13 May, 2019
Top 3 Open Source Tools for SAST
In today's world of software development, the responsibilities of developers have grown significantly. All too often, security is compromised by the relentless effort put into improving UI and UX. SAST is one of many ways to ensure your application is secure.
What is Static Application Security Testing (SAST)?
Static Application Security Testing, or SAST, is a type of security testing that analyzes the source code of an application to find security flaws. It is also known as source code analysis. SAST examines the source code before it is compiled, without executing anything. Because of this, it can be employed early in the development cycle, where it delivers the most benefit: it helps ensure that secure source code is written in the first place, and early detection of vulnerabilities lowers the cost of fixing bugs after development.
Benefits of SAST
- The analysis can find major vulnerabilities such as buffer overflows, SQL injection, XSS, and so on.
- It can detect highly complex flaws that are not visible without access to the source code.
- It highlights the precise source files and line numbers that are affected.
- It provides a valuable framework during development to detect flaws before they become security risks for your end users and your organization.
- It can be easily integrated with IDEs (Integrated Development Environments).
CodeWarrior
CodeWarrior is a web application, but it does not require Apache. Once you run the scanner, it opens a web browser and prompts you to select the source code. Compared to other tools, it has a relatively low rate of false positives.
Setup & Usage
You can download this tool from GitHub, or clone the Git repository using the following command:
Figure 1 Cloning CodeWarrior repository from GitHub
CodeWarrior runs its own HTTPd with TLS. After downloading the repository, compile it with the make command. Run the resulting binary as bin/warrior and open https://127.0.0.1:1345/index.html in the browser.
Figure 2 CodeWarrior Dashboard
The repository is laid out as follows:
- src/ = C source code (WebSocket server)
- eggs/ = external modules that search code using regular expressions
- conf/whitelist.conf = list of IPs allowed to access the HTTPd server
- bin/ = the executable
- doc/ = under construction
- lib/ = external libraries
- cert/ = place your TLS certificates here
NodeJsScan
NodeJsScan is a static code scanner for Node.js applications. It is written in Python.
Configuration & Usage
- Install PostgreSQL and configure SQLALCHEMY_DATABASE_URI in core/settings.py.
- Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan.
- Navigate to the NodeJsScan directory and install all requirements: pip3 install -r requirements.txt
- Run once to create the required database entries: python3 migrate.py
- Run the test environment: python3 app.py
- Set up gunicorn for the production environment: gunicorn -b 0.0.0.0:9090 app:app
NodeJsScan will then listen on http://0.0.0.0:9090. Note that binding to 0.0.0.0 exposes the scanner on every network interface of the host, so restrict access to it accordingly. If you need to debug, set DEBUG = True in core/settings.py. Because the tool is updated periodically, it produces a low number of false positives.
The command line interface (CLI) allows this tool to be integrated into DevSecOps CI/CD pipelines. The results are emitted in JSON format.
Figure 3 NodeJsScan CLI showing optional arguments.
Figure 4 NodeJsScan reporting security issues.
Visual Code Grepper
Visual Code Grepper is an automated tool intended for code security review. It supports many languages, such as Java, C++, C#, VB, PHP, PL/SQL, etc.
By identifying bad or insecure code, it streamlines the code review process. It has a config file for each language that lets you add any dangerous functions (or other text) you want to search for. It provides a brief overview through stats and pie charts for individual files and for the entire codebase; these stats show the proportions of code, insecure code, whitespace, and comments. It detects buffer overflows, finds flaws in Java code that may violate OWASP recommendations, and so on.
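To make concrete what the three tools have in common (CodeWarrior's regex "eggs", Visual Code Grepper's per-language lists of dangerous functions, and NodeJsScan's JSON results that a pipeline can consume), here is a small rule-based scanner. It is an added example written for this article, not code from any of the tools; the rule ids, patterns, severities and the two sample source files are constructed for illustration. It reports the affected file and line number for each match, skips whole-line comments to reduce false positives, serialises the findings as JSON, and exposes a gate function a CI job could use to fail a build on high-severity findings.

```python
"""Minimal rule-based SAST scanner (added example; not code from CodeWarrior,
NodeJsScan or Visual Code Grepper).  It matches known-dangerous constructs
in source text, reports file and line number, emits JSON and offers a CI gate."""
import json
import re
from dataclasses import dataclass, asdict

# Per-language rule sets: (rule id, message, regex, severity).
# Hypothetical rules modelled on the "dangerous function" lists such tools
# ship; they are constructed for this example.
RULES = {
    "c": [
        ("C-STRCPY", "Unbounded copy with strcpy(); use a length-checked copy", r"\bstrcpy\s*\(", "high"),
        ("C-GETS", "gets() cannot bound its input (buffer overflow)", r"\bgets\s*\(", "high"),
        ("C-SPRINTF", "sprintf() into a fixed buffer; prefer snprintf()", r"\bsprintf\s*\(", "medium"),
    ],
    "js": [
        ("JS-EVAL", "eval() on dynamic input enables code injection", r"\beval\s*\(", "high"),
        ("JS-EXEC", "exec() builds a shell command string; prefer execFile() with an argv list", r"\bexec\s*\(", "high"),
        ("JS-INNERHTML", "Assignment to innerHTML can introduce DOM XSS", r"\.innerHTML\s*=", "medium"),
    ],
}

LINE_COMMENT = {"c": "//", "js": "//"}


@dataclass
class Finding:
    file: str
    line: int
    rule: str
    severity: str
    message: str
    code: str


def scan_source(path, text, lang):
    """Return findings for one file.  Whole-line comments are skipped to keep
    the false-positive rate down (a real tool would tokenize properly)."""
    findings = []
    marker = LINE_COMMENT[lang]
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith(marker):
            continue
        for rule_id, message, pattern, severity in RULES[lang]:
            if re.search(pattern, raw):
                findings.append(Finding(path, lineno, rule_id, severity, message, stripped))
    return findings


def scan_tree(files):
    """files: {path: (lang, source_text)}.  Scan every file, return all findings."""
    out = []
    for path, (lang, text) in files.items():
        out.extend(scan_source(path, text, lang))
    return out


def to_json(findings):
    """Serialise findings the way a CLI scanner would hand them to a pipeline."""
    return json.dumps([asdict(f) for f in findings], indent=2)


def ci_gate(findings, fail_on=("high",)):
    """Return True when the build may proceed (no finding at a blocking severity)."""
    return not any(f.severity in fail_on for f in findings)


# Constructed sample sources (not real project code).
SAMPLE_FILES = {
    "src/login.c": ("c",
                    "#include <string.h>\n"
                    "void copy_user(char *dst, const char *src) {\n"
                    "    // strcpy(dst, src);  old version, kept as a comment\n"
                    "    strcpy(dst, src);\n"
                    "}\n"),
    "lib/run.js": ("js",
                   "const { exec } = require('child_process');\n"
                   "function run(cmd) {\n"
                   "  return exec('ls ' + cmd);\n"
                   "}\n"
                   "document.body.innerHTML = userName;\n"),
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    print(to_json(results))
    print("gate:", "PASS" if ci_gate(results) else "FAIL")
```

Running it reports three findings: the live strcpy() call on line 4 of src/login.c (the commented-out copy on line 3 is ignored), the exec() call on line 3 of lib/run.js and the innerHTML assignment on line 5, and the gate fails the build because two of them are high severity. The JS-EXEC pattern is deliberately broad and would also flag unrelated calls such as a RegExp's exec(); that is exactly the kind of false positive the article weighs the tools against, and the per-language rule table is where a team tunes it.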
Configuration & Usage
The tool is available for download at https://sourceforge.net/projects/visualcodegrepp/ as an MSI installation file. To use it, simply select the source code to be analyzed after installation. It is a multi-language scanner. Although it does produce false positives, its overall results are comparatively better than those of other tools.
Figure 5 Visual Code Grepper flagging vulnerabilities at particular locations.
Implementing SAST in the initial stages can give a business a big advantage in identifying security vulnerabilities. With many testing tools available, one should be aware of the languages each tool supports and its false positive rate. Some tools, such as LGTM, are open source, but they require testers to fully understand the QL query language, so the implementation process is somewhat lengthy. On the other hand, some tools are no longer updated, and a testing team must be extra cautious when choosing a tool for SAST.