https://blog.rodolpheg.xyz/tags/sast/Recent content in SAST on Yet another infosec blogHugofr-frcontact@rodolpheg.xyz (0xRo)contact@rodolpheg.xyz (0xRo)Sat, 02 Aug 2025 00:00:00 +0000https://blog.rodolpheg.xyz/posts/code-auditing--101/Sat, 02 Aug 2025 00:00:00 +0000contact@rodolpheg.xyz (0xRo)https://blog.rodolpheg.xyz/posts/code-auditing--101/<h2 id="topics-covered">Topics covered</h2> <p>This post explores the evolution from manual code review to automated security testing, covering:</p> <ul> <li>The reality of manual code review and its limitations</li> <li>Understanding vulnerabilities vs weaknesses</li> <li>How SAST tools work under the hood</li> <li>Taint analysis and data flow tracking</li> <li>Sink-to-source vs source-to-sink methodologies</li> <li>Mitigation strategies: whitelisting vs blacklisting</li> <li>Dealing with false positives in practice</li> <li>Choosing and implementing SAST tools at scale</li> <li>The complementary relationship between manual and automated testing</li> </ul> <p>It&rsquo;s 3 AM. You&rsquo;re on your fifth cup of coffee, eyes bloodshot, staring at line 2,847 of a 10,000-line pull request. Somewhere in this maze of curly braces and semicolons lurks a SQL injection vulnerability that could bring down your entire application. Welcome to the glamorous world of manual code review!</p>