Session

Log4Shell: Where were your bug detection tools?

Industry data suggests that static analysis (SAST) tools detect only 14% of the vulnerabilities that are ultimately found.

The vulnerable code behind Log4Shell (CVE-2021-44228) was introduced into Log4j as a feature in 2013. In the nearly decade-long interval since then, the popular and ubiquitous Log4j code underwent many security scans and code reviews. Sadly, none of the existing SAST tools detected it. This experience mirrors what happened with the Heartbleed bug (CVE-2014-0160). It was introduced into the popular OpenSSL library in 2012 and was not discovered until 2014. It, too, had gone through many bug detection efforts, but the problem remained undetected.

Why do existing bug detection tools keep falling short? What fundamental changes need to occur within current SAST technology to find the next bug before it creates the next hot mess?

Munawar Hafiz

Champion of Intelligent Code Repair and improving DevSecOps gaps

Santa Clara, California, United States
