Static Code Analysis Tools for Bulletproof Software Security

Written by

Software security is no longer just anti-virus and firewalls. The cloud today offers plenty of excellent options for software developers to increase user reach and availability, yet while these options are beneficial for marketing and revenue, they create many more possibilities for security holes.

Manual security reviews are useful, but humans are humans after all, and they just aren't capable of finding every security hole within a large or even midsize application.

The Importance of Security – Right From the Start

Penetration tools find security holes after the application is deployed, but the right way to perform security checks and balances is at the start – while the code is developed. With smaller applications, a quick pen test with human reviews could be enough to verify security. With larger applications, this type of review doesn’t cover all possibilities.

Static application security testing (SAST) is the most cost-effective way to secure code. It’s implemented during the software development life cycle, so developers and stakeholders know of security risks before the code is even deployed. These analysis tools determine risks associated with an application without actually executing any code.

These tools perform a number of analysis techniques including data, control flow, taint and lexical. Each analysis technique is used to abstract different results to identify if there are any common security holes. They check for certain threats such as SQL Injection and buffer overflows, which would otherwise go undetected by standard human review.

Consider this Before Finding Static Tools

The first consideration is that these tools are dependent on language. The language you use (C++, C, Python, PHP, etc.) determines the analysis tool that you can use. Some languages are more linear while others are object-oriented (OOP). The tool must be able to “read” OOP if it’s the coding structure.

You also should look into the type of threats it can discover. For instance, a cloud application is vulnerable to outside threats such as DDoS or SQL injection. While these threats could technically affect an internal application, it’s much less likely. Internal threats from employees are much more subtle (usually) and require different types of penetration testing including LDAP injection, brute force or buffer overflows. Some of these threats overlap between cloud and internal applications, but the analysis tool you choose should be able to cover the most common threats for your application.

Integration into the developer’s IDE is also important, so it must support development tools. Each development team has its own list of preferences, but certain environments use standard IDEs. For instance, a C# developer uses Visual Studio, so the analysis tool must integrate into it.

A Few Tools to Get You Started

According to this list by static code analysis tools provider Checkmarx, there are dozens of tools on the market, and the best way to secure your application is to combine these tools with a human review. Why? Because while these tools can find most problems, they can sometimes return false positive or false negatives that a human reviewer would actually catch.

Checkmarx CxSAST – This tool is all-encompassing for several languages and IDEs. It supports Java, C#, PHP, Python, Ruby, C++ and JavaScript just to name a few. It can find dozens of security holes including XSS, SQL injection, impersonation, frame spoofing and buffer overflows.

Luacheck – Luacheck is an open source static analysis for Lua code. It’s very lightweight and available on Git. Since it’s only meant for Lua code, it’s only beneficial for organizations that implement Lua into automation and development.

.NET Compiler Platform – This analysis tool is useful for .NET developers. It’s probably the most common for Visual Studio and .NET. Its code name is Roslyn, and it integrates well with any Microsoft development environment.

Jtest – For Java developers, Jtest automates several security tests within Java IDEs. It also supports C, C++, and .NET. This tool has several analysis benefits that serve teams of developers including a peer review framework.

Google Closure – Google is the king of cloud applications and environments. Since they push client-side Angular, they offer developers tools to analyze JavaScript. The Closure tool is a JavaScript optimizer and analysis tool mainly for cloud developers.

Obviously, it's a big mistake to develop software without security in mind. These static application security testing tools can make your software nearly impenetrable, just don't forget to add some human touch to the mix.

What’s hot on Infosecurity Magazine?