Full Report
Modern code runs in complex and distributed cloud environments. Wiz SAST meets this complexity by correlating code flaws with real cloud context, including where workloads run, what they can access, and how exposed they are.
Analysis Summary
The provided article focuses on the announcement and capabilities of **Wiz SAST**, a feature extension to the Wiz Application Security Posture Management (ASPM) platform. It does not describe traditional malware families, specific attack tools, or detailed adversary techniques (TTPs) in the context of active intrusion or exploitation. Instead, it details a **security product feature** designed for **proactive vulnerability detection and risk prioritization**.
This summary therefore describes the SAST tool itself, its integration techniques, and the proactive security posture management it enables, mapping the relevant vulnerability detection and code quality concepts to the MITRE ATT&CK framework where a detected weakness could lead to adversary action.
# Tool/Technique: Wiz SAST
## Overview
Wiz SAST (Static Application Security Testing) is a feature integrated into the Wiz ASPM platform. Its primary purpose is to scan application source code for vulnerabilities and correlate these static findings with real-time cloud context (deployment location, accessibility, permissions) using the Wiz Security Graph. This correlation aims to prioritize code flaws based on their actual runtime risk exposure rather than treating all findings equally.
## Technical Details
- Type: Tool / Security Solution Feature (Static Analysis)
- Platform: Software development artifacts (Source code, CI pipeline, Container images, Cloud workloads)
- Capabilities: static code scanning, vulnerability detection (e.g., CWE families), cloud context correlation, policy enforcement, ingestion of third-party scanner findings.
- First Seen: Public Preview announcement on December 2, 2025 (as per article date).
## MITRE ATT&CK Mapping
Since Wiz SAST is a defensive/detection tool focused on *potential* weaknesses in code, the ATT&CK mappings reflect the types of vulnerabilities it detects, which adversaries might exploit.
- **T1578 - Modify Existing Product or Software** (Relevant if the detected vulnerability allows code modification or insecure deployment configuration)
- *Note: SAST primarily detects weaknesses that map to the Initial Access or Execution phases if exploited, but the tool itself is defensive.*
- **T1059 - Command and Scripting Interpreter** (If SAST detects Code Injection vulnerabilities, e.g., OS Command Injection)
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- **T1505 - Supply Chain Compromise** (If detecting flaws that lead to insecure deployment)
- T1505.003 - Supply Chain Compromise: Compromise Software Dependencies (SCA relates to this, though SAST focuses on application code issues)
## Functionality
### Core Capabilities
- **Zero-Configuration Code-to-Cloud Mapping:** Automatically traces artifacts from Source code $\rightarrow$ CI pipeline $\rightarrow$ Container repository $\rightarrow$ Container image without requiring manual tagging or CI/CD modifications.
- **Unified Policy Engine:** Extends the existing Wiz policy engine to apply rules across code security findings, ensuring predictable enforcement.
- **Vulnerability Grouping:** Groups related weaknesses into common CWE families to address root causes rather than individual findings.
### Advanced Features
- **Contextual Risk Elevation:** Automatically prioritizes code flaws based on cloud context, such as:
1. Whether the resulting workload is internet-exposed.
2. Whether the code handles sensitive/regulated data.
3. Whether the code builds workloads with excessive privileges (e.g., sensitive hostPath mappings) or with reachable sensitive data.
- **Third-Party Ingestion:** Integrates and enriches findings from existing scanners like Checkmarx, Semgrep, and Snyk Code within the Wiz Security Graph.
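The code-to-cloud prioritization and CWE-family grouping described above, as an added illustration that is not Wiz code: SAST findings are joined to the workloads built from the same repository, each finding inherits the worst deployment context it reaches, and findings are then rolled up by family. The scoring weights, the CWE-to-family map, the sensitive hostPath list and the sample repositories and workloads are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical CWE-to-family grouping; a real product uses its own taxonomy.
CWE_FAMILY = {"CWE-22": "Path Traversal", "CWE-78": "Injection", "CWE-89": "Injection"}
# hostPath mounts that give a container control over its node.
SENSITIVE_HOST_PATHS = frozenset({"/", "/etc", "/proc", "/var/run/docker.sock"})

@dataclass(frozen=True)
class Finding:
    repo: str   # repository the scanner found the flaw in
    cwe: str

@dataclass(frozen=True)
class Workload:
    repo: str   # repository whose built image this workload runs
    name: str
    internet_exposed: bool
    sensitive_data: bool
    host_paths: tuple = ()

def context_score(w: Workload) -> int:
    privileged = any(p in SENSITIVE_HOST_PATHS for p in w.host_paths)
    return 2 * w.internet_exposed + w.sensitive_data + privileged  # exposure weighs double

def elevate(findings, workloads):
    """Rank findings by the worst context of any workload built from their repo."""
    by_repo = defaultdict(list)
    for w in workloads:
        by_repo[w.repo].append(w)
    ranked = []  # (score, cwe_family, finding, workload_name)
    for f in findings:
        targets = by_repo.get(f.repo)
        # code with no deployment link keeps its base priority (score 0)
        worst = max(targets, key=context_score) if targets else None
        score = context_score(worst) if worst else 0
        ranked.append((score, CWE_FAMILY.get(f.cwe, f.cwe), f, worst.name if worst else None))
    return sorted(ranked, key=lambda r: -r[0])

def group_by_family(ranked):
    """Root-cause view: CWE family -> highest context score among its findings."""
    out = defaultdict(int)
    for score, family, _, _ in ranked:
        out[family] = max(out[family], score)
    return dict(out)

# Constructed sample; the internal tool's repo has no deployed workload.
FINDINGS = [Finding("payments", "CWE-22"), Finding("payments", "CWE-89"),
            Finding("internal-tool", "CWE-78")]
WORKLOADS = [Workload("payments", "payments-api", True, True, ("/etc",)),
             Workload("payments", "payments-batch", False, True)]
```

Running `elevate(FINDINGS, WORKLOADS)` puts both payments findings first with score 4 (internet-exposed, sensitive data, /etc mounted) and leaves the undeployed internal tool's command injection at 0, which is the ordering a flat finding list cannot produce.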
## Indicators of Compromise
This section primarily details Indicators of *Configuration/Vulnerability* rather than active malware IoCs.
- File Hashes: N/A (Not applicable to a static analysis product)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Reports on potential runtime behaviors associated with exploited vulnerabilities (e.g., a workload being susceptible to Path Traversal, Code Injection, or SQL Injection if deployed).
## Associated Threat Actors
Wiz SAST is a defensive tool used by security teams (AppSec, Cloud Security) to secure environments against various threat actors who exploit application vulnerabilities. No specific threat actor is explicitly mentioned as **using** Wiz SAST; it is a commercial security product.
## Detection Methods
Wiz SAST itself is the detection mechanism for code flaws. Detection against the *exploitation* of these flaws relies on the context provided by the Wiz platform.
- Signature-based detection: Identifies known vulnerability patterns within source code (CWEs).
- Behavioral detection: Correlates code flaws with actual cloud configuration (e.g., detecting that a vulnerable component is running in an internet-facing, highly-privileged environment).
- YARA rules: Not mentioned in the context of the SAST engine itself.
## Mitigation Strategies
Mitigation is focused on vulnerability remediation guided by context.
- **Prioritization:** Focus engineering effort on high-risk vulnerabilities (e.g., Path Traversal in a publicly exposed workload) over low-risk findings buried in code.
- **Guided Remediation:** Provides clear ownership and guided fixes within the unified workflow.
- **Root Cause Analysis:** Remediate broader CWE families rather than addressing isolated findings.
- **ASPM Integration:** Use the unified graph to track remediation status from code commit through deployment.
## Related Tools/Techniques
- **Code Scanners (Ingested):** Checkmarx, Semgrep, Snyk Code.
- **Related Security Concepts:** Software Composition Analysis (SCA), Infrastructure as Code (IaC) scanning, Application Security Posture Management (ASPM).
- **Underlying Technology:** Wiz Security Graph (for context correlation).