
Xcalscan User Manual (Release 2.0.0)

What is Xcalscan?

1.2 What is SAST?

latest update: 2021-06-15

Static Application Security Testing (SAST), or static analysis, is a process of source code analysis during which the program is not executed. In essence, it is the process of examining code and analysing how data flows through the application before it is run. This process can be applied at multiple phases of the Software Development Life Cycle (SDLC), such as the coding phase, the pre-testing phase, and major project checkpoints. Static analysis is an important part of quality assurance and formal code reviews. When static analysis is integrated into the development process, defects are found earlier, when they are cheapest to fix. It supports development teams by identifying vulnerabilities and categorizing them into risk levels. Knowing which risks are most urgent allows the team to prioritize remediation.

A false positive is a test result which wrongly indicates that a particular condition or attribute is present. Dealing with “false positives” in the results from SAST tools takes a lot of time and effort. Keeping false positives to a minimum is critical to improving test efficiency in the SDLC process. This way, the development team is able to focus on identifying and fixing real vulnerabilities.

Xcalibyte has adopted a completely different approach to code analysis technology compared to other SAST tools. Traditional static code analysis techniques use pattern-matching based analysis performed in the initial stages of the compiler process. Xcalscan uses an in-depth approach based on data flow and sensitivity analysis at the intermediate representation layer, which sits later in the compilation pipeline. In most cases, we are able to obtain greater accuracy than traditional analytical techniques, which leads to fewer false positives and reduces the time spent validating scan results.
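The following is an added illustration of the difference described above; it is not part of the Xcalscan manual or product. It runs a regex-style pattern check and a small intraprocedural taint tracker (built on Python's ast module) over a constructed snippet in which the same sink is called once with a constant and once with user-controlled data. The source and sink lists are assumptions chosen for the demonstration.

```python
import ast
import re

# Constructed sample: the same sink is called once with a constant and once with
# user-controlled data. SOURCE_FUNCS / SINK_FUNCS are assumed, not Xcalscan's rules.
SAMPLE = '''
import os
def list_dir():
    cmd = "ls /tmp"
    os.system(cmd)  # constant argument: not a vulnerability
def run():
    raw = input("cmd> ")
    cmd = "echo " + raw
    os.system(cmd)  # user-controlled argument: real finding
'''
SOURCE_FUNCS = {"input"}
SINK_FUNCS = {"os.system"}

def pattern_match(src):
    """Textual pattern check: reports every sink call, so the constant-argument call is a false positive."""
    return [i for i, line in enumerate(src.splitlines(), 1) if re.search(r"\bos\.system\(", line)]

def _qualname(node):  # dotted call target such as "os.system", else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source function."""
    return any((isinstance(n, ast.Name) and n.id in tainted)
               or (isinstance(n, ast.Call) and _qualname(n.func) in SOURCE_FUNCS)
               for n in ast.walk(expr))

def data_flow(src):
    """Forward taint propagation per function: a sink is reported only if a source reaches it."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and _tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            elif (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                  and _qualname(stmt.value.func) in SINK_FUNCS
                  and any(_tainted(a, tainted) for a in stmt.value.args)):
                findings.append(stmt.lineno)
    return findings
```

On the sample, pattern_match reports both sink calls (lines 5 and 9 of the snippet) while data_flow reports only line 9, where the input() result actually reaches os.system.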