May 13, 2019

Top 3 Open Source Tools for SAST

In today's world of software development, the responsibilities of developers have increased significantly. All too often, security suffers because of the effort poured into improving UI and UX. SAST is one of many ways to ensure your application is secure.

What is Static Application Security Testing (SAST)?

Static Application Security Testing, or SAST, is a type of security testing that analyzes the source code of an application to find security flaws. It is also known as source code analysis. SAST examines the source code before it is compiled, without executing anything. Because of this, it can be employed early in the development cycle, where it delivers the most benefit: it helps ensure that secure source code is written in the first place, and detecting vulnerabilities early lowers the cost of fixing bugs after development.

Benefits of SAST

- The analysis can find major vulnerability classes such as buffer overflows, SQL injection flaws, XSS, and so forth.
- It can detect highly complex flaws that are not visible without access to the source code.
- Its results highlight the precise source files and line numbers that are affected.
- It provides a valuable framework during development for detecting flaws before they become security risks for your end users and your organization.
- It can be easily integrated with IDEs (Integrated Development Environments).

SAST Tools

CodeWarrior

This SAST tool supports multiple languages and a variety of security vulnerabilities. It supports C, C#, PHP, Java, Ruby, ASP and JavaScript. The tool does not need to be installed on the machine: after downloading it, compiling it with "make" is enough to run it. It is available for Linux, BSD and macOS systems. Although it is a web application, it does not require Apache.
Once you run the scanner, it opens the web browser and prompts you to select the source code. Compared with other tools, it has a relatively low rate of false positives.

Setup & Usage

You can download this tool from GitHub, or clone the Git repository with the command shown in Figure 1.

Figure 1: Cloning the CodeWarrior repository from GitHub

CodeWarrior runs as an HTTPd with TLS. After downloading the repository, compile it with the make command. Execute the resulting binary as "bin/warrior" and open https://127.0.0.1:1345/index.html in the browser.

Figure 2: CodeWarrior dashboard

Directories:

- web/ = JavaScript, HTML and CSS sources
- src/ = C source code (web socket)
- eggs/ = external modules that search code using regexes
- conf/whitelist.conf = list of IPs that are allowed to access the HTTPd server
- bin/ = the executable
- doc/ = under construction
- lib/ = external libraries
- cert/ = load your certificates for TLS here

NodeJsScan

NodeJsScan is a static code scanner for Node.js applications. It runs on Python.

Configuration & Usage

- Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/settings.py.
- Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan.
- Navigate to the NodeJsScan directory and install all requirements with the command pip3 install -r requirements.txt.
- Run python3 migrate.py once to create the required database entries.
- Run python3 app.py to try it in the testing environment.
- Set up gunicorn for the production environment: gunicorn -b 0.0.0.0:9090 app:app. This runs NodeJsScan on http://0.0.0.0:9090.
- If you need to debug, set DEBUG = True in core/settings.py.

With periodic updates, this tool shows a minimal number of false positives.

NodeJsScan CLI

The command line interface (CLI) allows this tool to integrate with DevSecOps CI/CD pipelines. The results are in JSON format.

Figure 3: NodeJsScan CLI showing its optional arguments

Visual Code Grepper

It is an automated tool intended for code security review. It supports many languages such as Java, C++, C#, VB, PHP, PL/SQL, etc. By identifying bad or insecure code, it streamlines the code review process. It has a config file for each language that allows you to add any adverse functions (or other text) you want to search for. It provides a brief overview through stats and pie charts for individual files and the entire codebase; these stats represent the proportions of code, insecure code, whitespace, and comments. It detects buffer overflows, finds flaws in Java code that might violate OWASP recommendations, etc.

Configuration & Usage

The tool is available for download at https://sourceforge.net/projects/visualcodegrepp/ as an MSI installation file. To use it, simply select the source code to be analyzed after installation. It is a multi-language scanner. Although it gives false positives, its overall results are comparatively better than those of other tools.

Figure 5: Visual Code Grepper pinpointing a vulnerability at particular locations

Conclusion

Implementing SAST in the initial stages gives a business a big advantage in identifying security vulnerabilities. With many testing tools available, one should be aware of the languages each tool supports and its false positive rate. Some tools like LGTM are open source, but they require testers to fully understand the QL language, so the implementation process is somewhat lengthy. On the other hand, some tools are no longer updated, so a testing team must be extra careful when choosing a tool for SAST.
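As an added illustration (not code from CodeWarrior, NodeJsScan or Visual Code Grepper), the following Python script shows the pattern-based approach that CodeWarrior's regex "eggs" and VCG's per-language config files rely on: a hypothetical rule table of adverse functions per language, a scanner that reports the precise file and line of each hit, and VCG-style proportions of code, comment and whitespace lines. The rule set and the sample sources are constructed for this example and assume Python 3.9 or later.

```python
import re
# Hypothetical per-language rule set (regex -> message), in the spirit of VCG's
# per-language config of "adverse functions" and CodeWarrior's regex "eggs".
RULES: dict[str, dict[str, str]] = {
    "c": {
        r"\bgets\s*\(": "gets() cannot bound its read: buffer overflow",
        r"\bstrcpy\s*\(": "strcpy() copies without a length check",
    },
    "javascript": {
        r"\beval\s*\(": "eval() executes arbitrary code",
        r"\.innerHTML\s*=": "innerHTML assignment can introduce XSS",
    },
}
def scan(path: str, lang: str, source: str) -> list[tuple[str, int, str]]:
    """Return (file, line number, message) for each rule hit in the source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):  # skip comment-only lines
            continue
        for pattern, message in RULES[lang].items():
            if re.search(pattern, line):
                findings.append((path, lineno, message))
    return findings
def stats(source: str) -> dict[str, float]:
    """Proportions of code, comment and whitespace lines, like VCG's summary."""
    lines = source.splitlines()
    blank = sum(1 for l in lines if not l.strip())
    comment = sum(1 for l in lines if l.lstrip().startswith("//"))
    total = max(len(lines), 1)
    return {"code": (total - blank - comment) / total,
            "comment": comment / total, "whitespace": blank / total}

# Constructed sample sources (not files from any real project).
SAMPLE_C = """// copy caller-supplied input into a fixed buffer
void greet(char *name) {
    char buf[32];
    strcpy(buf, name);
    gets(buf);
}
"""
SAMPLE_JS = """const input = location.hash.slice(1);
// render the fragment
document.getElementById("out").innerHTML = input;
eval(input);
"""

if __name__ == "__main__":
    for f in scan("greet.c", "c", SAMPLE_C) + scan("app.js", "javascript", SAMPLE_JS):
        print("%s:%d: %s" % f)
```

Real tools add data-flow and context analysis on top of this; a plain regex match is what produces the false positives the article mentions, so every hit still needs a reviewer's confirmation.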