Supported Application Security Testing Tools, Languages and Standards

SAST open-source tools included with both Code Dx Enterprise and Stat!

Brakeman: A widely-used static analysis security tool for Ruby on Rails.

CAT.NET: Helps identify security flaws within a managed code (C#, Visual Basic .NET, J#) application under development. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies.

Checkstyle: A development tool to help programmers write Java code that adheres to a coding standard. It is highly configurable and can be made to support almost any coding standard.

Cppcheck: A static analysis tool for C/C++ code. It detects the types of bugs that compilers normally fail to detect (undefined behaviour, memory and resource leaks, out-of-bounds access) rather than syntax errors.

FindBugs: A static code analysis tool that analyses Java bytecode and detects a wide range of problems.

FxCop: An application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.

Gendarme: An extensible rule-based tool to find problems in .NET applications and libraries. Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET) and looks for common problems with the code.

JSHint: A tool that helps to detect errors and potential problems in JavaScript code, and helps to enforce coding conventions.

OWASP Dependency-Check: An open-source utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.

PHP_CodeSniffer: Tokenizes PHP, JavaScript and CSS files and detects violations of a defined set of coding standards.

PHP Mess Detector (PHPMD): Takes a given PHP source code base and looks for several potential problems within that source, such as bugs, suboptimal code, overcomplicated expressions, and unused parameters, methods and properties.

PMD: A source code analyzer that finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, XML and XSL.

Pylint: A source code bug and quality checker for the Python programming language.

Retire.js: A tool for detecting versions of JavaScript libraries with known vulnerabilities.

Scalastyle: Examines Scala code and indicates potential problems with it. Similar to the Checkstyle application for Java.

SAST open-source tools supported by Enterprise

Android Lint: A static code analysis tool that checks Android project source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility and internationalization.

Clang: A compiler front end for the C, C++, Objective-C and Objective-C++ programming languages. It includes the Clang static analyzer and several code analysis tools.

error-prone: A tool that augments the compiler’s static analysis, catching common Java mistakes as compile-time errors.

Jlint: Checks Java code and finds bugs, inconsistencies and synchronization problems by doing data flow analysis on the code and building the lock graph. Jlint requires no changes in the class files to be checked.

OCLint: A static code analysis tool for improving quality and reducing defects by inspecting C, C++ and Objective-C code and looking for potential problems such as possible bugs, unused code, complicated code, redundant code and bad practices. Runs on Linux and Mac OS platforms.

SAST Commercial tools supported by Enterprise

Armorize CodeSecure: A static source code analysis platform that leverages third-generation software verification technologies to identify web application vulnerabilities throughout development.

Checkmarx: A source code analysis product to automatically scan un-compiled, un-built code and identify security vulnerabilities.

Coverity: Uses static analysis algorithms tailored to each programming language to detect critical defects in source code.

GrammaTech CodeSonar: Static analysis software that analyzes source code and binaries, identifying programming bugs that can result in system crashes, memory corruption, leaks, data races, and security vulnerabilities.

HP Fortify Static Code Analyzer: Scans source code, identifies root causes of software security vulnerabilities and correlates and prioritizes results – giving you line-of-code guidance for closing gaps in your security.

IBM AppScan: Enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance.

Parasoft JTest: Static analysis automatically checks code against hundreds of built-in or custom rules as developers review, add, and modify code.

Parasoft dotTest: Helps prevent, expose, and correct errors to ensure that .NET code (including C#, VB.NET, ASP.NET and Managed C++) works as expected.

Parasoft C++Test: Parasoft's integrated Development Testing solution for C and C++ based applications. It automates a broad range of best practices proven to improve software development team productivity and software quality.

Veracode: A cloud-based service with the speed and scale required to reduce application-layer risk, enterprise-wide; across web, mobile and third-party apps; and across the entire app lifecycle, from code development to IT operations.

WhiteHat Sentinel Source: Scans your entire source code, identifies vulnerabilities, and provides detailed vulnerability descriptions and remediation advice, as well as precise ready-to-implement remediation solutions for particular exposures.

DAST open-source and commercial tools supported by Enterprise

Acunetix: A commercial vulnerability scanner that automatically crawls and scans off-the-shelf and custom-built websites and web applications for SQL injection, XSS, XXE, SSRF, Host Header Attacks and over 500 other web vulnerabilities.

Arachni: A free, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

Burp Suite: A platform for performing security testing of web applications. Available in free and paid versions. Supports the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

HP WebInspect: A commercial tool for testing the dynamic behavior of running web applications and services to identify and prioritize security vulnerabilities. It integrates dynamic and runtime analysis to find more vulnerabilities.

IBM AppScan: A commercial web application and web services penetration testing solution for the security specialist. It provides automated DAST and Interactive Application Security Testing (IAST) of modern web applications and services.

Netsparker: A commercial web application security scanner with support for both detection and exploitation of vulnerabilities. It aims to be free of false positives by reporting a vulnerability only after it has successfully exploited it to confirm the finding.

OWASP ZAP: (Zaproxy) An open-source, easy to use, integrated penetration testing tool for finding vulnerabilities in web applications.

Veracode: A commercially available capability for identifying architectural weaknesses and vulnerabilities in your running web applications. It identifies highly exploitable vulnerabilities such as SQL injection and Cross-Site Scripting. It also finds runtime issues that can't easily be found by looking at code in its offline state via SAST, such as authentication issues, server misconfiguration issues, and vulnerabilities that are only visible when you log in as a known user.

WhiteHat Sentinel Dynamic: A software-as-a-service platform that offers continuous assessment, constantly scanning a website as it evolves to find software weaknesses. It is completely safe for production websites with no performance degradations.

Open source Component Analysis tools supported by both Stat! and Code Dx Enterprise

OWASP Dependency-Check: An open-source utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.

Retire.js: An open-source tool for detecting versions of JavaScript libraries with known vulnerabilities.

Commercial Component Analysis tools supported by Enterprise

Sonatype Nexus: A leading commercial component lifecycle management (CLM) tool that analyzes an application’s open-source components for known vulnerabilities and license violations. This tool helps defend against A9-Using Components with Known Vulnerabilities in the OWASP Top 10.

Veracode Software Composition Analysis: Veracode’s Software Composition Analysis (SCA) builds an inventory of open-source components and identifies vulnerabilities within them.

Contrast Assess: Contrast Assess automatically analyzes third-party libraries as part of its IAST solution.

Commercial Interactive Application Security Testing (IAST) tools supported by Enterprise

Contrast Security Assess: A commercial IAST tool that deploys an intelligent agent that instruments an application to analyze code in real time from within the application. Code Dx Enterprise automatically pulls results from Contrast on a continuous basis without the need to download and upload scan reports.

Supported Languages

C, C++, C#, Java, JavaScript, JSP, PHP, Python, Rails, Ruby, Scala, VB.NET and XML/XSL.

Supported Compliance Requirements and Industry Standards

Health Insurance Portability and Accountability Act (HIPAA) (Enterprise only): United States legislation that provides data privacy and security provisions for safeguarding medical information. The US Department of Health and Human Services (HHS) has established standards by which healthcare organizations must implement secure electronic access to health data and remain in compliance with the privacy regulations set by HHS.

DISA Security Technical Implementation Guides (STIGs) versions 3.1 & 4.0 (Enterprise only): The configuration standards for DoD IA and IA-enabled devices/systems. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

OWASP Top 10: (2013) This web application security document represents a broad consensus about what the most critical web application security flaws are. It provides a list of the 10 most critical web application security risks, and for each risk it provides a description, example vulnerabilities, example attacks, guidance on how to avoid it, and references to OWASP and other related resources.

CWE/SANS Top 25 (Most Dangerous Software Errors): (Version 3.0, June 2011) A list of the most widespread and critical errors that can lead to serious vulnerabilities in software. Software errors are organized into three different categories: Insecure Interaction Between Components, Risky Resource Management and Porous Defenses. Each entry at the Top 25 Software Errors site includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

SEI CERT Secure Code Standards: A collection of secure coding standards for commonly used programming languages such as C, C++, Java, and the Android Platform. These standards are developed through a broad-based community effort by members of the software development and software security communities.

Payment Card Industry Data Security Standard (PCI DSS): (Enterprise only) A standard that applies to all entities that store, process and/or transmit cardholder data and/or sensitive authentication data. It provides a baseline of technical and operational requirements designed to protect account data. It covers technical and operational system components included in or connected to the cardholder data environment.

CLASP (Comprehensive, Lightweight Application Security Process) Vulnerability Lexicon: A comprehensive lexicon of vulnerabilities that helps development teams avoid and/or remediate specific design and coding errors that can lead to exploitable security vulnerabilities. The basis of this Lexicon is a highly flexible taxonomy that enables development teams to quickly locate Lexicon information from many perspectives.

SFP (Software Fault Patterns): Developed by KDM Analytics, it is a specification of software weaknesses/vulnerabilities that enables automation. The SFP is targeted at preventing cyber-attacks by collecting and managing knowledge about exploitable weaknesses and building more comprehensive prevention, detection and mitigation solutions.

WASC (Web Application Security Consortium) Threat Classification v2: A cooperative effort to clarify and organize the threats to the security of a web site. WASC members created the project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors and compliance auditors have the ability to access a consistent language and definitions for web security related issues.

7PK (Seven Pernicious Kingdoms): A taxonomy of Software Security Errors that can help software developers and security practitioners understand the common coding mistakes that affect security. The goal is to help developers avoid making these mistakes and more readily identify security problems whenever possible.