Note: CVSS score 8.8 (for databases) and 9.8 (WebLogic servers).
When testing application code for security vulnerabilities, two methodologies are used: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). SAST analyzes the application's source code (or, for some tools, its bytecode or binaries) without executing it, looking for vulnerable code patterns. Because it needs no running deployment, it can be applied early in the SDLC, as soon as code is written, and it points to the exact file and line that needs fixing. Its limits matter just as much: automated SAST tools match patterns in code, so they cannot identify flaws that depend on intended behaviour, such as missing authentication or authorization checks and other business-logic issues, and they produce false positives that must be triaged by hand. DAST, by contrast, exercises the running application from the outside and finds only what is reachable at runtime, so the two approaches complement each other.
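As an added example (not code from this page, from Bandit or from any other tool in OWASP's list), the following Python script shows what a pattern-based static check actually does: it parses source into an abstract syntax tree, never executes it, and reports a handful of well-known dangerous constructs. It also shows the limitation described above: the `delete_user` function in the constructed sample is missing an authorization check, a real flaw, but nothing in it is syntactically dangerous, so the scanner stays silent. The rule IDs, the `Checker`/`Finding`/`scan_source` names and the sample source are all assumptions made up for this illustration.

```python
# Added example: a minimal AST-based static check in the spirit of Bandit.
# Not Bandit's own code; rule IDs (SAST00x), class and function names and the
# SAMPLE source below are made up for the illustration.
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


# Hypothetical rule IDs for this example (not Bandit's B-codes).
DANGEROUS_CALLS = {
    "eval": "SAST001",
    "exec": "SAST001",
    "pickle.loads": "SAST003",
    "yaml.load": "SAST004",
}
SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key")


def _dotted_name(node: ast.Call) -> str:
    """Render the callee as dotted text, e.g. 'subprocess.call'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(DANGEROUS_CALLS[name], node.lineno, f"call to {name}()"))
        # Command-injection sinks: os.system(), or any subprocess.* call with shell=True.
        if name == "os.system":
            self.findings.append(Finding("SAST002", node.lineno, "os.system() call"))
        elif name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("SAST002", node.lineno, f"{name}() with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Hardcoded credential: a credential-like variable name bound to a non-empty string literal.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_HINTS):
                    self.findings.append(Finding("SAST005", node.lineno, f"hardcoded credential in {target.id}"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse source (never executing it) and return findings ordered by line."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample input, not real project code.
SAMPLE = """\
import subprocess, pickle

DB_PASSWORD = "hunter2"

def run_report(name):
    subprocess.call("gen_report " + name, shell=True)

def load_session(blob):
    return pickle.loads(blob)

def delete_user(request, user_id):
    # No check that the caller may delete this user: a real flaw, but nothing
    # here is syntactically dangerous, so a pattern-based scanner stays silent.
    db.execute("DELETE FROM users WHERE id = %s", (user_id,))
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding.line}: {finding.rule} {finding.detail}")
```

Running it reports the hardcoded password (line 3), the `shell=True` subprocess call (line 6) and the `pickle.loads` deserialization (line 9), and nothing for `delete_user`. Real tools add data-flow (taint) tracking to cut false positives, for example by only flagging `shell=True` when the command string is derived from untrusted input, but the missing authorization check stays invisible to them for the same reason it is invisible here.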
ADVANTAGES OF SAST METHODOLOGY
There are several advantages of performing static testing of source code.
Static analysis also supports the ISO/IEC 27001:2013 control A.14.2.1 (Secure development policy), which requires that security be built into the development process. Several SAST tools, many of them open source, are available depending on the programming language used. Some of the tools listed on OWASP's Source Code Analysis Tools page are shown in the table below; note that OWASP lists tools without endorsing them, and that the list mixes free and commercial products (CodeSonar and Coverity, for example, are commercial).
Tool Name | Platform | Programming Languages Supported |
---|---|---|
.NET Security Guard (renamed Security Code Scan) | Windows | .NET: C#, VB.NET |
APIsecurity.io | Online | OpenAPI (Swagger) API definitions, not source code |
Agnitio | Windows | ASP, ASP.NET, C#, Java, JavaScript, Perl, PHP, Python, Ruby, VB.NET, XML |
Bandit | Cross-platform (Python tool) | Python |
RIPS | Windows/Linux | PHP |
Brakeman | Cross-platform (Ruby gem) | Ruby on Rails applications |
CodeSec | Windows | C, C++, C#, Java, JavaScript, PHP, Kotlin, Lua |
CodeSonar (commercial) | Windows | C, C++, Java |
Coverity (commercial; free Coverity Scan for open-source projects) | Windows | Android, C#, C, C++, Java, JavaScript, Node.js, Objective-C, PHP, Python, Ruby, Scala, Swift, VB.NET |
Dawnscanner | Cross-platform (Ruby gem) | Ruby, Ruby on Rails, Padrino, Sinatra |
Deep Dive | Windows | Java applications (bytecode analysis) |
DevBug | Windows | PHP |
Enlightn | Cross-platform (Laravel package) | Laravel PHP applications |
Find Security Bugs (SpotBugs/FindBugs plugin) | Windows | Java, Scala, Groovy |
FindBugs (unmaintained; superseded by SpotBugs) | Windows | Java |
Flawfinder | Cross-platform (Python tool) | C, C++ |
Graudit | Linux (Bash script) | Multiple languages via per-language signature sets (ASP, C, Java, JavaScript, Perl, PHP, Python, Ruby, among others) |
Reference:
OWASP Source Code Analysis Tools, https://owasp.org/www-community/Source_Code_Analysis_Tools