
SalesforceBen: DigitSec CEO explains “Why SAST Isn’t Fast for DevOps”

The false-positive problem: yes, it can be fixed.

SalesforceBen invited our founder, Waqas Nazir, to share his perspective on the blizzard of false positives facing many Salesforce developers when they test code. Is it really necessary to spend so much time chasing down nonexistent issues?

Waqas, after all, is one of the world’s top SaaS security experts, and he is familiar with the static application security testing (SAST) offerings used to discover security flaws in source code. He has also patented S4, DigitSec’s comprehensive approach to the problem.

The blog post went live in July and walks readers through why Source Code Analysis (SAST) alone slows development and doesn’t thoroughly secure your Salesforce org.

You can read the entire article, but we’ll summarize the key points for you:

- Because source code analysis must err on the side of caution, every SAST tool generates a daunting number of false-positive findings, fatiguing your dev team and clogging up your pipeline.

- To be effective, SAST tools need to be paired with a runtime testing engine that performs interactive application security testing (IAST). This verifies whether SAST findings are actually exploitable and can detect critical injection flaws such as cross-site scripting (XSS) or SOQL injection.

- SAST must also be paired with Software Composition Analysis (SCA) to scan your development environment and org for third-party software libraries with publicly reported security flaws, known as Common Vulnerabilities and Exposures (CVEs). Software supply chain attacks such as SolarWinds and Codecov have dominated the news in recent months because of their wide-ranging impact on the thousands of companies in those supply chains.
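The false-positive point in the first bullet, and the reason the second bullet asks for exploitability verification, can be made concrete with a toy analyzer. The Python below is an added example, not code from the SalesforceBen article, from DigitSec’s S4, or from any real SAST product. The three Apex snippets are constructed for the demo; the rule names (`naive_sast`, `taint_aware_sast`) are hypothetical. It shows a cautious pattern rule flagging every dynamic SOQL query (one true positive, two false positives) and a slightly smarter rule that treats `String.escapeSingleQuotes()` and bind variables as safe, which clears the false positives in this corpus.

```python
import re

# Constructed Apex snippets (not from the page). Each runs dynamic SOQL via
# Database.query(); only the first concatenates raw user input into the query.
APEX_VULNERABLE = r"""
public static List<Account> findByName(String userInput) {
    String q = 'SELECT Id FROM Account WHERE Name = \'' + userInput + '\'';
    return Database.query(q);
}
"""

APEX_ESCAPED = r"""
public static List<Account> findByName(String userInput) {
    String q = 'SELECT Id FROM Account WHERE Name = \''
        + String.escapeSingleQuotes(userInput) + '\'';
    return Database.query(q);
}
"""

APEX_BIND = r"""
public static List<Account> findByName(String userInput) {
    String q = 'SELECT Id FROM Account WHERE Name = :userInput';
    return Database.query(q);
}
"""

# (label, code, ground truth) -- the ground truth is what a runtime check
# such as IAST would establish; a SAST rule only guesses at it.
CORPUS = [
    ("raw concatenation", APEX_VULNERABLE, True),
    ("escapeSingleQuotes", APEX_ESCAPED, False),
    ("bind variable", APEX_BIND, False),
]

DYNAMIC_SOQL = re.compile(r"Database\.query\(\s*[A-Za-z_]\w*\s*\)")
# Operands of a '+' chain: everything between one '+' and the next '+' or ';'.
CONCAT_OPERAND = re.compile(r"\+\s*([^+;]+?)\s*(?=\+|;)")
SANITIZER = re.compile(r"^String\.escapeSingleQuotes\(\s*[A-Za-z_]\w*\s*\)$")


def naive_sast(snippet: str) -> bool:
    """Cautious rule: any Database.query() with a variable argument is a finding."""
    return DYNAMIC_SOQL.search(snippet) is not None


def tainted_operands(snippet: str) -> list:
    """Return concatenation operands that are neither string literals nor
    wrapped in String.escapeSingleQuotes(). Whitespace is collapsed first so
    multi-line concatenations are analysed as one expression."""
    flat = " ".join(snippet.split())
    tainted = []
    for match in CONCAT_OPERAND.finditer(flat):
        operand = match.group(1).strip()
        if operand.startswith("'"):      # string literal, attacker has no say
            continue
        if SANITIZER.match(operand):     # escaped before reaching the query
            continue
        tainted.append(operand)
    return tainted


def taint_aware_sast(snippet: str) -> bool:
    """Flag dynamic SOQL only when an unescaped operand is concatenated in.
    Bind variables (':name' inside the literal) never appear as operands, so
    they are treated as safe. This is still static guesswork: the rule cannot
    tell whether escapeSingleQuotes() is the right sanitizer for the position
    the input lands in, which is exactly what runtime verification checks."""
    return naive_sast(snippet) and bool(tainted_operands(snippet))


def evaluate(rule, corpus=CORPUS) -> dict:
    """Score a rule against the corpus' ground truth."""
    tp = fp = fn = 0
    for _, code, vulnerable in corpus:
        flagged = rule(code)
        if flagged and vulnerable:
            tp += 1
        elif flagged:
            fp += 1
        elif vulnerable:
            fn += 1
    return {"true_positives": tp, "false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    for name, rule in (("naive", naive_sast), ("taint-aware", taint_aware_sast)):
        print(f"{name:12s} {evaluate(rule)}")
```

Run as a script it prints the triage numbers for both rules; in a real pipeline the leftover findings from even the better rule would go to a runtime check before anyone spends time on them, which is the DevSecOps workflow the article argues for.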

Waqas concludes by making the case that teams must embrace Salesforce DevSecOps and integrate security testing at multiple points along their CI/CD pipeline to save time and reduce risk. By testing early and often, you can significantly lower costs while dramatically reducing the number of vulnerabilities that could expose your Salesforce org to a breach.

DigitSec is proud of Waqas’ contribution to the Salesforce community via SalesforceBen. We’re looking forward to sharing more collaborations in the future!


DigitSec

DigitSec brings four scans to protect Salesforce: Source Code Analysis, Custom Runtime Testing, Software Composition Analysis, & Cloud Security Configuration Review. #DevOps
