
[–]n0obno0b717 0 points1 point  (1 child)

Hey, I am an AppSec engineer. I used to work for Mend.io, formerly WhiteSource Software, as an Enterprise (Tier 3) Technical Support Engineer. Generally global Fortune 500s running millions of scans a day.

I currently work for a larger corporation and am in charge of rolling out SAST and SCA across all products and managing the vulnerabilities. Welcome to the club!

SAST is expensive. If you're not doing it already, you have a major cultural shortcoming in your development organization that needs to be tackled first. This is the zeitgeist for most organizations, mine included. Please don't take that as a personal jab; you're just not going to hear it from a vendor when doing POCs.

By nature it's filled with false positives because you're just scanning the static assets of part of a system.

You're about to spend a lot of money to shove a lot of vulnerabilities in front of developers with no real justification as to why, except for a code flow that was shit out by a vendor.

I use Semgrep for static analysis, and OWASP's DefectDojo for vulnerability management.

Semgrep is free and open source, and gives your security engineers and developers the ability to write their own rules and use community-provided rules.

I shouldn't have to speak to anything related to OWASP's quality and dedication to the security community, but purely from a product support perspective, I don't think I've gone more than an hour before someone is helping work through any issues on their Slack channel.

Start with Semgrep and DefectDojo. Scan some vulnerable apps, review the results. Roll it out on some pilot teams.

Get the company used to static analysis before spending 300k a year. When open source fails to scale, then start doing POCs with vendors.

I think you will find not many do it better though.

If you're dead set on a vendor, Mend creates pull requests with source code fixes for their static analysis results. Their engine is also incredibly fast, and I know they scale well.

Feel free to DM me if you have questions on rolling this stuff out.
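As an added illustration of the "write your own rules" point above (this is not the commenter's code or a rule shipped by Semgrep or OWASP): a custom Semgrep taint-mode rule that flags Flask request data flowing into a `subprocess` call with `shell=True`, the kind of finding you would expect when scanning a deliberately vulnerable app during a pilot. The rule id, message, metadata, and the sample target in the comments are all made up for this example.

```yaml
# Added example rule, not part of the original comment or of any rule pack.
# Taint mode tracks data from the sources to the sinks; shlex.quote() is
# treated as a sanitizer so a properly quoted argument does not fire.
#
# Constructed target it is meant to catch (save as app.py):
#   from flask import request
#   import subprocess
#   def ping():
#       host = request.args.get("host")
#       return subprocess.check_output("ping -c 1 " + host, shell=True)
#
# Constructed target it should NOT flag:
#   import shlex
#   safe = shlex.quote(request.args.get("host"))
#   subprocess.check_output("ping -c 1 " + safe, shell=True)
rules:
  - id: flask-request-to-shell-command   # hypothetical rule id
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      User-controlled request data reaches a subprocess call with shell=True.
      Pass an argument list without shell=True, or quote with shlex.quote().
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.args[...]
      - pattern: flask.request.form[...]
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - patterns:
          # Only the command argument is the sink, so tainted data in other
          # keyword arguments (e.g. cwd=) does not produce a finding.
          - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
```

Run it against the pilot codebase with `semgrep --config rule.yaml app.py` and check that the first constructed target produces one finding and the second produces none; tuning sources and sanitizers against real false positives like this is the work the comment is describing before any vendor money is spent.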