DEV Community

Cover image for Comparing Popular Static Application Security Testing (SAST) Tools
Jin Vincent Necesario
Jin Vincent Necesario

Posted on

Comparing Popular Static Application Security Testing (SAST) Tools

Introduction

Many organizations require thorough consideration when selecting a Static Application Security Testing (SAST) tool, as most of these tools are unique in some ways. That's why in this article, we'll try to see and evaluate some of the known SAST tools in the market today. Moreover, don't be confused with source code analysis tools. It is also referred to as SAST tools as it helps you analyze source code or compiled versions of your codebase to help you fix security issues.

Background

Organizations have different criteria when selecting a SAST tool, and of course, it should support the technology stack of your current organization or team. However, we won't be covering how the organization selects its SAST tool, but to help you, we can at least give some selection criteria by answering the following questions:

  • Is it easy to set up and use?
  • Does it fully support the technology stack, framework, and libraries your developers are using?
  • Can it be fully integrated into the developer's IDE?
  • What are the types of vulnerabilities it can detect, and what mitigation steps it provides?
  • Can it be fully integrated into the CI/CD pipelines of the organization?
  • Will it perform well with our current tools and make us more productive?

As you can see, these criteria, which are questions based, are vital when selecting a SAST tool. Answering these questions is recommended, and understanding the robust features of a certain SAST helps you quickly choose the best tool that fits your organization. Let's now start showing you some SAST tools and elaborate on their unique features and how it shines from competitors in the market.

Klocwork

Klocwork
Klocwork is a SAST tool built to scale on any project's sizes. It can be integrated into a large and complex environment, a wide range of developer tools, and provides controls and collaboration. Moreover, developers love coding standards, and Klocwork offers a wide range of coding standards to comply with different languages such as C, C++, C#, and Java. These sets of coding standards are community-driven, which can also be configured by the team of developers.

If your organization needs a tool with world-class recognition and is highly dependable, Klockwork has industry safety standards and certifications: CWE, OWASP, and CERT, to name a few. Itโ€™s also designed for developers, which means it wonโ€™t confuse your dev team or impede their work. Instead, it intends to integrate seamlessly with the dev process.

What is unique about Klocwork?

Klocwork stands out because it is highly scalable and because its server-client build feature allows total collaboration to the entire team members. Moreover, it reduces the time for code development, and it is a time saver because of its on-the-fly analysis (much like a word processor does when checking spelling mistakes) and pre-check-in and post-check-in analysis. If everything is correctly set up and choosing a coding standard backed by a community that can be combined with internal standards gives more quality to the product produced by the team.

SonarQube

SonarQube

SonarQube is an open-source platform developed by SonarSource for continuous checking of code quality. It supports 25+ major programming languages with built-in rulesets, which can be extended with various plugins available.

SonarQube comes with four editions: the community, developer, enterprise, and datacenter editions. So, if you're starting out with no too little budget, you can try community or developer edition. And, of course, organizations can choose between enterprise and datacenter editions.

The community edition provides static code analysis for around 15+ languages, including Java, JavaScript, C#, TypeScript, Kotlin, Ruby, Go, Python, PHP, HTML, CSS, etc. It has code vulnerability and bug detection, can track code smells, review technical debt with remediations, and offer code quality and metrics. It can be integrated with CI/CD and extensible community plugins. The developer edition has all the community edition features, plus you can use it with GitHub, GitLab, Bitbucket, and Azure DevOps.

What is unique about SonarQube?

SonarQube stands out as a "Continuous Code Quality" tool because it provides the overall health of your codebase, and significantly it shows and highlights issues found on the new code. Moreover, as it behaves as a quality gate, you'll fix the leak immediately and improve yourself and your code as you progress with your project.

Codacy

Codacy
Codacy helps a team of developers in their code reviewing and code quality monitoring. It is a helpful tool when identifying security issues and providing your code quality in the process. Moreover, its interface, such as dashboard (organization, project, and personal), charts, hot spots, and pull requests, gives you enough information about the code you are running; it helps you identify your project's quality and progress over time. When your organization or team incorporates Codacy with GitHub, GitLab, or Bitbucket, it can help you maintain your codebase quality and ensure updates aren't going to compromise the integrity of your project. Thanks to Codacy's static code analysis that provides quicker notification to the rest of the group about code coverage, security problems, code duplication, and code complexity.

What is unique about Codacy?

Codacy stands out as an "Automated Code Review Platform" because of an essential part of any development workflow. Developers spend more than 20 percent of their time reviewing code to catch bugs as early as possible and ensure quality. The Codacy part of the developer's workflow helps developers optimize by an estimated 30 percent of their code review time.

HCL AppScan

HCL AppScan
HCL AppScan (formerly IBM) is a SAST tool that focuses on web application testing during the development process, intending to find security issues, bugs, and glitches before code can be committed to production environments. Therefore, HCL AppScan reduces the risk of web application attacks and data breaches before going live to production. However, it is not free compared to other market vendors. Still, it offers a free 30-day trial to allow us, purchasers, to see how AppScan can benefit many organizations. HCL offers cloud, enterprise, and standard editions, and in any of these editions, organizations can run vulnerability checking tests that automatically hunt down any code vulnerabilities. Once these vulnerabilities are found, HCL AppScan creates a related report in a detailed manner to remedy the issues found.

What is unique about HCL AppScan?

HCL AppScan stands out because of its low rate of false positives, which directly translates into a time saver for the team of developers. It is also good to point out that the automated crawler of HCL AppScan identifies all URL performs deep security tests. Therefore, this gives developers and testers rich test cases, which ensures good coverage in security testing.

Conclusion

In this post, we have seen some of the SAST tools that I'm pretty familiar and exposed with, and hopefully, it was informative. Let me know if I miss something or if you have any suggestions by commenting on the comment section below to update this article in the future continuously.

I hope you have enjoyed this article, as I have enjoyed writing it. Stay tuned for more. Until next time, happy programming! Thanks.

Top comments (4)

Collapse
 
phlash profile image
Phil Ashby

Thanks Jin, a nice selection of tools with varying focus. Back in the in 2000s my colleagues & I conducted a survey of available SAST tools, and settled on Klocwork for it's easy integration to existing build systems and wide language support, as we were providing a SAST consultancy service within BT to internal and 3rd party development teams and did not have the budget for Fortify360 :) We also used a number of open source tools from this list: en.wikipedia.org/wiki/List_of_tool... and investigated the 'weird one' that is Veracode (en.wikipedia.org/wiki/Veracode), the only binary-based offering at the time. Unfortunately Veracode insisted on (they may still insist on) having us ship binaries to them, which did not suit a lot of internal / sensitive development in a large telco, so we never got to try it.

Collapse
 
andreidascalu profile image
Andrei Dascalu

Wide language support? You mean C family and Java? Lol.

Collapse
 
phlash profile image
Phil Ashby

Fair point when you look at current tools (such as SonarQube - in use in my last position), but compared to the available single language tools (eg: checkstyle) and the multiple flavours of C/C++, Java, and early C# (remember this was 15 years ago) that were in use for telecoms software it was a reasonable fit, and meant that my team didn't have to learn how to effectively use multiple tools in a consultancy environment. We also found that it produced fewer false positives from the start compared to other more expensive tooling.

Collapse
 
nipun-bearer profile image
Nipun Gupta

Would love to get your thoughts on our benchmark comparison of modern SAST tools here - bearer.com/blog/benchmarking-top-s...