabilities from being introduced into the code in the first place.