SAST Fundamentals
Methodology
Static Application Security Testing (SAST) analyzes source code to identify vulnerabilities without executing the application. It's a white-box approach that finds bugs early in the SDLC.
Code Review Methodology
Top-Down Approach
- Start from entry points (controllers, APIs)
- Follow data flow through the application
- Track user input to dangerous sinks
- Good for understanding business logic
Bottom-Up Approach
- Search for dangerous functions
- Trace back to find user input
- grep for SQL, exec, eval, etc.
- Quick wins for common vulns
Dangerous Functions to Search
```bash
# -E enables extended regex so "|" means alternation; without it grep
# searches for the literal string "execute|executeQuery|rawQuery".
# Dots are escaped so "os\.system" does not also match "os_system".

# SQL Injection sinks
grep -rnE "execute|executeQuery|rawQuery" --include="*.java"
grep -rnE "cursor\.execute|raw|extra" --include="*.py"
grep -rnE "query|exec|prepare" --include="*.php"
# Command Injection sinks
grep -rnE "Runtime\.exec|ProcessBuilder" --include="*.java"
grep -rnE "os\.system|subprocess|popen" --include="*.py"
grep -rnE "exec|system|passthru|shell_exec" --include="*.php"
# XSS sinks
grep -rnE "innerHTML|document\.write|eval" --include="*.js"
grep -rnE "dangerouslySetInnerHTML" --include="*.jsx"
# Deserialization
grep -rnE "ObjectInputStream|readObject" --include="*.java"
grep -rnE "pickle\.loads|yaml\.load" --include="*.py"
grep -rnE "unserialize|json_decode" --include="*.php"
# Path Traversal
grep -rnE "new File|FileInputStream|Paths\.get" --include="*.java"
grep -rnE "open|read|send_file" --include="*.py"
```
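The grep searches above are the bottom-up step: they return every line that mentions a sink, tainted or not. The top-down step then decides which of those candidates actually receive user input. The following is an added example (not part of the original page) that shows both steps on a small constructed Python file: a grep-equivalent that lists candidate lines, and a minimal `ast`-based source-to-sink check that only reports a sink when one of its arguments is derived from a user-controlled source. The sink list, source list, and sample program are assumptions chosen for illustration; a real SAST engine tracks flow across functions and through containers, which this toy check does not.

```python
"""Bottom-up (find sinks) plus top-down (trace user input) on one sample file.

Added example; SINKS, SOURCES and SAMPLE_SOURCE are constructed for
illustration and are not taken from any real project.
"""
import ast
import re

# Constructed sample program under review (never executed, only parsed).
SAMPLE_SOURCE = '''
import os
import subprocess
from flask import request

def ping(request):
    host = request.args.get("host")      # user-controlled source
    cmd = "ping -c 1 " + host
    os.system(cmd)                       # sink reached by tainted data

def list_dir():
    path = "/var/log"
    subprocess.run(["ls", path])         # sink, but constant input only

def run_query(cursor):
    user = request.args["user"]
    cursor.execute("SELECT * FROM t WHERE u = " + user)   # tainted sink
'''

# Dangerous sinks as dotted call names (assumed list for this example).
SINKS = {"os.system", "subprocess.run", "subprocess.Popen", "cursor.execute"}
# Expressions whose value is attacker-controlled (assumed list).
SOURCES = {"request.args.get", "request.args", "request.form", "input"}
# The grep-style pattern for the same sinks, used by grep_candidates().
SINK_PATTERN = re.compile(r"os\.system|subprocess\.(run|Popen)|cursor\.execute")


def grep_candidates(source):
    """Bottom-up step: line numbers of every line mentioning a sink (grep equivalent)."""
    return [i for i, line in enumerate(source.splitlines(), 1) if SINK_PATTERN.search(line)]


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for other expressions."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(node, tainted):
    """True if the expression reads a known source or an already-tainted variable."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Attribute) and dotted_name(sub) in SOURCES:
            return True
        if isinstance(sub, ast.Call) and dotted_name(sub.func) in SOURCES:
            return True
    return False


def analyze(source):
    """Top-down step: for each sink call, report whether an argument is tainted.

    Returns (function, sink, line, tainted) tuples. Taint is tracked per
    function, statement by statement, through simple assignments only.
    """
    tree = ast.parse(source)
    findings = []
    for func in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            # Propagate taint: x = <expr involving a source or tainted name>
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        tainted.add(target.id)
            # Check every call in this statement against the sink list
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                name = dotted_name(call.func)
                if name in SINKS:
                    hit = any(is_tainted(arg, tainted) for arg in call.args)
                    findings.append((func.name, name, call.lineno, hit))
    return findings


def confirmed(source):
    """Only the sink calls where user input actually reaches the sink."""
    return [f for f in analyze(source) if f[3]]


if __name__ == "__main__":
    print("grep candidates (lines):", grep_candidates(SAMPLE_SOURCE))
    for func, sink, line, hit in analyze(SAMPLE_SOURCE):
        print(f"{func}:{line} {sink} -> {'TAINTED' if hit else 'constant input'}")
```

Running it, the grep step flags three lines (9, 13 and 17), while the flow-aware step confirms only two: `os.system` in `ping` and `cursor.execute` in `run_query`. The `subprocess.run` call in `list_dir` is the kind of bottom-up false positive the top-down trace exists to eliminate.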