DEV Community

Discussion on: Comparing Popular Static Application Security Testing (SAST) Tools

Phil Ashby

Thanks Jin, a nice selection of tools with varying focus. Back in the 2000s my colleagues & I conducted a survey of available SAST tools, and settled on Klocwork for its easy integration into existing build systems and wide language support, as we were providing a SAST consultancy service within BT to internal and 3rd party development teams and did not have the budget for Fortify360 :) We also used a number of open source tools from this list: en.wikipedia.org/wiki/List_of_tool... and investigated the 'weird one' that is Veracode (en.wikipedia.org/wiki/Veracode), the only binary-based offering at the time. Unfortunately Veracode insisted on (they may still insist on) having us ship binaries to them, which did not suit a lot of internal / sensitive development in a large telco, so we never got to try it.

Andrei Dascalu

Wide language support? You mean C family and Java? Lol.

Phil Ashby

Fair point when you look at current tools (such as SonarQube, in use in my last position), but compared to the available single-language tools (e.g. checkstyle) and the multiple flavours of C/C++, Java, and early C# (remember this was 15 years ago) that were in use for telecoms software, it was a reasonable fit, and meant that my team didn't have to learn how to effectively use multiple tools in a consultancy environment. We also found that it produced fewer false positives from the start compared to other more expensive tooling.