Top 3 Open Source Tools for SAST

In today’s world of software development, the responsibilities of developers have significantly increased. So often, security measures get compromised due to relentless efforts put in to improve UI and UX. SAST is one of many such ways to ensure your application is secure.

What is Static Application Security Testing (SAST)

Static Application Security Testing, or SAST, is a type of security testing which analyzes the source code of an application to determine security flaws. It can also be termed as Source Code Analysis. SAST examines the source code before it’s compiled without executing anything. Due to this feature, it can be employed early in the development cycle to reap maximum benefits. This ensures that a secure source code is written. Also, making early detection of security vulnerabilities lowers cost of fixing bugs post development.

Benefits of SAST

  • The analysis can find major vulnerabilities like buffer overflow, SQL Injection flaws, XSS, and so forth.
  • It can detect highly complex flaws that are not visible without access to the source code.
  • It results in highlight precise source files and line numbers that are affected.
  • It provides a valuable framework during development to detect flaws before they become security risks for your end users and your organization.
  • It can be easily integrated with IDEs. (Integrated Development Environments)

SAST Tools

Code Warrior

This SAST tool supports multiple languages for a variety of security vulnerabilities. It supports C, C#, PHP, Java, Ruby, ASP and JavaScript. The tool doesn’t need to be installed on a machine. Compiling it using “make” is enough to run this tool after downloading. It is available for Linux, BSD and MacOS systems.

Although it is a web application, it does not require Apache. Once you run the scanner, it opens up the web browser and prompts you to select the source code. As compared to other tools, it has a relatively low rate of false positives.

Setup &amp

You can download this tool from GitHub. Or, you can also clone the Git repository using the following command –

Figure 1 Cloning CodeWarrior repository from GitHub

CodeWarrior runs at HTTPd with TLS. After downloading the repository, you will need to compile it using make command. Execute the downloaded file as “bin/warrior” and open the browser  https://127.0.0.1:1345/index.html.

Figure 2 CodeWarrior Dashboard

Directories

web/ = local of JavaScript, html and CSS sources
src/ = C source code (web socket)
eggs/ = external modules to search codes using regex
conf/whitelist.conf = list of IPs that have access in the HTTPd server
bin/ = file to execute
doc/ = at construction
lib/ = external libraries
cert/ = loads your certificates for TLS here

NodeJsScan

NodeJsScan is a static code scanner for Node.js applications. It runs on python. 

Configuration & Usage

  1. Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/setting.py
  2. Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan.
  3. Navigate to the NodeJsScan directory and install all requirements using the command – pip3 install –r requirements.txt.
  4. Run once to create database entries required – python3 migrate.py
  5. Run to test the testing Environment – python3 app.py
  6. Setup gunicorn for the production environment – gunicorn –b 0.0.0.0:9090 app:app.

This tool will run NodeJsScan on http://0.0.0.0:9090. If you need to debug, set DEBUG = True in core/settings.py. With periodic updates of this tool, it shows a minimum number of false positives.

NodeJs Scan CLI

The command line interface (CLI) allows this tool to integrate with DevSecOps CI/CD pipelines. The results are in JSON format.

Figure 3 NodeJsScan CLI is showing optional arguments.

It is an automated tool intended for code security review. It supports many languages such as Java, C++, C#, VB, PHP, PL/SQL, etc. 
By identifying bad or insecure code, it optimizes the code review process. It has a config file for each language that allows you to add any adverse functions (or other text) that you want to search for. It provides a brief overview through stats and pie charts for individual files and the entire codebase. These stats represent proportions of code, insecure code, whitespace, and comments. It detects buffer overflows, finds flaws in Java code that might violate OWASP recommendations, etc. 

Configuration & Usage

The tool is available for download at https://sourceforge.net/projects/visualcodegrepp/. It’s an MSI installation file. To use this application, simply select the source code to be analyzed after installation. It is a multi-language scanner. Though it gives false positives, in terms of overall results, it is comparatively better than other tools. 

Figure 5 Visual Code Grepper specifying vulnerability on particular locations.

Conclusion

Implementing SAST in the initial stages can give a big advantage to a business in identifying security vulnerabilities. With many testing tools available, one should be aware of the languages supported by these tools and their false positive rate. Some tools like LGTM are open source tools, but they require the testers to fully understand QL language and hence, the implementation process is a bit lengthy. While on the other hand, some tools are not updated anymore, and a testing team must be extra precautionary while choosing a tool for SAST.

Industry recognitions we have earned

reuters logo cybersecurity_awards_2024 logo winner logo csba logo hot150 logo bloomberg logo top-infosec logo

Fill out the form below to let us know your requirements.
We will contact you to determine if BreachLock is right for your business or organization.

background image