Top 3 Open Source Tools for SAST

13 May, 2019


In today’s world of software development, the responsibilities of developers have increased significantly. Security measures are often compromised by the relentless effort put into improving UI and UX. SAST is one of many ways to ensure your application is secure.

What is Static Application Security Testing (SAST)? 

Static Application Security Testing (SAST) is a type of security testing that analyzes the source code of an application to find security flaws; it is also called source code analysis. SAST examines the source code before it is compiled, without executing anything, so it can be employed early in the development cycle, where it yields the most benefit. This helps ensure that secure source code is written, and early detection of vulnerabilities lowers the cost of fixing bugs after development.

Benefits of SAST 
  • The analysis can find major vulnerabilities such as buffer overflows, SQL injection flaws, XSS, and so forth.
  • It can detect highly complex flaws that are not visible without access to the source code.
  • It highlights the precise source files and line numbers that are affected.
  • It provides a valuable framework during development to detect flaws before they become security risks for your end users and your organization.
  • It can be easily integrated with IDEs (Integrated Development Environments).

SAST Tools 

Code Warrior 

This SAST tool supports multiple languages and a variety of security vulnerabilities. It supports C, C#, PHP, Java, Ruby, ASP and JavaScript. The tool does not need to be installed on the machine: after downloading it, compiling it with “make” is enough to run it. It is available for Linux, BSD and macOS systems.

Although it is a web application, it does not require Apache. Once you run the scanner, it opens the web browser and prompts you to select the source code. Compared with other tools, it has a relatively low rate of false positives.

Setup & Usage 

You can download this tool from GitHub, or clone the Git repository using the following command:

Figure 1: Cloning the CodeWarrior repository from GitHub

CodeWarrior runs as an HTTP daemon (HTTPd) with TLS. After downloading the repository, compile it with the make command, run the resulting binary as “bin/warrior”, and open https://127.0.0.1:1345/index.html in the browser.

Figure 2: CodeWarrior Dashboard

Directories

web/ = JavaScript, HTML and CSS sources

src/ = C source code (web socket)

eggs/ = external modules that search code using regular expressions

conf/whitelist.conf = list of IPs allowed to access the HTTPd server

bin/ = the executable

doc/ = documentation (under construction)

lib/ = external libraries

cert/ = place your TLS certificates here

NodeJsScan 

NodeJsScan is a static code scanner for Node.js applications, written in Python.

Configuration & Usage 
  • Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/settings.py.
  • Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan.
  • Navigate to the NodeJsScan directory and install all requirements with: pip3 install -r requirements.txt
  • Run once to create the required database entries: python3 migrate.py
  • Run the test environment: python3 app.py
  • Set up gunicorn for the production environment: gunicorn -b 0.0.0.0:9090 app:app

This will run NodeJsScan on http://0.0.0.0:9090 (note that binding to 0.0.0.0 listens on all network interfaces, so the web UI is reachable from any host that can reach the machine). If you need to debug, set DEBUG = True in core/settings.py. Because the tool is updated periodically, it produces few false positives.

NodeJsScan CLI 

The command line interface (CLI) lets this tool integrate with DevSecOps CI/CD pipelines. The results are produced in JSON format.
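A JSON report is only useful in a pipeline if something consumes it and decides whether the build passes. The following is an added example, not NodeJsScan code: a small CI gate that parses a scanner's JSON output, fails the build on findings at or above a severity threshold, and keeps a baseline of triaged false positives so that known-benign hits do not block every run. The report layout, rule names and file paths are constructed assumptions, not NodeJsScan's actual schema.

```python
"""CI gate over a JSON SAST report.

Added illustration for wiring a CLI scanner's JSON output into a pipeline; it is
not NodeJsScan code, and the report layout below is a constructed assumption
rather than NodeJsScan's actual schema. The gate fails the build only on findings
at or above a severity threshold that have not been triaged into a baseline.
"""
import hashlib
import json
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def load_findings(report_text: str) -> List[Dict]:
    """Parse the report and reject entries missing the fields the gate relies on."""
    findings = json.loads(report_text).get("findings", [])
    for f in findings:
        missing = [k for k in ("file", "line", "rule", "severity") if k not in f]
        if missing:
            raise ValueError(f"finding missing {missing}: {f}")
        if f["severity"] not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {f['severity']!r}")
    return findings


def fingerprint(finding: Dict) -> str:
    """Stable id used to record triaged false positives. The line number is left
    out on purpose so that unrelated edits shifting code do not reopen a finding."""
    raw = f"{finding['file']}|{finding['rule']}|{finding.get('snippet', '')}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity for the build log."""
    return dict(Counter(f["severity"] for f in findings))


def gate(findings: List[Dict], threshold: str = "high",
         baseline: FrozenSet[str] = frozenset()) -> Tuple[int, List[Dict]]:
    """Return (exit_code, blocking_findings): 1 when any finding at or above the
    threshold is not in the baseline, otherwise 0."""
    min_level = SEVERITY_ORDER[threshold]
    blocking = [f for f in findings
                if SEVERITY_ORDER[f["severity"]] >= min_level
                and fingerprint(f) not in baseline]
    return (1 if blocking else 0), blocking


# Constructed sample report (rule names and paths invented for this example).
SAMPLE_REPORT = json.dumps({"findings": [
    {"file": "routes/user.js", "line": 42, "rule": "eval_use", "severity": "high",
     "snippet": "eval(req.body.expr)"},
    {"file": "lib/util.js", "line": 7, "rule": "weak_hash", "severity": "medium",
     "snippet": "crypto.createHash('md5')"},
    {"file": "test/fixtures.js", "line": 3, "rule": "hardcoded_secret", "severity": "high",
     "snippet": "const key = 'test-only'"},
]})


if __name__ == "__main__":
    import sys
    findings = load_findings(SAMPLE_REPORT)
    # The fixture "secret" was triaged as a false positive and added to the baseline.
    accepted = frozenset({fingerprint(findings[2])})
    code, blocking = gate(findings, "high", accepted)
    print("summary:", summarize(findings))
    for f in blocking:
        print(f"BLOCKING {f['file']}:{f['line']} {f['rule']} ({f['severity']})")
    sys.exit(code)
```

In a real pipeline the baseline would be a checked-in file of fingerprints reviewed by the security team, so accepting a false positive is an auditable change rather than a silent suppression; the exit code is what the CI job keys on.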


Figure 3: NodeJsScan CLI showing the optional arguments.

Figure 4: NodeJsScan reporting security issues.

Visual Code Grepper

Visual Code Grepper (VCG) is an automated tool intended for code security review. It supports many languages, such as Java, C++, C#, VB, PHP and PL/SQL.

By identifying bad or insecure code, it streamlines the code review process. It has a configuration file for each language in which you can add any adverse functions (or other text) you want to search for. It gives a brief overview through statistics and pie charts for individual files and the entire codebase; these statistics show the proportions of code, insecure code, whitespace and comments. It detects buffer overflows, flaws in Java code that might violate OWASP recommendations, and so on.
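Both CodeWarrior (whose "eggs" modules search code with regular expressions) and VCG (whose per-language configuration lists adverse functions to grep for) are built on the same idea: apply a catalogue of patterns to source text without executing it and report the exact file and line of each hit. The following added example, not code from either project, shows that idea end to end in a few dozen lines, including the per-file code/comment/blank proportions VCG charts and the simplest false-positive reduction, skipping whole-line comments. The rule catalogue, comment markers and sample sources are constructed for this example.

```python
"""Minimal regex-driven static scanner.

Added illustration, not code from CodeWarrior or Visual Code Grepper. A
per-language list of "adverse" patterns is applied to source text without
executing it; each hit is reported with its file and line number, and each
file gets code/comment/blank counts. Rules and samples are constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: "re.Pattern[str]"
    severity: str
    message: str


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule_id: str
    severity: str
    message: str
    snippet: str


# Hypothetical rule catalogue keyed by language (a real tool's is far larger).
RULES: Dict[str, List[Rule]] = {
    "c": [
        Rule("C-STRCPY", re.compile(r"\bstrcpy\s*\("), "high",
             "strcpy performs no bounds check; possible buffer overflow"),
        Rule("C-GETS", re.compile(r"\bgets\s*\("), "high",
             "gets cannot limit input length; buffer overflow"),
    ],
    "javascript": [
        Rule("JS-EVAL", re.compile(r"\beval\s*\("), "high",
             "eval on attacker-influenced input allows code injection"),
        Rule("JS-INNERHTML", re.compile(r"\.innerHTML\s*="), "medium",
             "innerHTML assignment from untrusted data leads to DOM XSS"),
    ],
}

# Whole-line comment markers per language. Comment lines are skipped so that a
# commented-out call is not reported (one cheap way to cut false positives).
COMMENT_PREFIXES: Dict[str, Tuple[str, ...]] = {
    "c": ("//", "/*", "*"),
    "javascript": ("//", "/*", "*"),
}


def is_comment_line(line: str, language: str) -> bool:
    return line.lstrip().startswith(COMMENT_PREFIXES.get(language, ()))


def scan_source(filename: str, text: str, language: str) -> List[Finding]:
    """Apply the language's rules line by line; returns precise file:line hits."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if is_comment_line(line, language):
            continue
        for rule in RULES.get(language, []):
            if rule.pattern.search(line):
                findings.append(Finding(filename, lineno, rule.rule_id,
                                        rule.severity, rule.message, line.strip()))
    return findings


def code_stats(text: str, language: str) -> Dict[str, int]:
    """Count code, comment and blank lines, like VCG's per-file proportions."""
    stats = {"code": 0, "comment": 0, "blank": 0}
    for line in text.splitlines():
        if not line.strip():
            stats["blank"] += 1
        elif is_comment_line(line, language):
            stats["comment"] += 1
        else:
            stats["code"] += 1
    return stats


def format_report(findings: List[Finding]) -> str:
    return "\n".join(f"{f.file}:{f.line} [{f.severity}] {f.rule_id}: {f.message}"
                     for f in findings)


# Constructed sample inputs.
SAMPLE_C = """#include <string.h>
// strcpy(dst, src);   commented out, must not be reported

void copy(char *dst, const char *src) {
    strcpy(dst, src);
}
"""
SAMPLE_JS = """const out = document.getElementById("out");
out.innerHTML = location.hash;
eval(userInput);
"""

if __name__ == "__main__":
    results = scan_source("copy.c", SAMPLE_C, "c") + \
              scan_source("app.js", SAMPLE_JS, "javascript")
    print(format_report(results))
    print(code_stats(SAMPLE_C, "c"))
```

Line-oriented regex matching is exactly why such tools produce false positives: the scanner cannot tell whether the argument to eval or strcpy is attacker-controlled, and a multi-line comment or string containing the pattern still triggers a hit. The comment skip above removes only the most obvious class; anything more needs a real parser and data-flow analysis.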

Configuration & Usage 

The tool is available for download at https://sourceforge.net/projects/visualcodegrepp/ as an MSI installer. After installation, simply select the source code to be analyzed. It is a multi-language scanner; although it produces false positives, its overall results are comparatively better than those of other tools.

Figure 5: Visual Code Grepper pointing out a vulnerability at a particular location.

Conclusion 

Implementing SAST in the initial stages gives a business a big advantage in identifying security vulnerabilities. With many testing tools available, one should be aware of the languages a tool supports and its false positive rate. Some tools, such as LGTM, are open source but require testers to fully understand the QL language, so the implementation process is somewhat lengthy. On the other hand, some tools are no longer updated, and a testing team must be extra cautious when choosing a tool for SAST.