5 dev tools for better code security

Static and dynamic analysis can catch vulnerabilities in the development process -- before the bad guys can even access your code

5 dev tools for securing your code

5 dev tools for securing your code

Information security is of paramount importance these days, and there is no better place to start securing systems and data than in the software development process itself.

Lapses in coding can leave systems vulnerable to attackers. But examining thousands and thousands of lines of code for a wide array of potential weaknesses is no easy task. Thankfully, a variety of tools are emerging to help ensure the security of your code. With the help of capabilities such as static analysis, these tools not only flag possible issues but enforce security a priority in the development process.

Following are five tools aimed at analyzing your code for security flaws, ranging from open source to commercial offerings, available as on-premises solutions or services in the cloud.

Codiscope Jacks

Codiscope Jacks

Static analysis, in which code is debugged without being executed, is a solid first step in uncovering vulnerabilities. For organizations storing repos at GitHub, Codiscope’s Jacks, still in beta, can perform static analysis as a service by importing code from GitHub and scanning it. Jacks currently scans JavaScript programs; Codiscope has plans in place to scan code from Java programs as well. Support for other languages will follow.

“We don’t retain the code of any of our users,” says Katie Lyon, marketing director at Codiscope, which plans to support other hosted repositories besides GitHub in the future. “We’re very much focused on highlighting areas where you can make improvements long term.”

Jacks tags potential issues by line number, recommends best practices, and notifies users in the event that patches are available to address issues in their code. Each flagged line of code is accompanied by an explanation, and Jacks triggers alerts for situations such as insecure scripts that could allow a hacker to take control of connection; server-side includes injection, in which malicious JavaScript code is executing on the server, and Enable HttpOnly Session, preventing a cookie’s value from being accessed by client-side scripts.

“The strongest triggers that we currently have implemented are around cryptography so that they can ensure you are using a secure math.random number generator and that the types of crypto things that you implement in your code are following best practices,” Lyon says.

The service is due to reach general availability status in the first half of this year. Plans call for making the service more collaborative, to enable developers to learn more about code security while they are coding and have team discussions.



Flawfinder is an open source tool that examines C/C++ code and reports on potential weaknesses, sorted by the level of risk. It uses a built-in database of language functions with known risks, such as buffer overflow problems, format string issues, race conditions, and poor random-number acquisition.

“I want software to be far more secure than it often is today,” says software developer and analyst David Wheeler, who built Flawfinder as a side project. “Many application developers keep making the same mistakes that lead to security vulnerabilities. Flawfinder is a simple tool that points out specific areas in code that may need further examination. My hope is that this simple tool will reduce the number of vulnerabilities in deployed software.”

Wheeler urges developers to find flaws before software is deployed. Plans call for adding more to Flawfinder’s rule set of patterns that are more likely to be vulnerabilities.

“Flawfinder is not a sophisticated tool; it uses a naive algorithm. Technically it’s a lexical source code static analyzer,” Wheeler says. Despite its simplicity, testimonials on the Flawfinder website attest to its usefulness.

“I just sent tons of C/C++ source through Flawfinder 1.0. Thanks for the tool, it found several places that I have now fixed,” one user writes.

Geared to server and desktop development, Flawfinder works on Unix-like systems, having been tested on GNU/Linux; it also runs on Windows via the Cygwin environment. Python 2 is required to use it.

IBM Security AppScan

IBM Security AppScan

Positioned as enhancing Web and mobile application security, IBM Security AppScan is an on-premises tool that leverages both static and dynamic analysis, in which an application is treated as a black box and tests are performed to find vulnerabilities.

“It will crawl the Web applications and look for the input forms and basically test those input forms to see if they’re vulnerable,” says Larry Gerard, program director for application security product management at IBM.

AppScan also performs interactive analysis, in which an agent is placed on the application server to examine how an application reacts to a test, such as observing whether an application cleans up a SQL injection issue.

A specialized analysis also is offered for mobile applications.

If multiple traces of code are vulnerable and a common method is found, AppScan notifies the developer of the point in the code where he or she should fix a method to close out multiple vulnerabilities. Vulnerabilities such as SQL injection, cross-site scripting, and dozens of other issues are examined. AppScan rolls up its findings in reports, and it features analytics to reduce false positives. The intent is to deal with vulnerabilities before applications are put before customers. But some customers are only now getting around to testing and fixing long-running applications.

Parasoft Development Testing Platform

Parasoft Development Testing Platform

Parasoft’s Development Testing Platform (DTP) performs static analysis either in the IDE or as part of a build or continuous integration.

If DTP is enabled during CI, then “results are round-tripped to the dev in a couple of ways -- email, Web report, direct in IDE as if the analysis were run locally,” Parasoft evangelist Arthur Hicken says. “Our static analysis tools for C/C++, .Net, and Java have about 1,500 rules per platform. The rules have extensive docs with security relevance listed, links to references like common weakness enumeration (CWE), user-controllable severity, parameters, and more.”

Parasoft also offers a tool for creating custom rules called RuleWizard.

Parasoft’s Process Intelligence Engine (PIE) is targeted at defect prevention and exposure. PIE finds defects by correlating observations across the software development lifecycle. With PIE, stricter static analysis rules can be put in place when security vulnerabilities are found during testing. Application risks can be found that dashboards overlook, according to the company.

Information from DTP can be exported to IDEs, including Visual Studio, Eclipse, and IntelliJ Idea.

Parasoft’s view of static analysis has changed over the years.

“We’ve found that [static analysis] can really overwhelm people for a variety of reasons -- things like false positives, legacy code, inappropriate rules, running too late in the process,” Hicken says. “To address these issues we’ve built a DTP around our static analysis.” Doing so has enabled better prioritization and tracking of findings, according to Hicken.

Rogue Wave Klocwork

Rogue Wave Klocwork

Working with continuous integration systems such as Jenkins, Rogue Wave Klocwork is an on-premises tool that analyzes incremental code changes.

“It’s a tool that helps developers find quality and security defects as early as possible in the software development lifecycle” using static source code analysis, says Walter Capitani, product manager for Klocwork at Rogue Wave. “What we do is analyze the source code to find those defects almost like a human would find them, by reading the source code. But obviously, we’re more reliable than a human and we can do things that a human can’t.”

The tool builds a model of source code as it will be executed and understands factors such as range values for a loop iterator variable.

“It evaluates all the possible execution paths,” Capitani says. For example, when Klocwork encounters a SQL function call, it can trace back through the code to the point where the parameters of the function call were obtained. The tool then can determine whether an input was used in a SQL query string without being escaped as it should be or cleaned up to ensure there are no commands inside that data that could cause unintended behavior. Problems such as SQL injection can be flagged.

Other issues, including cross-site scripting and memory overflow, also are uncovered.

Checkers in Klocwork look for the use of data or the behavior of a function in relation to an input. “If the input wasn’t properly treated before it’s used by the function, we trigger that kind of defect,” Capitani says.