Ein „Audit“ impliziert naturgemäß, dass eine dritte Partei außerhalb der funktional verantwortlichen Partei eine unabhängige Bewertung einer Sache vornimmt. Ein Sicherheitsaudit wäre also eine externe Partei, die dies tut. Sicherheitstests könnten für Entwicklung/Penetration/Grenzen/Audit/etc. sein.
Im Allgemeinen würde ich hoffen, dass die durchgeführten Sicherheitstests mit dem übereinstimmen, worauf die Sicherheitsüberprüfung abzielt. Normalerweise ist ein Audit dazu da, die Genehmigung zu bestätigen und die Konsistenz in Bezug auf die Sicherheit zu wahren. Deshalb werden regelmäßig Sicherheitsaudits durchgeführt, um sicherzustellen, dass die Sicherheit des Systems/der Anwendung durch entsprechende Patches und Upgrades gewährleistet ist.
Wenn ihr spezifischere Begriffe wie Penetrationstests, Schwachstellenbewertung und verschiedene andere anerkannte Zertifizierungen für die Anwendungssicherheit verwendet, könnten die Nuancen dieser Unterschiede herausgearbeitet werden.
Unterschiede zwischen Sicherheitsaudits und Sicherheitstests
- Ein Sicherheitsaudit wird durchgeführt, um nach Sicherheitsschwachstellen in den Sicherheitsprozessen und der Infrastruktur eines Unternehmens zu suchen, während Sicherheitstests einen eher technischen Schwerpunkt haben.
- Bei der Sicherheitsüberprüfung wird etwas getestet, das sich nur schwer direkt überprüfen lässt (ändern sich die Passwörter regelmäßig?), während Sicherheitstests normalerweise einen direkten Ansatz verfolgen (ist ein Passwort zu schwach?).
Sicherheitsaudit und Sicherheitstests haben auch etwas gemeinsam
- Sie haben denselben Zweck, nämlich die Aufdeckung von Schwachstellen.
- Für einige Unternehmen können Sicherheitstests Teil eines Sicherheitsaudits sein.
- Ein Sicherheitsaudit ist entweder ein einmaliges oder ein seltenes, aber geplantes Ereignis, z. B. jährlich oder vierteljährlich, und wird oft zur Einhaltung von Vorschriften durchgeführt. Es kann auch erforderlich sein, dass eine andere Gruppe als diejenige, die die Software und die dazugehörigen Sicherheitstests schreibt, sie durchführt.
- Sicherheitstests sind eine ständige, fortlaufende Praxis, die idealerweise bei jeder Änderung der Software als Teil der Anwendungsentwicklung und/oder als Teil des Codes, der Sicherheitsaspekte wie Authentifizierung und Autorisierung behandelt, durchgeführt wird.
Security Audit Tools
Tools zum Scannen von Schwachstellen (DAST)
Schwachstellen-Scanner für Webanwendungen sind automatisierte Tools, die Webanwendungen – normalerweise von außen – auf Sicherheitslücken wie Cross-Site-Scripting, SQL Injection, Command Injection, Path Traversal und unsichere Serverkonfiguration untersuchen. Diese Kategorie von Tools wird häufig als Dynamic Application Security Testing (DAST) Tools bezeichnet. Es gibt eine große Anzahl kommerzieller und Open-Source-Tools dieser Art, und alle diese Tools haben ihre eigenen Stärken und Schwächen. Wenn ihr euch für die Effektivität von DAST-Tools interessier, solltet ihr euch das OWASP Benchmark-Projekt ansehen, das die Effektivität aller Arten von Tools zur Erkennung von Sicherheitslücken, einschließlich DAST, wissenschaftlich misst.
Hier finden Sie eine Liste der derzeit auf dem Markt erhältlichen Tools zum Scannen von Sicherheitslücken.
| Name/Link | Owner | License | Platforms | Note |
|---|---|---|---|---|
| Abbey Scan | MisterScanner | Commercial | SaaS | |
| Acunetix | Acunetix | Commercial | Windows, Linux, MacOS | Free (Limited Capability) |
| App Scanner | Trustwave | Commercial | Windows | |
| AppCheck Ltd. | AppCheck Ltd. | Commercial | SaaS | Free trial scan available |
| AppScan | HCL Software | Commercial | Windows | |
| AppScan on Cloud | HCL Software | Commercial | SaaS | |
| AppSpider | Rapid7 | Commercial | Windows | |
| AppTrana Website Security Scan | AppTrana | Free | SaaS | |
| Arachni | Arachni | Free | Most platforms supported | Free for most use cases |
| Astra Security Suite | Astra Security | Free | SaaS | Paid Option Available |
| Beagle Security | Beagle Security | Commercial | SaaS | Free (Limited Capability) |
| beSECURE (formerly AVDS) | Beyond Security | Commercial | SaaS | Free (Limited Capability) |
| BlueClosure BC Detect | BlueClosure | Commercial | Most platforms supported | 2 week trial |
| BREACHLOCK Dynamic Application Security Testing | BREACHLOCK | Commercial | SaaS | |
| Burp Suite | PortSwiger | Commercial | Most platforms supported | Free (Limited Capability) |
| CloudDefense | CloudDefense | Commercial | SaaS or On-Premises | CloudDefense DAST integrates with any CI/CD with just 1 line of code. It supports multiple authentication types. Perform deep DAST scans with ease. |
| Contrast | Contrast Security | Commercial | SaaS or On-Premises | Free (Full featured for 1 App) |
| Crashtest Security | Crashtest Security | Commercial | SaaS or On-Premises | |
| Cyber Chief | Audacix | Commercial | SaaS or On-Premises | |
| Deepfence ThreatMapper | Deepfence | Open Source | Linux | Apache v2 |
| Deepfence ThreatStryker | Deepfence | Commercial | Linux, Windows | |
| Detectify | Detectify | Commercial | SaaS | |
| Digifort- Inspect | Digifort | Commercial | SaaS | |
| Edgescan | Edgescan | Commercial | SaaS | |
| GamaScan | GamaSec | Commercial | Windows | |
| GoLismero | GoLismero Team | Open Source | Windows, Linux and Macintosh | GPLv2.0 |
| Grabber | Romain Gaucher | Open Source | Python 2.4, BeautifulSoup and PyXML | |
| Grendel-Scan | David Byrne | Open Source | Windows, Linux and Macintosh | |
| HostedScan.com | HostedScan.com | Commercial | SaaS | Free Forever |
| IKare | ITrust | Commercial | N/A | |
| ImmuniWeb | High-Tech Bridge | Commercial | SaaS | Free (Limited Capability) |
| Indusface Web Application Scanning | Indusface | Commercial | SaaS | Free trial available |
| InsightVM | Rapid7 | Commercial | SaaS | Free trial available |
| Intruder | Intruder Ltd. | Commercial | ||
| IOTHREAT | IOTHREAT | Commercial | SaaS | Free (View Partial Results). Full report (PRO) – 50% discount for the OWASP community with ‚OWASP50‘. |
| K2 Security Platform | K2 Cyber Security | Commercial | SaaS/On-Premise | Free trial available |
| Mayhem for API | ForAllSecure | Commercial | SaaS | 30-day Free Trial |
| N-Stealth | N-Stalker | Commercial | Windows | |
| Nessus | Tenable | Commercial | Windows | |
| Netsparker | Netsparker | Commercial | Windows | |
| Nexploit | NeuraLegion | Commercial | SaaS | |
| Nexpose | Rapid7 | Commercial | Windows/Linux | Free (Limited Capability) |
| Nikto | CIRT | Open Source | Unix/Linux | |
| Nmmapper Tool Collections | Nmmapper | Commercial | SasS | Great Collection of Kali Tool hosted online |
| Nuclei | ProjectDiscovery | Open Source | Windows, Unix/Linux, and Macintosh | Fast and customisable vulnerability scanner based on simple YAML based DSL. |
| Probely | Probely | Commercial | SaaS | Free (Limited Capability) |
| Proxy.app | Websecurify | Commercial | Macintosh | |
| purpleteam | OWASP | Open Source | CLI and SaaS | GNU-AGPL v3 |
| QualysGuard | Qualys | Commercial | N/A | |
| ReconwithMe | Nassec | Commercial | SaaS | Paid Option Available |
| Retina | BeyondTrust | Commercial | Windows | |
| Ride (REST JSON Payload fuzzer) | Adobe, Inc. | Open Source | Linux / Mac / Windows | Apache 2 |
| ScanRepeat | Ventures CDX | Commercial | SaaS | |
| ScanTitan Vulnerability Scanner | ScanTitan | Commercial | SaaS | Free (Limited Capability) |
| Sec-helpers | VWT Digital | Open Source or Free | N/A | |
| SecPoint Penetrator | SecPoint | Commercial | N/A | |
| Security For Everyone | Security For Everyone | Commercial | SaaS | Free (Limited Capability) |
| Securus | Orvant, Inc | Commercial | N/A | |
| Sentinel | WhiteHat Security | Commercial | N/A | |
| SOATest | Parasoft | Commercial | Windows / Linux / Solaris | |
| StackHawk | StackHawk | Commercial | SaaS | |
| Tinfoil Security | Synopsys | Commercial | SaaS or On-Premises | Free (Limited Capability) |
| Trustkeeper Scanner | Trustwave SpiderLabs | Commercial | SaaS | |
| Vega | Subgraph | Open Source | Windows, Linux and Macintosh | |
| Vex | UBsecure | Commercial | Windows | |
| w3af | w3af.org | Open Source | Linux and Mac | GPLv2.0 |
| Wapiti | Informática Gesfor | Open Source | Windows, Unix/Linux and Macintosh | |
| Web Security Scanner | DefenseCode | Commercial | On-Premises | |
| WebApp360 | TripWire | Commercial | Windows | |
| WebCookies | WebCookies | Free | SaaS | |
| WebInspect | Micro Focus | Commercial | Windows | |
| WebReaver | Websecurify | Commercial | Macintosh | |
| WebScanService | German Web Security | Commercial | N/A | |
| Websecurify Suite | Websecurify | Commercial | Windows, Linux, Macintosh | Free (Limited Capability) |
| Website Security Check | CyberAnt | Commercial | SaaS | 20% off with OWASP20 |
| WPScan | WPScan Team | Commercial | Linux and Mac | Free options |
| Zed Attack Proxy | OWASP | Open Source | Windows, Unix/Linux, and Macintosh | Apache-2.0 |
Static Code Analyse Tools
| Name/Link | Owner | License | Platforms | Note |
|---|---|---|---|---|
| .NET Security Guard | Open Source or Free | .NET, C\#, VB.net | ||
| 42Crunch | Commercial | REST API security platform that includes Security Audit (SAST), dynamic conformance scan, runtime protection, and monitoring. | ||
| Agnitio | Open Source or Free | Windows | ASP, ASP.NET, C\#, Java, Javascript, Perl, PHP, Python, Ruby, VB.NET, XML | |
| APIsecurity.io Security Audit | Open Source or Free | online tool for OpenAPI / Swagger file static security analysis | ||
| Application Inspector | Positive Technologies | Commercial | combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C\#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. | |
| Bandit | Open Source or Free | Bandit is a comprehensive source vulnerability scanner for Python | ||
| Beyond Security beSOURCE | Beyond Security | Commercial | Static application security testing (SAST) used to be divorced from Code quality reviews, resulting in limited impact and value. beSOURCE addresses the code security quality of applications and thus integrates SecOps into DevOps. | |
| BlueClosure BC Detect | BlueClosure | Commercial | Analyzes client-side JavaScript. | |
| Brakeman | Open Source or Free | Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications | ||
| bugScout | Nalbatech, Formerly Buguroo | Commercial | ||
| CAST AIP | Commercial | Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [AIP’s security specific coverage is here](https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards). | ||
| CloudDefense | CloudDefense | Commercial | SaaS or On-Premises | CloudDefense provides holistic threat intelligence across all attack surfaces – Containers, Kubernetes, Code, Open Source Libraries, APIs and more… |
| Codacy | Commercial | Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects) | ||
| CodeScan Cloud | Commercial | A Salesforce focused, SaaS code quality tool leveraging SonarQube’s OWASP security hotspots to give security visibility on Apex, Visualforce, and Lightning proprietary languages. | ||
| CodeSonar | Commercial | tool that supports C, C++, Java and C\# and maps against the OWASP top 10 vulnerabilities. | ||
| CodeSonar | Open Source or Free | C, C++, Java | ||
| CoGuard | Heinle Solutions Inc. | Commercial | SaaS or On-Premises | A SAST tool for infrastructure configuration analysis. Support for common web servers, databases, streaming services, authentication services, container orchestration and Infrastructure-as-Code tools. |
| Contrast Assess | Commercial | Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis. | ||
| Coverity | Open Source or Free | Android, C\#, C, C++, Java, JavaScript, Node.js, Objective-C, PHP, Python, Ruby, Scala, Swift, VB.NET | ||
| Coverity Static Analysis | Synopsys | Commercial | ||
| CxSAST | Checkmarx | Commercial | Saas, or on-premises. Windows and Linux with CI/CD and IDE plugin integration | Run full or incremental source code security scans. Supported languages include Javascript, Java, Apex, PHP, Python, Swift, Scala, Perl, Groovy, Ruby, C++, C#.NET, PL/SQL, VB.NET, ASP.NET, HTML 5, Windows Mobile, Go, and Kotlin. |
| Dawnscanner | Open Source or Free | Dawnscanner is an open source security source code analyzer for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby. | ||
| Deep Dive | Open Source or Free | Byte code analysis tool for discovering vulnerabilities in Java deployments (EAR, WAR, JAR). | ||
| DeepSource | DeepSource Corp. | Commercial | SaaS or On-Premises | DeepSource helps you automatically find and fix issues in your code during code reviews, such as bug risks, anti-patterns, performance issues, and security flaws. It takes less than 5 minutes to set up with your Bitbucket, GitHub, or GitLab account. It works for Python, Go, Ruby, and JavaScript. |
| DerScanner | DerScanner Ltd. | Commercial | Capable of identifying vulnerabilities and backdoors (undocumented features) in over 30 programming languages by analyzing source code or executables, without requiring debug info. | |
| DevBug | Open Source or Free | Web Based | PHP | |
| ECG | VoidSec | Commercial | SaaS TCL Static Source Code Analysis Tool able to detect real and complex security vulnerabilities in TCL/ADP source-code. Discovered vulnerabilities will be mapped against the OWASP top 10 vulnerabilities. | |
| Enlightn | Enlightn Software | Open Source | Enlightn is a vulnerability scanner specifically designed for Laravel PHP applications that combines SAST, DAST, IAST and configuration analysis techniques to detect vulnerabilities. | |
| Find Security Bugs | Open Source or Free | Java, Scala, Groovy | ||
| FindBugs | Open Source or Free | Find bugs (including a few security flaws) in Java programs [Legacy – NOT Maintained – Use SpotBugs (see other entry) instead] | ||
| FindSecBugs | Open Source or Free | A security specific plugin for SpotBugs that significantly improves SpotBugs’s ability to find security vulnerabilities in Java programs. Works with the old FindBugs too. | ||
| Flawfinder | Open Source or Free | Scans C and C++. | ||
| Fluid Attack’s Scanner | Fluid Attacks | Open Source | SAST, DAST and SCA vulnerability detection tool with perfect OWASP Benchmark score. | |
| Fortify | Micro Focus | Commercial | Windows, Linux, and MacOSX | Free trial scan available. Supported languages include: ABAP/BSP, ActionScript/MXML (Flex), APEX, ASP.NET, VB.NET, C\# (.NET), C/C++, Classic ASP (w/VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, Typescript, T-SQL, Ruby, Scala, Swift, Visual Basic (VB.NET), Visual Basic 6, VBScript, XML |
| GitGuardian — Automated Secrets Detection | Commercial | SaaS or On-Premises | Secure your software development with automated secrets detection & remediation for private or public source code. | |
| GitLab | GitLab | Commercial | SaaS, Linux, Windows | |
| GolangCI-Lint | Open Source or Free | A Go Linters aggregator – One of the Linters is [gosec (Go Security)](https://github.com/securego/gosec), which is off by default but can easily be enabled. | ||
| Google CodeSearchDiggity | Open Source or Free | Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. *Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.* | ||
| Graudit | Open Source or Free | Linux | Scans multiple languages for various security flaws. Basically security enhanced code Grep. | |
| HCL AppScan CodeSweep – GitHub Action | HCL Software | Open Source or Free | Scan the new code on a push/pull request using a GitHub action. Findings are highlighted in the `Files Changed` view and details about the issue and mitigation steps can be found in the `Actions` page. Unrestricted usage allowed with a free trial account. The tool currently supports Python, Ruby, JS (Vue, React, Node, Angular, JQuery, etc), PHP, Perl, COBOL, APEX & a few more. | |
| HCL AppScan CodeSweep – VS Code | HCL Software | Open Source or Free | This is the first Community edition version of AppScan. It is delivered as a VS Code plugin and scans files upon saving them. The results show the location of a finding, type and remediation advice. The tool currently supports Python, Ruby, JS (Node, Angular, JQuery, etc) , PHP, Perl, COBOL, APEX & a few more. | |
| HCL AppScan on Cloud | HCL Software | Open Source or Free | Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript(Client-side JavaScript, Kotlin, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Swift, Visual Basic 6 | |
| HCL AppScan Source | HCL Software | Commercial | Android, Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript(Client-side JavaScript, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Visual Basic 6 | |
| Hdiv Detection | Hdiv Security | Commercial | Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis. | |
| Horusec | Open Source or Free | Python(3.x), Ruby, Javascript, GoLang, .NetCore(3.x), Java, Kotlin, Terraform | ||
| HuskyCI | Open Source or Free | HuskyCI is an open-source tool that orchestrates security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. HuskyCI can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (Npm Audit and Yarn Audit), Golang (Gosec), and Java(SpotBugs plus Find Sec Bugs) | ||
| Insider CLI | InsiderSec | Open Source or Free | A open source Static Application Security Testing tool (SAST) written in GoLang for Java Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js). | |
| Kiuwan | a division of Idera, Inc. | Commercial | provides an application security testing and analytics platform – including SAST and SCA solutions – that reduces risk and improves change management and DevOps processes | |
| Klocwork | Perforce | Commercial | Static Code Analysis for C, C++, C#, and Java | |
| Klocwork | Open Source or Free | C, C++, C\#, Java | ||
| Kroogal | Commercial | C, C++ | ||
| LGTM | Open Source or Free | A free for open source static analysis service that automatically monitors commits to publicly accessible code in Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C\#, Go, Java, JavaScript/TypeScript, Python. | ||
| Microsoft FxCop | Open Source or Free | .NET | ||
| Microsoft PREFast | Open Source or Free | C, C++ | ||
| MobSF | Open Source or Free | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. | ||
| MobSF | Open Source or Free | Windows, Unix | Android Java, Objective C, Swift | |
| NextGen Static Analysis | ShiftLeft | Commercial | SaaS | Free version available. Currently supports Java, JavaScript, C\#, TypeScript, Python, and Terraform. Create your free account at https://shiftleft.io/register. |
| nodejsscan | Open Source or Free | Unix | Node.js | |
| Nucleaus Core | Nucleaus | Commercial | SaaS | Scans Git repos daily and provides a web-based dashboard to track code and dependency vulnerabilities. Handles team-based access patterns, vulnerability exception lifecycle, and is built on API first principles. |
| Offensive360 | Commercial | SAST technology that attacks the source code from all corners it has all in one. Malware, SCA, License, and deep source code analysis. | ||
| Oversecured | Oversecured Inc | Commercial | Android | A static SaaS-based vulnerability scanner for Android apps (APK files), supports apps written on Java and Kotlin. Also allows integrations into DevOps processes. |
| OWASP ASST (Automated Software Security Toolkit) | Tarik Seyceri & OWASP | Open Source or Free | Ubuntu, MacOSX and Windows | An Open Source, Source Code Scanning Tool, developed with JavaScript (Node.js framework), Scans for PHP & MySQL Security Vulnerabilities According to OWASP Top 10 and Some other OWASP’s famous vulnerabilities, and it teaches developers of how to secure their codes after scan. |
| OWASP Code Crawler | OWASP | Open Source | .NET, Java | |
| OWASP LAPSE Project | OWASP | Open Source | Java | |
| OWASP Orizon Project | OWASP | Open Source | Java | |
| OWASP WAP (Web Application Protection) | OWASP | Open Source | PHP | |
| ParaSoft | Open Source or Free | C, C++, Java, .NET | ||
| Parasoft Test | Parasoft | Commercial | Test tools for C/C++, .NET, Java | |
| phpcs-security-audit | Open Source or Free | A set of PHP_CodeSniffer rules to finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules. | ||
| PITSS.CON | PITTS | Commercial | Scans Oracle Forms and Reports Applications | |
| PMD | Open Source or Free | PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues). | ||
| Polyspace Static Analysis | Open Source or Free | C, C++, Ada | ||
| PreFast | Microsoft | Open Source or Free | PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006. | |
| Progpilot | Open Source or Free | Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection. | ||
| Psalm | Vimeo, Inc. | Open Source | Static code analysis for PHP projects, written in PHP. | |
| PT Application Inspector | Positive Technologies | Commercial | Combines SAST, DAST, IAST, SCA, configuration analysis and other technologies for high accuracy. Can generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis. Supports Java, C\#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. | |
| Puma Scan | Puma Security | Commercial | A .NET C\# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable. | |
| Puma Scan Professional | Open Source or Free | .NET, C\# | ||
| PVS-Studio | Open Source or Free | C, C++, C\# | ||
| PVS-Studio Analyzer | PVS-Studio | Commercial | Static code security analysis for C, C++, C#, and Java. A commercial B2B solution, but provides several free [licensing options](https://www.viva64.com/en/b/0614/). | |
| Pyre | Open Source or Free | A performant type-checker for Python 3, that also has [limited security/data flow analysis](https://pyre-check.org/docs/pysa-basics.html) capabilities. | ||
| reshift | Commercial | A CI/CD static code security analysis tool for Java that uses machine learning to give a prediction on false positives. | ||
| RIPS Code Analysis | RIPS Technologies – Acquired by SonarSource | Commercial | Static security analyzer for Java and PHP. | |
| SecureAssist | Synopsys | Commercial | Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio, etc. Supports Java, .NET, PHP, and JavaScript. | |
| Security Code Scan | Open Source or Free | Static code analyzer for .NET. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more. | ||
| Seeker | Synopsys | Commercial | Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis. | |
| Semgrep | Open Source or Free | Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. No compilation needed to scan source code. Supports Go, Java, JavaScript, JSON,Python, TypeScript, and more. | ||
| Sentinel Source | Whitehat | Commercial | Static security analysis for 10+ languages. | |
| ShiftLeft Scan | Open Source or Free | A free open-source DevSecOps platform for detecting security issues in source ode and dependencies. It supports a broad range of languages and CI/CD pipelines by bundling various open source scanners into the pipeline. | ||
| Sink Tank | Open Source or Free | Java byte code static code analyzer for performing source/sink (taint) analysis. | ||
| Snyk | Snyk Limited | Commercial or Free | SaaS, IDE Plugin | Find, learn and fix vulnerabilities in open source dependencies, in your application code, in container images or insecure configurations in Terraform and Kubernetes. |
| SonarCloud | Open Source or Free | ABAP, C, C++, Objective-C, COBOL, C\#, CSS, Flex, Go, HTML, Java, Javascript, Kotlin, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Swift, T-SQL, TypeScript, VB6, VB, XML | ||
| SonarQube | Open Source or Free | Scans source code for 15 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [SonarLint](https://www.sonarlint.org/). | ||
| Spectral | SpectralOps | Open Source or Free | Multi-platform & Multi-architecture. Linux/Windows/MacOSx/*nix. Programming-language agnostic | Discover, classify, and protect your codebases, logs, and other assets. Monitor and detect API keys, tokens, credentials, high-risk security misconfiguration and more. |
| Splint | Open Source or Free | C | ||
| SpotBugs | Open Source or Free | Java. This is the active fork replacement for FindBugs, which is not maintained anymore. Very little security. FindSecBugs plugin provides security rules. | ||
| Static Reviewer | Security Reviewer | Commercial | Windows and Linux; on-Premises and in Cloud; Desktop, CLI and CI/CD & IDE plugin integration | Static Reviewer executes code checks according to the most relevant Secure Coding Standards for 40+ programming languages, using 1000+ built-in validation rules. |
| Thunderscan SAST | DefenseCode | Commercial | Static security analysis for 27+ languages. | |
| Veracode | Open Source or Free | Android, ASP.NET, C\#, C, C++, Classic ASP, COBOL, ColdFusion/Java, Go, Groovy, iOS, Java, JavaScript, Perl, PhoneGap/Cordova, PHP, Python, React Native, RPG, Ruby on Rails, Scala, Titanium, TypeScript, VB.NET, Visual Basic 6, Xamarin | ||
| Veracode Static Analysis | Veracode | Commercial | ||
| VisualCodeGrepper | Open Source or Free | Windows | C/C++, C\#, VB, PHP, Java, PL/SQL | |
| VisualCodeGrepper (VCG) | Open Source or Free | Scans C/C++, C\#, VB, PHP, Java, PL/SQL, and COBOL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues. | ||
| VS Code OpenAPI (Swagger) Editor extension | Open Source or Free | Plugin to Microsoft Visual Studio Code that enables rich editing capabilities for REST API contracts and also includes linting and Security Audit (static security analysis). | ||
| Xanitizer | Xanitizer | Commercial | CLI and plugin integration | A SAST tool for Java, Scala, and JavaScript/TypeScript, mainly via taint analysis. Per this pricing page, it is free for Open Source projects if you contact the vendor. |
Neueste Kommentare