Finding coding errors early in the development life cycle can save organizations both time and money, as well as make applications more secure. Catching bugs early in development avoids the cost of finding them after release and ensures the code is written securely as it is created. One way to catch code flaws sooner is through the use of Static Application Security Testing (SAST) tools.

SAST tools offer organizations a number of benefits. They scale well. They can be run on software written in a variety of languages. They can be run repeatedly, too, such as during overnight builds. They can be easily integrated into integrated development environments (IDEs). They can also identify common errors, such as buffer overflows, XSS problems and SQL injection flaws. What’s more, after they find an error, they can make life easier for developers by identifying source files, line numbers, and even subsections of lines containing errors. However, the tools have their weaknesses, too, which is why they should be used in conjunction with other error-finding solutions. SAST tools aren’t adept, for example, at finding authentication problems, access control issues, configuration flaws, and bad crypto. In addition, some of them produce too many false positives and have difficulty analyzing code that can’t be compiled. It can also be challenging to determine whether a reported issue is an actual vulnerability. There are a number of SAST tools, both commercial and open source, available to organizations. Here are five of the most popular in each category.
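As an added illustration of how a static analyzer turns a pattern such as SQL injection into a file, line and column report (this is example code, not from the article or any tool it lists), here is a small Python AST checker: it flags execute()/executemany() calls whose query string is assembled at run time and stays silent on the parameterized form. The sink names and the sample module are constructed assumptions; like the tools above, it can only reason about the patterns it knows and will miss an unsafe query built elsewhere.

```python
import ast
from typing import List, Tuple

# Constructed sample module: one query built by string concatenation (unsafe),
# one parameterized query (safe). Illustrative input, not from a real project.
SAMPLE_SOURCE = '''\
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

# Assumed sink method names (DB-API style); a real tool ships a much larger list.
QUERY_SINKS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at run time from non-literal parts."""
    if isinstance(node, ast.JoinedStr):                       # f"..." with placeholders
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                            # "a" + x  or  "...%s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                      # "...{}".format(x)
    return False


def find_sql_injection(source: str, filename: str = "<sample>") -> List[Tuple[str, int, int, str]]:
    """Return (file, line, column, message) for each query sink fed a dynamic string.

    Only the first positional argument is inspected; a call whose query is a
    plain literal (with values passed separately) is not reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in QUERY_SINKS and node.args and _is_dynamic_string(node.args[0]):
            arg = node.args[0]
            findings.append((filename, arg.lineno, arg.col_offset,
                             f"{node.func.attr}() called with a dynamically built query string"))
    return findings


if __name__ == "__main__":
    # Prints one finding in the familiar file:line:col form: app.py:2:19: ...
    for path, line, col, msg in find_sql_injection(SAMPLE_SOURCE, "app.py"):
        print(f"{path}:{line}:{col}: {msg}")
```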

Commercial

Fortify Static Code Analyzer

This SAST tool made by Micro Focus can be harder than some other solutions to integrate into your software development lifecycle, although it does support IDEs, build tools, code repositories, and bug tracking. Once it’s set up, though, both developers and security practitioners will like its performance. It produces understandable and traceable vulnerability information, supports 25 languages, and makes it easy to clean out false positives manually. What’s more, it can provide scan information fast, eliminating the need for partial or incremental scans. On the downside, some users have complained online about difficulty troubleshooting problems with Fortify’s support staff and out-of-date documentation.

Veracode

In addition to SAST, Veracode’s solution supports Dynamic Application Security Testing and Software Composition Analysis, as well as manual penetration testing. Better yet, an application’s status across all testing can be seen through a single dashboard. The app is designed for developers, and includes an API for customizing the software. When it finds a vulnerability, it provides tips for fixing it. If you’re a Jira user, Veracode will open tickets with the appropriate development teams when it finds flaws in your code, which can also be helpful in generating valuable statistical information about your applications. According to Veracode, developers working in DevSecOps environments fix errors 11 times faster with its solution than other developers. 

Coverity Scan

Coverity SAST is part of the Synopsys Software Integrity Platform portfolio, which also includes technologies acquired from Cigital, Codiscope, and Black Duck Software. The portfolio covers the gamut of testing technologies: DAST, SCA, and Interactive Application Security Testing. Synopsys released an upgrade of Coverity earlier this year with enhanced capabilities that allow the software to scan for more vulnerability types across a variety of programming languages. It can also perform static code analysis without compiling code for interpreted languages or where the code can be modeled fairly accurately without compilation. In addition, it can now do framework analysis and advanced JavaScript template analysis, which can spot XSS vulnerabilities in HTML dynamically generated by those templates.

Checkmarx CxSAST

CxSAST is part of Checkmarx’s Software Exposure Platform, which is designed to address software security risk throughout the software development lifecycle. It can identify hundreds of security vulnerabilities in both custom and open source components and supports more than 25 coding and scripting languages. However, some users have complained that better mobile language support is needed, especially support of Xamarin. Another user sore point is the cost of the software’s professional services. Most common plugins work well with the software and its integrations are solid, especially with build servers like Jenkins. It can also perform scans without building code.

AppScan

IBM recently sold AppScan to HCL. The software lets an organization implement a scalable security testing strategy that can pinpoint and remediate application vulnerabilities in every phase of the development lifecycle. It can test web, mobile, and open source software and provides management and reporting tools for multi-user, multi-app deployments. Deployment options are flexible and include on-premise, cloud, and hybrid offerings. Users have praised the software for its low rate of false positives and its ability to counter application attacks, as well as protect data. It has been criticized for having an “unintuitive and hulking interface” and a support library that’s vast but difficult to navigate.


Open Source

Brakeman

This software is a free vulnerability scanner designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development. Users have praised the program for the speed and accuracy of its scans and for providing remediation information that’s easy for developers to understand.

NodeJsScan

Development teams working with Node.js can use NodeJsScan to scan their code. The software has a command line interface for easy integration with DevSecOps CI/CD pipelines. It produces results in JSON and supports a number of programming languages, including Java, C++, C#, VB, PHP, and PL/SQL. A configuration file is available for each language, which can be modified for customized searches. Overviews of files, as well as an entire codebase, can be visualized through stats and pie charts. The program can detect buffer overflows and flaws in Java code that may contain OWASP security risks.

Findbugs

This open source project sponsored by the University of Maryland is designed to catch bugs in Java code through static analysis. It has been a while since the application was updated. The latest version is 3.0.1, released in March 2015. Scans classify the bugs and vulnerabilities they find into four rankings: scariest, scary, troubling, and of concern. The program can find defects in 15 categories, but reports can be customized so only a subset of the categories is reported on. Functionality can be expanded through plug-ins. Findbugs can be a powerful tool if configured correctly. It can also be run as part of a separate continuous automatic code review tool like Sputnik, which can give Findbugs’ reports better visibility.

JSHint

Engineers at Mozilla, Wikipedia, Facebook, Twitter, Yahoo, RedHat and other companies use JSHint to catch defects in JavaScript programs. The open source software is designed to help developers write complex programs without worrying about typos and language errors. It can scan a codebase and report on common mistakes and potential bugs, such as syntax errors, implicit type conversions, leaking variables, and others. The tool was created in 2011 as a fork of the JSLint project by developers who felt JSLint was getting “too opinionated” and did not allow enough customization options.

CodeWarrior

This web-based tool can find security vulnerabilities in applications written in C, C#, PHP, Java, Ruby, ASP, and JavaScript and is available for Linux, OX, BSD, and MacOS. The software doesn’t have to be installed on a machine: after downloading it, compiling it using “make” will get it running. In addition, although it’s a web app, Apache isn’t needed to run it. After starting CodeWarrior, it will open your web browser and ask you to choose what source code you want scanned. The program has a reputation for producing low rates of false positives.
