
SecurityGuy TV| Discovering Hidden Security Issues in Code with Sonar Deeper SAST

Code Security | March 13th 2024 | 13:18 | Part of SCSE

A SecurityGuy TV collaboration demonstrating how Sonar's Deeper SAST engine traces data flows across multiple files and libraries to uncover security vulnerabilities that surface-level scanners overlook.

SecurityGuy TV hosted a conversation with Olivier Gaudin, CEO of SonarSource, and Johannes Dahse, Head of Research and Development, to discuss the company's recently announced Deeper SAST (Static Application Security Testing) technology. This detection engine addresses a critical gap in traditional SAST solutions by analyzing security issues across both custom code and dependency code holistically. The discussion revealed how modern software development practices have created new security challenges that conventional analysis tools fail to address.

The Limitations of Traditional SAST Tools

Traditional SAST tools have historically treated custom code and dependency code as entirely separate entities. Security analysis would focus exclusively on code written by developers while treating third-party libraries and dependencies as external elements to be verified through manual review or vulnerability databases. This approach misses a crucial security vulnerability vector: the interactions and combinations that occur when developers use dependency code in unique ways. Over 90% of modern software relies on open-source dependencies, yet developers often lack the time and expertise to thoroughly understand what code they are integrating. Deeper SAST changes this paradigm by analyzing the entire codebase—both custom and dependency code—as a unified whole, detecting vulnerabilities that emerge from specific interactions between different code components.
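To make the blind spot concrete, here is a small added illustration (not Sonar's engine, not any Sonar API, and not code from the video): a toy inter-procedural taint analysis written on top of Python's standard-library `ast` module. It runs twice over two constructed sample modules, once with only the developer's `app` module in scope and once with the `dbhelper` dependency included. The source and sink rules (`request.args.get` as a user-input source, any `.execute(...)` call as a SQL sink) and the module names are assumptions made for this example.

```python
"""Toy inter-procedural taint analysis on Python's `ast` module.
Added illustration only: not Sonar's Deeper SAST engine and not a Sonar API.
It shows why a scan limited to custom code misses a sink inside a dependency."""
import ast
from dataclasses import dataclass

# Constructed sample "files". `app` is the developer's code; `dbhelper` stands
# in for a third-party package the developer pulled in without reading it.
APP_CODE = '''
from flask import request
import dbhelper

def lookup_user():
    name = request.args.get("name")
    return dbhelper.find_by_name(name)
'''

DBHELPER_CODE = '''
import sqlite3

def find_by_name(name):
    conn = sqlite3.connect("app.db")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()
'''

# Hypothetical source/sink rules for this toy; a real engine ships thousands.
SOURCE_CALL = "request.args.get"   # call that returns attacker-controlled input
SINK_METHOD = "execute"            # any .execute(...) treated as a SQL sink

@dataclass(frozen=True)
class Finding:
    sink: str      # sink method name
    module: str    # module in which the sink call sits
    line: int      # line of that call within the module source
    path: tuple    # call chain from the entry point down to the sink

def dotted(node):
    """Render a Name/Attribute chain such as `request.args.get` as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

class TaintAnalyzer:
    """Tracks tainted variables through assignments, concatenation and calls,
    descending into a callee only when its module was handed to the analyzer."""

    def __init__(self, modules):
        # modules: {module_name: source_text}. Anything not listed is opaque.
        self.funcs = {}
        for mod, src in modules.items():
            for node in ast.parse(src).body:
                if isinstance(node, ast.FunctionDef):
                    self.funcs[(mod, node.name)] = node

    def analyze(self, module, func, tainted_params=(), path=()):
        """Return (findings, returns_taint) for one function body."""
        fn = self.funcs[(module, func)]
        path = path + (f"{module}.{func}",)
        tainted, findings, returns_taint = set(tainted_params), [], False
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign):
                if self._tainted(stmt.value, tainted, module, path, findings):
                    tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                returns_taint |= self._tainted(stmt.value, tainted, module, path, findings)
            elif isinstance(stmt, ast.Expr):
                self._tainted(stmt.value, tainted, module, path, findings)
        return findings, returns_taint

    def _tainted(self, node, tainted, module, path, findings):
        """True if `node` may carry user input; records sink hits as a side effect."""
        sub = lambda n: self._tainted(n, tainted, module, path, findings)
        if isinstance(node, ast.Name):
            return node.id in tainted
        if isinstance(node, ast.Attribute):
            return sub(node.value)
        if isinstance(node, ast.BinOp):            # "..." + name keeps the taint
            return sub(node.left) | sub(node.right)
        if isinstance(node, ast.Call):
            # Visit the receiver first so x.execute(q).fetchall() reaches the inner sink.
            recv = sub(node.func.value) if isinstance(node.func, ast.Attribute) else False
            args = [sub(a) for a in node.args]
            if dotted(node.func) == SOURCE_CALL:
                return True
            if isinstance(node.func, ast.Attribute) and node.func.attr == SINK_METHOD:
                if any(args):
                    findings.append(Finding(SINK_METHOD, module, node.lineno, path))
                return False
            if isinstance(node.func, ast.Attribute) and isinstance(node.func.value, ast.Name):
                key = (node.func.value.id, node.func.attr)
                if key in self.funcs:          # callee source available: descend into it
                    params = [p.arg for p in self.funcs[key].args.args]
                    callee_taint = {p for p, t in zip(params, args) if t}
                    sub_findings, ret = self.analyze(*key, callee_taint, path)
                    findings.extend(sub_findings)
                    return ret
            # Opaque call (source not analyzed): assumed to pass taint through but
            # to contain no sink of its own. That assumption is the blind spot.
            return recv or any(args)
        return False

def scan_custom_only():
    """Traditional scope: only the developer's module is analyzed."""
    return TaintAnalyzer({"app": APP_CODE}).analyze("app", "lookup_user")[0]

def scan_whole_program():
    """Custom and dependency code analyzed together as one program."""
    modules = {"app": APP_CODE, "dbhelper": DBHELPER_CODE}
    return TaintAnalyzer(modules).analyze("app", "lookup_user")[0]

if __name__ == "__main__":
    print("custom code only :", scan_custom_only())
    print("whole program    :", scan_whole_program())
```

With only `app` in scope the call into `dbhelper.find_by_name` is opaque, so the scan reports nothing even though user input clearly leaves the custom code. With both modules in scope the analyzer follows the tainted `name` parameter into the dependency and reports the string-concatenated `execute` call there, together with the call chain that reached it. Real engines replace the hand-written rules and the opaque-call heuristic with large rule sets and sound modelling, but the difference in scope is the point.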

Redefining Clean Code in Modern Development

The conversation emphasized that clean code has evolved beyond its traditional definition. SonarSource now defines clean code across four dimensions: consistency (uniform style and problem-solving approaches), intentionality (no logical errors, unused code, or unsanitized inputs), adaptability (code that remains changeable and maintainable), and responsibility (secure practices like avoiding hardcoded credentials). These principles reflect an evolution in how organizations must approach cyber hygiene—treating code quality as an ongoing state of readiness rather than a one-time achievement. As the hosts noted, this mirrors physical security concepts, where organizations must maintain constant preparedness against emerging threats.

Deeper SAST's Comprehensive Approach

Deeper SAST supports organizations in achieving clean code by detecting multiple categories of issues beyond traditional security vulnerabilities, including programming errors and logical flaws that may have security implications. The technology recognizes that security issues and code quality problems are deeply interconnected. By analyzing how developers intentionally—or unintentionally—use dependency code, Deeper SAST can identify critical vulnerabilities that arise from specific combinations of custom code and external libraries. This approach acknowledges that modern software development is inherently interconnected and that effective security analysis must reflect this reality.

Key Takeaways

  • Unified Code Analysis: Deeper SAST analyzes custom code and dependency code together, detecting security issues that emerge from interactions between the two rather than treating them as separate entities
  • Dependency Risk Recognition: Over 90% of modern software relies on open-source dependencies, making it critical to understand how developers use this code securely and intentionally
  • Clean Code as State: Clean code is defined as consistent, intentional, adaptable, and responsible—representing an ongoing state of cyber hygiene rather than a fixed achievement
  • Interconnected Issues: Security vulnerabilities and code quality problems are interconnected; comprehensive analysis must address both to achieve true code cleanliness
  • Holistic Security Approach: Effective modern security testing requires analyzing the complete codebase as a unified system rather than isolating custom code from dependency code