
Static code analysis tools, your consideration

Hi to all of you,
I need your advice since I'm not a programmer.
The security manager needs software to analyze the code produced by our development team. This is a procedure he wants to implement before publishing web projects on the internet.
Based on your experience, can you recommend software that gives good and easy-to-read reports?
This is where I started

Thank you
4 Solutions
Since the request is from your security manager, then your focus is primarily on identifying software vulnerabilities. What is frustrating about static code analysis tools for developers is the number of false positives that are reported. But there are solutions to this problem.

HP acquired several security companies integrating their products to produce a suite of security shields. You can contact HP for more information about their products which will protect their own clouds as well as provide companies with customized security for their own needs (including lower cost on-demand needs). Take a look at HP Fortify Static Code Analyzer and HP WebInspect. I haven't worked with them, but have seen some of HP's internal videos and was quite impressed.

Here is more information: "HP WebInspect Real-Time, based on HP WebInspect 9.1, works with HP Fortify SecurityScope to attack and observe an application during security testing, enabling testers to pinpoint line-of-code detail where vulnerabilities exist."
Static code analysis only goes so far; it can only find syntax errors and the like, not architectural problems or logical faults. If you just want flashy reports and don't mind paying for them, I'd get the code analysis done as SaaS, e.g. with VeraCode: http://www.veracode.com/

If on the other hand you want to produce secure and good quality code, invest in training courses for the programmers, make them use peer code reviews as part of the development process and implement some freeware tools to look for errors to complement the manual reviews.
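To make the points raised in this thread concrete (the false positives that frustrate developers, and the fact that syntactic analysis cannot see a logic flaw), here is an added example that is not part of the original thread or any of the products mentioned: a toy static analyzer written with Python's standard `ast` module. It scans a constructed sample of three database handlers, flags SQL statements built by string concatenation, and downgrades the finding when nothing in the concatenation comes from a function parameter (a crude taint heuristic). The sample source, the rule name and the severity labels are assumptions made for illustration.

```python
"""Toy SCA rule: flag cursor.execute() calls whose SQL is built with '+'.

Added example (not from the original post). It demonstrates three things:
  * a true positive  (attacker input concatenated into SQL),
  * a false positive (same syntax, but only a local constant is concatenated),
  * a miss           (parameterised query with no authorization check at all).
"""
import ast
from dataclasses import dataclass

# Constructed sample of a hypothetical web app's data layer; not real code.
SAMPLE_SOURCE = '''
def lookup_user(cursor, username):
    # Real injection: user-controlled string concatenated into SQL.
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

def count_rows(cursor):
    # Same syntactic shape but no attacker input: a false positive.
    table = "audit_log"
    cursor.execute("SELECT COUNT(*) FROM " + table)

def delete_account(cursor, current_user, target_id):
    # Parameterised and therefore silent, but any logged-in user can delete
    # any account: a logic flaw invisible to syntactic analysis.
    cursor.execute("DELETE FROM users WHERE id = ?", (target_id,))
'''


@dataclass
class Finding:
    line: int
    function: str
    rule: str
    severity: str
    message: str


class ConcatIntoExecute(ast.NodeVisitor):
    """Report execute(...) whose first argument is a BinOp (string building)."""

    def __init__(self):
        self.findings = []
        self._func = "<module>"
        self._params = set()

    def visit_FunctionDef(self, node):
        # Heuristic taint model: every function parameter is attacker-controlled.
        self._func = node.name
        self._params = {a.arg for a in node.args.args}
        self.generic_visit(node)
        self._func, self._params = "<module>", set()

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and isinstance(node.args[0], ast.BinOp)):
            names = {n.id for n in ast.walk(node.args[0]) if isinstance(n, ast.Name)}
            tainted = names & self._params
            # Without the taint check every concatenation would be "high":
            # that is the false-positive noise developers complain about.
            severity = "high" if tainted else "low"
            detail = (f"parameter(s) {sorted(tainted)} reach the query" if tainted
                      else "only local values are concatenated; likely false positive")
            self.findings.append(Finding(node.lineno, self._func, "CWE-89",
                                         severity, detail))
        self.generic_visit(node)


def analyze(source: str) -> list:
    """Run the rule over one source file and return its findings."""
    visitor = ConcatIntoExecute()
    visitor.visit(ast.parse(source))
    return visitor.findings


def flagged_functions(source: str) -> set:
    """Names of functions with at least one finding (whatever the severity)."""
    return {f.function for f in analyze(source)}


if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line:>2} {f.function:<15} {f.rule} [{f.severity}] {f.message}")
    # delete_account never appears: the missing authorization check is a
    # business-logic fault that only a human review or a DAST test will find.
```

Run it and note what is absent from the report as much as what is present: `delete_account` is never mentioned, which is exactly why the answers above recommend peer review and dynamic testing alongside any scanner. The parameter-based taint heuristic is deliberately simple; real tools model data flow across calls, but the effect on report quality is the same.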

btan (Exec Consultant) commented:
Suggest also taking a look at the NIST SAMATE; there is a lot there based on the targeted code language, including the test suites for download.


One point to highlight is the part of CWE that talks about common weaknesses in software. It is not isolated to static code, but being minimally aware of the top 25 common software weaknesses helps to catch the low-hanging fruit, makes the white-box and black-box testing more relevant, and shows the need to go in depth into the business logic behind the code flow.

> ...  that gives good and easy to read reports.
If you're an experienced developer in a couple of net languages *and* know most of the common and also not-so-common web vulnerabilities and threats, they all give you "easy to read" reports.

Having said this, a bit kiddingly, it's as already explained: SCA cannot find all such problems, and dynamic analysis tools (aka web vulnerability scanners) can't either; a combination of both will give better results.
If you have $$$$ (and a couple of other resources :) go with Fortify; Klocwork, Checkmarx and Coverity are alternatives; or you can give away your code to be checked online.

Note: SCA as well as web penetration testing need highly specialised tools and people with very good experience.
-- a fool with a tool is still a fool --
