What open source Static Application Security Testing (SAST) tools can be used for ISO control A.14.2.1, Secure development policy?
Two complementary methodologies are used when testing application code for security vulnerabilities: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). SAST analyzes the application's source code (or compiled bytecode) without executing it, looking for vulnerable patterns such as unvalidated input reaching a dangerous function. Because it needs no running system, it can be applied at the earliest stages of the SDLC, as soon as code is written. However, some classes of weakness, such as authentication and authorization logic flaws or other business-logic errors, are generally not found by automated SAST tools, since they depend on what the application is meant to do rather than on a recognisable code pattern; those still need manual code review, threat modelling or DAST.
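To make the "analyzed without being executed" point concrete, here is a small SAST-style checker written for this article; it is an added example, not code from any of the tools listed on this page. It parses Python source into an abstract syntax tree and flags `execute()`-style calls whose first argument is built by string concatenation or formatting, which is the classic SQL injection pattern. The sample source it scans is constructed for the example; the `Finding` type, `SINK_NAMES` and the helper names are this example's own assumptions.

```python
"""Minimal SAST-style checker (example code for this article).

It never runs the code under test: it parses it with the standard-library
`ast` module and walks the tree looking for database execute() calls whose
query text is assembled dynamically.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input for the example (not from any real project).
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    # vulnerable: user input concatenated into the query text
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    # safe: parameter passed separately, the driver handles quoting
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def delete_user(conn, user_id):
    # vulnerable: f-string interpolation
    conn.execute(f"DELETE FROM users WHERE id = {user_id}")

def list_users(conn):
    # static query text, no user input: must not be flagged
    return conn.execute("SELECT id, name FROM users").fetchall()
'''

# Method names treated as SQL sinks (assumed set for this example).
SINK_NAMES = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    line: int     # line number inside the scanned source
    func: str     # enclosing function name
    reason: str   # why the query text is considered dynamic


def _dynamic_sql_reason(node: ast.expr) -> Optional[str]:
    """Return a reason string if `node` builds a string at run time, else None."""
    if isinstance(node, ast.JoinedStr):                 # f"..." literal
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"                   # "..." + x
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"                           # "..." % x (heuristic)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"                           # "...".format(x)
    return None                                         # literal or other expr


class _SqlSinkVisitor(ast.NodeVisitor):
    """Visit every call; remember which function we are inside for reporting."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self._func = "<module>"

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        outer, self._func = self._func, node.name
        self.generic_visit(node)
        self._func = outer

    def visit_Call(self, node: ast.Call) -> None:
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_NAMES and node.args):
            reason = _dynamic_sql_reason(node.args[0])
            if reason is not None:
                self.findings.append(Finding(node.lineno, self._func, reason))
        self.generic_visit(node)          # keep walking nested calls


def scan_source(source: str) -> List[Finding]:
    """Parse `source` (never executed) and return dynamic-SQL findings in order."""
    visitor = _SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.func}(): dynamic SQL via {f.reason}")
```

Running the block reports `find_user` (concatenation) and `delete_user` (f-string) and stays silent on the parameterised and static queries, which is exactly the developer-facing feedback a SAST tool gives before anything is deployed. It also shows the limits mentioned above: the checker only matches patterns at the sink, so a query built into a variable two lines earlier would need the data-flow tracking that real tools add, and a route handler that simply forgets to check the caller's identity produces no pattern at all for it to match.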
ADVANTAGES OF SAST METHODOLOGY
There are several advantages to static testing of source code:
- It identifies vulnerabilities at an early stage of the SDLC, before the code is built, deployed or exposed to users.
- A vulnerability found during development is far cheaper to fix than one found in testing or, worse, in production.
- It reinforces secure coding, because findings go straight back to the developer who wrote the code while the change is still fresh and the development phase is still open.
- SAST tools can scan an entire code base thoroughly and far faster than a manual code review can, although their findings still need triage, since they produce false positives and miss logic flaws.
To support ISO/IEC 27001:2013 Annex A control A.14.2.1, Secure development policy, which requires that rules for secure software development be established and applied, a SAST tool fitting the programming languages in use can be integrated into the development process. OWASP maintains a list of source code analysis tools; some of the open source entries are shown in the table below, together with the language or framework each one covers. Note that the OWASP list also contains commercial products (for example, CodeSonar is a commercial analyzer), so licensing should be checked before a tool is adopted under the policy.
| Tool name | Platform (where the tool runs) | Programming language / framework supported |
|---|---|---|
| .NET Security Guard (now maintained as Security Code Scan) | Windows | .NET: C#, VB.NET |
| APIsecurity | Online | Online analysis of OpenAPI definitions |
| Brakeman | Wherever Ruby runs (Linux, macOS, Windows) | Ruby on Rails applications |
| CodeSonar (commercial) | Windows | C, C++, Java |
| Dawnscanner | Wherever Ruby runs (Linux, macOS, Windows) | Ruby, Ruby on Rails, Padrino, Sinatra |
| Deep Dive | Windows | Bytecode analysis; supports Java applications |
| Enlightn | Wherever PHP runs | Laravel PHP applications |
| Find Security Bugs (plugin for SpotBugs, formerly FindBugs) | Any JVM | Java, Scala, Groovy |
| FindBugs (no longer maintained; superseded by SpotBugs) | Any JVM | Java programs (bytecode) |
- OWASP, Source Code Analysis Tools, https://owasp.org/www-community/Source_Code_Analysis_Tools