Finding coding errors early in the development life cycle saves organizations time and money and makes applications more secure: a bug caught during development costs far less than one caught after release, and the code is written securely as it is created. One way to catch code flaws sooner is through the use of Static Application Security Testing (SAST) tools.
SAST tools offer organizations a number of benefits. They scale well. They can be run on software written in a variety of languages. They can be run repeatedly, too, such as during overnight builds. They can be easily integrated into Integrated Development Environments (IDEs). They can also identify common errors, such as buffer overflows, XSS problems and SQL injection flaws. What’s more, after they find an error, they can make life easier for developers by identifying the source files, line numbers, and even subsections of lines containing the error. However, the tools have their weaknesses, too, which is why they should be used in conjunction with other error-finding solutions. SAST tools aren’t adept, for example, at finding authentication problems, access control issues, configuration flaws, and bad cryptography. In addition, some of them produce too many false positives and have difficulty analyzing code that can’t be compiled. It can also be challenging to determine whether a reported security issue is an actual vulnerability. There are a number of SAST tools—both commercial and open source—available to organizations. Here are five of the most popular in each category.
This SAST tool made by Micro Focus can be harder than some other solutions to integrate into your software development lifecycle, although it does support IDEs, build tools, code repositories, and bug trackers. Once it’s set up, though, both developers and security practitioners will like its performance. It produces understandable and traceable vulnerability information, supports 25 languages, and makes it easy to clean out false positives manually. What’s more, it can provide scan information fast, eliminating the need for partial or incremental scans. On the downside, some users have complained online about difficulty troubleshooting problems with Fortify’s support people and about out-of-date documentation.
In addition to SAST, Veracode’s solution supports Dynamic Application Security Testing and Software Composition Analysis, as well as manual penetration testing. Better yet, an application’s status across all testing can be seen through a single dashboard. The app is designed for developers, and includes an API for customizing the software. When it finds a vulnerability, it provides tips for fixing it. If you’re a Jira user, Veracode will open tickets with the appropriate development teams when it finds flaws in your code, which can also be helpful in generating valuable statistical information about your applications. According to Veracode, developers working in DevSecOps environments fix errors 11 times faster with its solution than other developers.
CxSAST is part of Checkmarx’s Software Exposure Platform, which is designed to address software security risk throughout the software development lifecycle. It can identify hundreds of security vulnerabilities in both custom and open source components and supports more than 25 coding and scripting languages. However, some users have complained that better mobile language support is needed, especially support of Xamarin. Another user sore point is the cost of the software’s professional services. Most common plugins work well with the software and its integrations are solid, especially with build servers like Jenkins. It can also perform scans without building code.
IBM recently sold AppScan to HCL. The software lets an organization implement a scalable security testing strategy that can pinpoint and remediate application vulnerabilities in every phase of the development lifecycle. It can test web, mobile, and open source software and provides management and reporting tools for multi-user, multi-app deployments. Deployment options are flexible and include on-premise, cloud, and hybrid offerings. Users have praised the software for its low rate of false positives and its ability to counter application attacks, as well as protect data. It has been criticized for having an “unintuitive and hulking interface” and a support library that’s vast but difficult to navigate.
Reshift is free for open source projects and paid for all private projects. It is a developer-first security tool built to work within existing developer environments without slowing the pipeline. It integrates with GitHub, Bitbucket, and GitLab, where it can simply sync projects and run scans on every build. In addition, it allows custom security policy settings for the number of critical, moderate, and high issues tolerated, and it will fail the build if a threshold is exceeded.
This software is a free vulnerability scanner designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development. Users have praised the program for the speed and accuracy of its scans and for providing remediation information that’s easy for developers to understand.
Development teams working with Node.js can use NodeJsScan to scan their code. The software has a command line interface for easy integration with DevSecOps CI/CD pipelines. It produces results in JSON and supports a number of programming languages, including Java, C++, C#, VB, PHP, and PL/SQL. A configuration file is available for each language, which can be modified for customized searches. Overviews of individual files, as well as of an entire codebase, can be visualized through statistics and pie charts. The program can detect buffer overflows and flaws in Java code that may contain OWASP security risks.
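The two pipeline features described above, a scanner that emits JSON results from a CLI step and a policy that fails the build when per-severity thresholds are exceeded, combine into a simple CI gate. The script below is an added example, not code from Reshift, NodeJsScan or any other tool on this page; the report structure (`findings` with `severity`, `file`, `line`, `rule`) and the threshold values are constructed assumptions, so adapt the parsing to the real output of whatever scanner you run.

```python
import json

# Constructed sample SAST report. The schema is an assumption for this example,
# not the actual output format of Reshift, NodeJsScan or any other tool.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"file": "src/db.js",   "line": 42, "severity": "critical", "rule": "sql-injection"},
        {"file": "src/view.js", "line": 17, "severity": "high",     "rule": "xss"},
        {"file": "src/util.js", "line": 5,  "severity": "moderate", "rule": "weak-random"},
        {"file": "src/util.js", "line": 9,  "severity": "moderate", "rule": "weak-random"},
        {"file": "src/log.js",  "line": 88, "severity": "low",      "rule": "info-leak"},
    ]
})

# Policy: maximum number of findings tolerated per severity before the build fails.
# Severities not listed (e.g. "low") are counted and reported but never block the build.
DEFAULT_POLICY = {"critical": 0, "high": 2, "moderate": 5}


def count_by_severity(report_json):
    """Parse a JSON report and count findings per severity (case-insensitive)."""
    counts = {}
    for finding in json.loads(report_json).get("findings", []):
        sev = str(finding.get("severity", "unknown")).lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def evaluate_policy(counts, policy):
    """Return (passed, violations); a violation is a severity whose count exceeds its limit."""
    violations = []
    for sev, limit in policy.items():
        found = counts.get(sev, 0)
        if found > limit:
            violations.append(f"{sev}: {found} found, limit {limit}")
    return (len(violations) == 0, violations)


def gate_build(report_json, policy=DEFAULT_POLICY):
    """Exit-code style result for a CI step: 0 = build passes, 1 = build fails."""
    counts = count_by_severity(report_json)
    passed, violations = evaluate_policy(counts, policy)
    print("findings by severity:", counts)
    for violation in violations:
        print("POLICY VIOLATION:", violation)
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(gate_build(SAMPLE_REPORT))
```

In a real pipeline, replace `SAMPLE_REPORT` with the scanner's output file and keep the policy in version control so threshold changes are reviewed like any other code change.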
This open source project sponsored by the University of Maryland is designed to catch bugs in Java code through static analysis. It has been a while since the application was updated. The latest version is 3.0.1, released in March 2015. Scans classify the bugs and vulnerabilities they find into four rankings: scariest, scary, troubling, and of concern. The program can find defects in 15 categories, but reports can be customized so that only a subset of the categories is reported on. Functionality can be expanded through plug-ins. FindBugs can be a powerful tool if configured correctly. It can also be run as part of a separate continuous automatic code review tool like Sputnik, which can give FindBugs’ reports better visibility.