What Static Source Code Testing (SAST) open source Tools can be used for the ISO Control A

Note: CVSS score 8.8(for databases) and 9.8(WebLogic servers).

Main Hero Image

What Static Source Code Testing (SAST) open-source Tools can be used for the ISO Control A.14.2.1 Secure development policy?

While testing for security vulnerabilities in the application code, there are two types of testing methodologies used. One is Static Application Security Testing (SAST) and the other is Dynamic Application Security Testing (DAST). SAST is the type of testing in which application source code is analyzed without being executed in order to find vulnerabilities in it. The approach is useful in identifying vulnerabilities at the early stage of SDLC. However, some vulnerabilities like Authentication issues can’t be identified with automated SAST tools.


There are several advantages of performing static testing of source code.

  • It helps to identify vulnerabilities at an earlier stage of SDLC.
  •  It is less expensive to fix vulnerabilities.
  • It ensures secure coding since vulnerabilities are discovered within the Development phase.
  • SAST tools can scan source code thoroughly and at a much faster pace than manual code reviews.

To fulfill the requirement of ISO 27001 for Control A.14.2.1 – Secure Development Policy, there are several open-source SAST testing tools depending on the programming language used. Some of the open source tools recommended by OWASP are shown in the table below.

Tool Name Platform Programming Language Supported
.Net Security Guard Windows .Net, C#, VB.net
APIsecurity Online Online tool for OpenAPI
Agnitio Windows ASP, ASP.net, C#, Java, JavaScript, Perl, PHP, Python, Ruby, VB.Net, XML
Bandit Linux Python
RIPS Windows/Linux PHP
Brakeman Linux/Windows Ruby on Rails applications
CodeSec Windows C, C++, C3, Java, Javascript, PHP, Kotlin, Lua
CodeSonar Windows C, C++, Java
Coverity Windows Android, C#, C, C++, Java, Javascript, Node.js, Objective-C, PHP, Python, Ruby, Scala, Swift, VB.Net
Dawnscanner Linux/Windows Ruby, Ruby on Rails, Padrino, Sinatra
Deep Dive Windows Byte code analysis tool. Supports Java applications
DevBug Windows PHP
Englightn Windows Laravel PHP applications
Find Security Bugs Windows Java, Scala, Groovy
Find Bugs Windows Java Programs
Flawfinder Windows C, C++
Graudit Linux Python


OWASP recommended SAST tools,