Static code analysis tools, your consideration

Posted on 2012-09-03
Last Modified: 2012-09-13
Hi to all of you,
I need your advice since I'm not a programmer.
The security manager needs software to analyze the code produced by our development team. This is a procedure he wants to implement before publishing web projects on the internet.
Based on your experience, can you recommend software that gives good and easy-to-read reports?
This is where I started

Thank you
Question by: carlettus
    LVL 31

    Assisted Solution

    Since the request is from your security manager, then your focus is primarily on identifying software vulnerabilities. What is frustrating about static code analysis tools for developers is the number of false positives that are reported. But there are solutions to this problem.

    HP acquired several security companies integrating their products to produce a suite of security shields. You can contact HP for more information about their products which will protect their own clouds as well as provide companies with customized security for their own needs (including lower cost on-demand needs). Take a look at HP Fortify Static Code Analyzer and HP WebInspect. I haven't worked with them, but have seen some of HP's internal videos and was quite impressed.

    Here is more information: "HP WebInspect Real-Time, based on HP WebInspect 9.1, works with HP Fortify SecurityScope to attack and observe an application during security testing, enabling testers to pinpoint line-of-code detail where vulnerabilities exist."
    LVL 19

    Accepted Solution

    Static code analysis only goes so far; it can only find syntax errors and the like, not architectural problems or logical faults. If you just want flashy reports and don't mind paying for them, I'd get the code analysis done as SaaS, e.g. with VeraCode:

    If, on the other hand, you want to produce secure and good-quality code, invest in training courses for the programmers, make them use peer code reviews as part of the development process, and implement some freeware tools to look for errors to complement the manual reviews.
    LVL 60

    Assisted Solution

    I suggest also taking a look at NIST SAMATE; there is a lot there, based on the targeted code language, including the test suites for download.

    One point to highlight is the part of CWE which talks about the common weaknesses behind software flaws. It is not isolated to static code, but being aware, at a minimum, of the Top 25 common software weaknesses helps to catch the low-hanging fruit, makes the whitebox and blackbox testing more relevant, and shows the need to go in depth into the business logic behind the code flow.
    LVL 51

    Assisted Solution

    > ... that gives good and easy to read reports.
    If you're an experienced developer in a couple of net languages *and* know most of the common and also not-so-common web vulnerabilities and threats, they all give you "easy to read" reports.

    Having said this, half kidding, it's like already explained: SCA cannot find all such problems, and dynamic analysis tools (aka web vulnerability scanners) can't either; a combination of both will give better results.
    If you have $$$$ (and a couple of other resources :) go with Fortify; Klocwork, Checkmarx, Coverity are alternatives; or you can give away your code to be checked online.

    Note: SCA as well as web penetration testing needs highly specialised tools and people with very good experience.
    -- a fool with a tool is still a fool --
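The points made across the thread (false positives in the LVL 31 answer, the limits of SCA in the LVL 19 and LVL 51 answers, CWE Top 25 categories in the LVL 60 answer) are easiest to see with a toy static analyzer. The block below is an added example written for this page; it is not code from any of the products named above. It is a minimal source-to-sink taint tracker built on Python's standard `ast` module, with constructed source/sink/sanitizer lists and a constructed target module. It flags the two real injections, stays quiet on the parameterised query and the `shlex.quote` case, and reports one false positive where a project-specific sanitizer (`escape_ident`, hypothetical) is unknown to it.

```python
import ast

# Constructed source/sink/sanitizer lists for this demo. A commercial
# analyzer ships thousands of these per framework; gaps in these lists are
# where both its false negatives and its false positives come from.
SOURCES = {"request.args.get", "request.form.get"}        # calls returning user input
SOURCE_OBJECTS = {"request.args", "request.form"}         # subscripted: request.form["x"]
SANITIZERS = {"int", "shlex.quote"}                       # calls whose result counts as clean
SINKS = {"cursor.execute": "CWE-89",                      # SQL injection
         "os.system": "CWE-78", "subprocess.call": "CWE-78"}  # OS command injection


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer:
    """Straight-line, intraprocedural taint tracking, one function at a time."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding user input
        self.findings = []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            if isinstance(node.func, ast.Attribute) and node.func.attr == "format":
                return any(self.is_tainted(a) for a in node.args)   # "...".format(x)
            # Unknown callee: assume taint passes through the arguments and the
            # receiver (x.upper()). Conservative, hence the false positives.
            return any(self.is_tainted(a) for a in node.args) or self.is_tainted(node.func)
        if isinstance(node, ast.Attribute):
            return self.is_tainted(node.value)
        if isinstance(node, ast.Subscript):
            return dotted(node.value) in SOURCE_OBJECTS or self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):                              # "%s" % x, "a" + x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):                          # f"...{x}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def check_sink(self, call):
        name = dotted(call.func)
        if name in SINKS and call.args and self.is_tainted(call.args[0]):
            self.findings.append({"line": call.lineno, "sink": name, "cwe": SINKS[name]})

    def visit_function(self, fn):
        self.tainted = set()
        for stmt in fn.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target = stmt.targets[0].id
                if self.is_tainted(stmt.value):
                    self.tainted.add(target)
                else:
                    self.tainted.discard(target)   # clean reassignment clears taint
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call):
                    self.check_sink(node)


def analyze(source):
    """Return findings as [{'line', 'sink', 'cwe'}, ...] sorted by line."""
    analyzer = TaintAnalyzer()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            analyzer.visit_function(node)
    return sorted(analyzer.findings, key=lambda f: f["line"])


# Constructed target code (not from the thread): two real injections, two
# correctly handled cases, and one that only looks dangerous to the tool
# because escape_ident (hypothetical) is not in its sanitizer list.
SAMPLE = '''
import os, shlex
from flask import request

def lookup_user(cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)

def lookup_user_safe(cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

def ping():
    host = request.form["host"]
    os.system(f"ping -c 1 {host}")

def ping_quoted():
    host = shlex.quote(request.form["host"])
    os.system("ping -c 1 " + host)

def table_dump(cursor):
    table = escape_ident(request.args.get("t"))
    cursor.execute("SELECT * FROM " + table)
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f['line']:>3}: {f['cwe']} via {f['sink']}")
```

Running it reports lines 7 and 15 (a real CWE-89 and a real CWE-78) and line 23, which is only a finding because the tool does not know what `escape_ident` does. That last one is exactly the false positive a developer has to triage, and the only ways to make it go away are to register the sanitizer with the tool or to accept the noise; neither the analyzer nor a web scanner can tell you whether `escape_ident` is actually correct, which is the business-logic gap the answers above point at.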
