This document discusses static application security testing (SAST) and how it can help detect vulnerabilities in code. It provides background on how code bases and error densities are growing over time. It then discusses various standards and classifications for weaknesses and vulnerabilities, such as CWE, CVE, MISRA, and SEI CERT. It emphasizes that SAST tools can help detect vulnerabilities early and provide coverage of entire code bases, but may produce false positives. Finally, it suggests introducing SAST tools correctly through configuration, continuous integration, and addressing warnings as technical debt.