
Products for AppSec Code Testing


  • Products for AppSec Code Testing

    What products are your companies using for testing of code for security checks?

    I've had interest in seeing how Veracode would perform for my company, but I'm curious about opinions on that and others.
    Frank McGovern
    Founder - TheIKE, Blue Team Con

  • #2
    We have plans to implement SonarQube for static code analysis in our 2020 road map. I'm really curious what other solutions everyone is using to get adequate coverage!

    Twitter: @AccidentalCISO


    • #3
      SonarCloud seems to work well, but not everyone is comfortable with code being scanned on a third party's system. Still, it offers enough options to get some powerful insights. I've heard some good things about the Roslyn Analyzers for .NET, but there is some work that still needs to happen there. One thing is for sure: Fortify has a price tag too large to be considered for most operations, from what our research revealed.

      FWIW: Honestly didn't find a lot of solid options outside of SonarQube & SonarCloud that met all of the needs we were trying to fill.
      Each person has one thing they can do better than those around them and a sacred obligation, to themselves, to find that thing - and do it.


      • #4
        We brought in Checkmarx at the last company I was at, tried it for about 2 years, and when I left they were making plans to abandon it. We evaluated a lot of products and felt good about the offering, and they offered us a fair amount of training and professional services as part of the deal. Two things really limited its use for us in practice and led to the exit. One, you have to learn its own unique Reflection-like language to customize it, and for the time and effort spent there, I was growing increasingly bullish on using Roslyn instead. Two, it struggled with false positives, and the company expressed doubt they could improve it. This was in areas like issues it flagged in view pages that I thought it should have been able to evaluate better from other context in the view. It was looking increasingly like we'd have to write or design the applications differently just to reduce those positives, and I wasn't comfortable with that.



        • #5
          We work with a range of companies, but WhiteHat has a flexible solution.


          • #6
            +1 for SonarQube


            • #7
              Black Duck and SonarQube, but I can't speak from experience. Each fills a different need for various teams. I came across this a while back. Some of it seems a tad outdated. I also cannot speak from experience with these:

              Another resource:


              • #8
                As requested by accidentalciso, here are my thoughts on this topic.
                I'm tasked with creating / implementing an SSDLC. The first S especially is my concern, naturally.

                Coming from Quality Reconnaissance, my take on this one will be as follows:

                As for SAST (and a general major improvement on QA), we're implementing SonarQube Enterprise this quarter.
                Main goals are bug prevention due to built-in scans as well as recommendations, QA gating, and reporting on quality, risks and compliance.
                Using this data we'll check where our devs have weaknesses and deploy training via SecureCodeWarriors. We already had a trial run for 2 weeks, which was mostly positively received, and they're actually fun to interact with. Training material is gamified and OK.

                That leaves IAST and DAST, which are something of a new field.
                As for these two, we're / I am looking into these solutions:
                Crashtest Security - They offer black-box testing in your pipeline. A workshop will (most likely) be held in Q2 to determine usability for us.
                Code Intelligence - They have a take on automating fuzz testing. That seems to be quite valuable, especially in finding hard-to-detect problems in your app. Nothing determined yet from our side. I'll definitely check it out though.

                As we're regulated, we also have to tackle compliance (Fuck yeah!) and follow regulations (MaRisk, ISO 27001, and others).
                As a result we need to get a grip on our 3rd-party libraries.
                THAT is fun, especially when we come to npm.

                For this I'm looking into WhiteSource, which seems to be good and helps with compliance.

                Last but not least, I'm also checking out SecurityRAT, which is basically a requirements generator and checker in the pipeline.
                So that's an interesting one, as I have to see if I can wrangle it into usability with C# and TFS.
                That'll be my journey for 2020, or rather the years to come, depending on how quickly I can handle all of this and, more importantly, convince higher-level deciders to spend the money / resources.
                Even so, that shouldn't be too much of a problem, as punishments for failures in data security are draconian (aka they can quickly cost a friggin shitload and then some), and C-level is normally averse to spending money without ANY effect.
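The "get a grip on 3rd-party libraries, especially npm" part of the post above is, at its core, an inventory problem: npm nests transitive copies of a package under the dependant that needs them, so the version at the top of `node_modules` is not the only version installed. The following is an added example, not code from the post's author or from any of the products named in the thread. It walks a `package-lock.json` in both the v1 (nested `dependencies` tree) and v2/v3 (flat `packages` map keyed by install path) layouts, lists every installed package with its install path, and flags versions inside hypothetical bad ranges. The lockfile contents, package names and advisory ranges are constructed for illustration; the version comparison is a deliberately naive numeric semver (no prerelease ordering, no `^`/`~` range syntax), which a real SCA tool does properly.

```python
"""Inventory npm packages from a package-lock.json (lockfile v1 or v2/v3),
including transitive, nested copies, and flag versions in known-bad ranges."""
import json

# Constructed sample lockfile in the v2/v3 layout. Names and versions are made up.
# Note the second, older copy of tiny-util nested under left-widget.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"left-widget": "^1.2.0", "tiny-util": "^2.0.0"}},
        "node_modules/left-widget": {"version": "1.2.3"},
        "node_modules/left-widget/node_modules/tiny-util": {"version": "0.9.1"},
        "node_modules/tiny-util": {"version": "2.0.0"},
    },
})

# The same install tree in the older v1 layout (nested "dependencies").
SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 1,
    "dependencies": {
        "left-widget": {
            "version": "1.2.3",
            "requires": {"tiny-util": "^0.9.0"},
            "dependencies": {"tiny-util": {"version": "0.9.1"}},
        },
        "tiny-util": {"version": "2.0.0"},
    },
})

# Constructed (hypothetical) advisories: name -> [(introduced, fixed)], fixed exclusive.
ADVISORIES = {
    "tiny-util": [("0.0.0", "1.0.0")],    # everything before 1.0.0 is bad
    "left-widget": [("1.2.0", "1.2.3")],  # 1.2.0 <= v < 1.2.3 is bad, 1.2.3 is the fix
}


def parse_version(v):
    """Naive semver: numeric major.minor.patch tuple; prerelease/build tags dropped."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(x) for x in core.split("."))


def _walk_v1(deps, path, out):
    """Lockfile v1: each entry may carry its own nested 'dependencies' subtree."""
    for name, info in deps.items():
        out.append((name, info["version"], path + [name]))
        _walk_v1(info.get("dependencies", {}), path + [name], out)


def inventory(lock_text):
    """Return [(name, version, install_path_parts)] for every installed package."""
    lock = json.loads(lock_text)
    out = []
    if "packages" in lock:
        # v2/v3: keys are paths like "node_modules/a/node_modules/b"; "" is the root project.
        for key, info in lock["packages"].items():
            if key == "":
                continue
            parts = [p.rstrip("/") for p in key.split("node_modules/") if p]
            out.append((parts[-1], info["version"], parts))
    elif "dependencies" in lock:
        _walk_v1(lock["dependencies"], [], out)
    return out


def is_affected(version, ranges):
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def find_vulnerable(lock_text, advisories=ADVISORIES):
    """Sorted (name, version, 'a/b' install path) for packages inside a bad range."""
    hits = []
    for name, version, path in inventory(lock_text):
        if name in advisories and is_affected(version, advisories[name]):
            hits.append((name, version, "/".join(path)))
    return sorted(hits)


if __name__ == "__main__":
    for lock in (SAMPLE_LOCK, SAMPLE_LOCK_V1):
        for name, version, path in find_vulnerable(lock):
            print(f"{name}@{version} installed at {path}")
```

Run against either sample, the top-level `tiny-util@2.0.0` passes, but the nested `tiny-util@0.9.1` under `left-widget` is reported, which is exactly the copy a scan that only reads the top level of `node_modules` (or only `package.json`) would miss.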


                • #9
                  Thank you for sharing, this is great info!

                  Twitter: @AccidentalCISO


                  • #10
                    Great info, thanks Wedge.

                    I came into an environment that had Acunetix, which is fairly basic.

                    We just finished up a PoC with Veracode which was good. Static analysis worked well and our devs that tested it liked the platform and IDE integration.
                    Not sure we'll pull the trigger due to cost difference just yet.