Just as having a larger family inevitably results in more children forgotten at swim practice, the bigger your software project, the harder it becomes to find every bug, security vulnerability and logic flaw. In-house enterprise developer teams can become overwhelmed by the number of branches in a project, and bugs can go unnoticed until the worst possible time: when software is released to the public. There is a solution to this problem, however: static code analysis security tools. Read on to find out what they are, why you need them and which ones you should check out.
A Necessary Innovation
Software development has obviously survived for decades without these tools, so you might quietly ask yourself why you should bother investing in them. But while software development has survived, the software development of the 80s would be largely unrecognizable compared to software development today. Enterprise software has grown exponentially since those days of early development. Now, it’s beyond common to have several developers working in different modules deploying applications for millions of users. This leaves you needing some way to gain control of potential bugs that could easily go overlooked with so many hands in the pot. That’s where static code analysis security tools come in, as they automate much of the process for you. Typically, it’s developers that use these tools, but you could also have your quality assurance people run them against currently developed software.
A Major Time- and Headache-Saver
What makes static code analysis tools different from other security tools is that they run while code is being developed. They don’t compile or execute the code. Rather, they run against the software source to identify security vulnerabilities as developers are working. This sets them apart from standard scanning scripts, which are designed to run against compiled, deployed code to find vulnerabilities in fully completed applications. Standard scripts are useful, but what if they find a security flaw in a critical module of the software? Your software developers will be forced to redesign, refactor and rebuild critical parts of the application. It’s much more efficient to identify critical security flaws before too much code depends on the vulnerable module. Think of it like tasting a pan of brownies fresh out of the oven only to discover that they’re bitter. It would’ve been much nicer to know during the baking process that you’d forgotten the sugar.
Shopping for the Right Tools
Leading application security solutions provider Checkmarx lists several highly reputable security testing tools on the market – but before you decide to buy anything, you need to ask yourself (or your developers) a few questions.
- Does the tool support your developer’s language?
- Does the tool find the most common threats in the wild?
- Will it be easy to learn for busy developers with deadlines?
- Does it work with your development IDE?
- Can you integrate it with other tools?
- Do the tool’s developers offer any support for your developers?
- What is the ratio of real vulnerabilities to false positives in the tool’s findings?
With these questions in mind, just remember that any one tool can’t do everything for you. Your developers must actively code with vulnerabilities in mind and always use the best security standards in code design. With that said, here are a few tools to consider for your development team:
VisualCodeGrepper
This tool supports multiple languages including C++, C#, VB, PHP and Java. It’s a good tool if you have developers working in multiple languages. It’s also the only one on this list that supports Visual Studio, which is Microsoft’s proprietary tool for Windows development.
OWASP LAPSE+
Java is the foundation language for Android, so this tool works well in a Java environment for desktop, web, or mobile.
RIPS
RIPS is a tool designed for PHP applications. PHP is one of the leading languages for web applications, so it’s also an attractive target for hackers, making this a pretty necessary tool.
Flawfinder
C and C++ software is especially prone to security issues because these low-level languages give the programmer direct, unchecked access to memory and hardware. Flawfinder is one tool that can be used with these development projects.
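To make concrete what a tool like Flawfinder does when it “runs against the source without compiling it”, and why the false-positive question from the checklist above matters, here is a small source scanner in the same spirit. It is an added example written for this article, not Flawfinder’s code or ruleset: the rule table, the risk scores and the C sample it scans are all constructed for illustration. It blanks out comments and string literals before matching, then compares its findings with what a plain text search over the same file would report.

```python
import re
from dataclasses import dataclass

# Rule table, constructed for this example in the spirit of Flawfinder's
# ruleset (not copied from it): C function -> (risk 1-5, why, safer choice).
RULES = {
    "gets":    (5, "reads input with no length limit", "fgets"),
    "strcpy":  (4, "copies with no destination bound", "strlcpy or snprintf"),
    "strcat":  (4, "appends with no destination bound", "strlcat or snprintf"),
    "sprintf": (4, "formats into a buffer with no bound", "snprintf"),
    "system":  (4, "hands a string to the shell", "execve with a fixed argv"),
}

# A call is: word boundary, rule name, optional spaces, "(".  The \b keeps
# strncpy or my_strcpy from matching the strcpy rule.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')   # double-quoted C string literal


@dataclass
class Finding:
    line_no: int
    func: str
    risk: int
    reason: str
    fix: str
    text: str


def code_only_lines(source: str):
    """Yield (line_no, text) with block/line comments and strings blanked.

    /* ... */ is tracked across lines.  Single-quoted char literals are left
    alone, a known simplification of this example scanner."""
    in_block = False
    for line_no, raw in enumerate(source.splitlines(), 1):
        code, i = "", 0
        while i < len(raw):
            if in_block:
                end = raw.find("*/", i)
                if end == -1:
                    break
                i, in_block = end + 2, False
            else:
                start = raw.find("/*", i)
                if start == -1:
                    code += raw[i:]
                    break
                code += raw[i:start]
                i, in_block = start + 2, True
        code = STRING_RE.sub('""', code)   # blank strings before looking for //
        code = code.split("//", 1)[0]
        yield line_no, code


def scan_source(source: str) -> list[Finding]:
    """Static scan: flag risky calls in real code, highest risk first."""
    findings = []
    for line_no, code in code_only_lines(source):
        for m in CALL_RE.finditer(code):
            func = m.group(1)
            risk, reason, fix = RULES[func]
            findings.append(Finding(line_no, func, risk, reason, fix, code.strip()))
    return sorted(findings, key=lambda f: (-f.risk, f.line_no))


def naive_hit_count(source: str) -> int:
    """Same pattern over the raw text: what a plain grep would report."""
    return sum(len(CALL_RE.findall(line)) for line in source.splitlines())


def precision(source: str) -> float:
    """Share of naive hits that survive comment/string filtering (treats the
    filtered findings as the true positives, good enough for this sample)."""
    naive = naive_hit_count(source)
    return len(scan_source(source)) / naive if naive else 1.0


# Constructed C sample: two real defects, plus two decoy mentions that a
# text search would also report (a comment and a string literal).
SAMPLE = r"""#include <stdio.h>
#include <string.h>
/* legacy helper: strcpy(dst, src) was replaced below */
void copy_name(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n - 1);   /* strncpy is not in the rule table */
    dst[n - 1] = '\0';
}
int main(void) {
    char buf[64];
    char line[128];
    gets(line);                 // flagged: unbounded read
    strcpy(buf, line);          // flagged: unbounded copy
    printf("use strcpy() carefully\n");  // a mention inside a string literal
    return 0;
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: {f.func}() risk {f.risk}: {f.reason}; prefer {f.fix}")
    print(f"naive hits: {naive_hit_count(SAMPLE)}, after filtering: {len(scan_source(SAMPLE))}")
```

On the constructed sample the plain text search reports four hits while the scanner reports two, the `gets` and `strcpy` calls on lines 11 and 12; the comment on line 3 and the string on line 13 are the kind of noise that drives the vulnerability-to-false-positive ratio, and a real tool adds data-flow reasoning on top of this to cut it further.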
Brakeman
Ruby is on the fast track to becoming a common language for developers, and Brakeman is an excellent tool for Ruby on Rails designers and developers.
Even if you already have software deployed on the market, these static code analysis tools are essential for future development. They can be run in current code environments to catch existing coding flaws, or new ones introduced during enhancement projects. So, let those development projects get massive and unwieldy, because with static code analysis tools it can be handled. It’s not like leaving your second kid standing alone in the park holding his t-ball bat. That’s going to cost you an ice cream cone.
About the Author: Ben Campbell is an accomplished, experienced freelance writer and web security expert who has featured in a number of high profile publications and websites. If he’s not writing about protecting your website you’ll find him listening to live music or at the coast surfing.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.