Static Analysis for Secure Application Development (SAST)

Static code analysis, data flow static analysis, code metrics analysis, runtime analysis

  • Out-of-the-box test configurations for PCI, OWASP, CWE/SANS, CERT, more
  • Analyzes C, C++, Java, and .NET languages
  • Integration with team workflow throughout the SDLC
  • Also includes peer code review, unit testing, coverage analysis, metrics analysis, and runtime error detection
  • Explore Parasoft DTP

CASE STUDIES

Cisco Static Analysis Case Study

To comply with corporate quality and security initiatives, Cisco Systems adopted static analysis, unit testing and code review. Learn how they automated these practices and seamlessly integrated them into their existing processes to deliver compliant code without impeding productivity.

MedicAlert API Testing Case Study

MedicAlert needed to more rapidly deliver new services in a secure and effective fashion. Learn how they established a process for managing the functional, security, and performance testing challenges associated with their new capabilities and offerings.

IMA Static Analysis Compliance Case Study

By working with Parasoft, IMA significantly increased the efficiency and auditability of the strict quality process they adopted to comply with pharmaceutical industry regulations.

Wipro Development Testing Case Study

To remain competitive, Wipro needed a more efficient and cost-effective way to maintain the exceptional quality standards that they pride themselves on. Find out how an automated testing infrastructure helped them achieve their quality objectives while reducing testing time and effort by 25%.

Policy Enforcement

For security, Parasoft’s core static analysis capability can easily be configured to automatically monitor adherence to custom security policies. The rule library includes hundreds of rules that deliver “out-of-the-box” monitoring of many common policy requirements. These static analysis rules can be customized as needed to match specific policy requirements, and the rule set can be rapidly extended to address even the most complex and unique requirements. Moreover, rule names, descriptions, and severities can be mapped to the organization’s policies, establishing a fully customized policy management and reporting interface.

Out-of-the-box Templates for Application Security

In addition to enforcing organizations’ unique security policies, Parasoft’s static code analysis automatically identifies common security vulnerabilities with the most comprehensive static analysis rule set in the industry. The rules span the industry’s most popular technologies and platforms, including Apache Axis, WebSphere, Hibernate, servlets, Struts, and EJB 3. The following partial list includes some of the ready-to-use test configurations for rapidly analyzing code for application security defects:
  • CWE-SANS Top 25
  • Cigital
  • HIPAA Security Assessment
  • NIST SAMATE
  • OWASP Top 10
  • PCI DSS
  • Security Assessment
  • Secure Coding Best Practices
  • Sun Secure Coding Guidelines

Partial List of Types of Vulnerabilities Addressed

  • Input-based attacks
  • Backdoor vulnerabilities
  • Unsafe environment configuration
  • Weak security controls
  • Deadlocks and race conditions
  • Erratic application behavior
  • Unsafe error handling and logging
  • Exposing sensitive data

Partial List of Rules for Secure Application Development

  • Protect against injections
  • Prevent exposure of sensitive data
  • Protect against XSS vulnerabilities
  • Encapsulate all dangerous data returning methods with a validation function
  • Do not stop the JVM in a web component
  • Avoid using insecure algorithms for cryptography
  • Use ‘post’ instead of ‘get’ for credential transfers
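As an added illustration (not Parasoft code, and not a description of how its rule engine works), the following Python script is a toy line-based checker for two of the rules listed above, “Do not stop the JVM in a web component” and “Use ‘post’ instead of ‘get’ for credential transfers”, together with a hypothetical mapping from checker rule ids to an organization’s own policy names and severities of the kind the Policy Enforcement section describes. The Java servlet, the HTML form, the rule ids and the policy names are all constructed for this example.

```python
"""Toy line-based checker for two of the secure-coding rules listed above,
plus a rule-to-policy mapping of the kind described under Policy Enforcement.

Constructed example: this is not Parasoft code and is far less precise than a
real AST / data-flow analyzer; it only illustrates what such rules look for."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical mapping of checker rule ids to an organization's own policy
# names and severities (the page says such a mapping is configurable).
POLICY_MAP = {
    "JVM_STOP_IN_WEB_COMPONENT": ("SEC-AVAIL-01 Do not stop the JVM in a web component", "high"),
    "CREDENTIALS_VIA_GET": ("SEC-AUTH-03 Use POST for credential transfers", "high"),
}


@dataclass
class Finding:
    rule: str
    line: int
    text: str

    @property
    def policy(self) -> str:
        return POLICY_MAP[self.rule][0]

    @property
    def severity(self) -> str:
        return POLICY_MAP[self.rule][1]


# Constructed sample Java source: a servlet that calls System.exit on bad input,
# which would take down the whole application server, not just one request.
SERVLET_SRC = """\
import javax.servlet.http.HttpServlet;
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
        String user = req.getParameter("user");
        String pass = req.getParameter("password");
        if (user == null) {
            System.exit(1);
        }
    }
}
"""

# Constructed sample HTML: a login form that sends the password in the query
# string (GET), where it ends up in browser history, proxy and server logs.
FORM_SRC = """\
<form action="/login" method="get">
  <input name="user">
  <input type="password" name="password">
  <button>Sign in</button>
</form>
<form action="/search" method="get">
  <input name="q">
</form>
"""

WEB_COMPONENT_BASES = {"HttpServlet", "GenericServlet", "HttpFilter"}
EXTENDS = re.compile(r"\bclass\s+\w+\s+extends\s+(\w+)")
EXIT_CALL = re.compile(r"\b(System\.exit|Runtime\.getRuntime\(\)\.halt)\s*\(")


def check_jvm_stop(src: str) -> list[Finding]:
    """Rule: do not stop the JVM in a web component.
    Flags System.exit / Runtime.halt calls inside a class that extends a servlet
    or filter base class; the same call in a plain class is not reported."""
    findings: list[Finding] = []
    in_web_component = False
    for n, line in enumerate(src.splitlines(), 1):
        m = EXTENDS.search(line)
        if m:
            in_web_component = m.group(1) in WEB_COMPONENT_BASES
        if in_web_component and EXIT_CALL.search(line):
            findings.append(Finding("JVM_STOP_IN_WEB_COMPONENT", n, line.strip()))
    return findings


FORM_OPEN = re.compile(r"<form\b([^>]*)>", re.I)
METHOD_ATTR = re.compile(r"\bmethod\s*=\s*[\"']?(\w+)", re.I)
PASSWORD_INPUT = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?password", re.I)


def check_credentials_via_get(src: str) -> list[Finding]:
    """Rule: use POST instead of GET for credential transfers.
    Flags a password field inside a <form> whose method is GET. A form with no
    method attribute is also flagged, because HTML defaults to GET."""
    findings: list[Finding] = []
    form_is_get = False
    for n, line in enumerate(src.splitlines(), 1):
        m = FORM_OPEN.search(line)
        if m:
            attr = METHOD_ATTR.search(m.group(1))
            form_is_get = attr is None or attr.group(1).lower() == "get"
        if form_is_get and PASSWORD_INPUT.search(line):
            findings.append(Finding("CREDENTIALS_VIA_GET", n, line.strip()))
        if "</form>" in line.lower():
            form_is_get = False
    return findings


def scan(java_src: str, html_src: str) -> list[Finding]:
    """Run both rules and return findings tagged with policy name and severity."""
    return check_jvm_stop(java_src) + check_credentials_via_get(html_src)


if __name__ == "__main__":
    for f in scan(SERVLET_SRC, FORM_SRC):
        print(f"[{f.severity}] {f.policy} (line {f.line}): {f.text}")
```

Run as-is, the script reports the `System.exit(1)` on line 7 of the servlet and the password field on line 3 of the GET form, while the plain search form and a POST form with a password field produce nothing. The point of the policy mapping is that the report speaks in the organization’s policy vocabulary rather than the checker’s rule ids. The limits of this toy are also instructive: a regex over lines cannot see `System.exit` reached through a helper method, or a form assembled by a templating framework, which is why a production analyzer works on an AST with data-flow analysis rather than on text.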

Supported Languages for Application Security

Parasoft’s static analysis is supported across:
  • C and C++
  • .NET languages, including C#, VB.NET, ASP.NET, etc.
  • Java

Secure Application Development Beyond Static Analysis

Secure application development involves more than static analysis. It requires a mixture of test and analysis methods applied throughout the SDLC, together with a broad set of software life cycle management and vulnerability/risk management activities integrated across the process, to ensure the delivery of secure and reliable software.

Parasoft addresses both of these expectations with its Application Security Solution, which was recently awarded the Jolt award in the “Security” category. This integrated system extends Parasoft’s static analysis capabilities—providing a pre-configured system with processes and best practices that help organizations produce secure applications consistently and efficiently.

The complete solution integrates project & task management with a broad spectrum of secure application development practices—including penetration testing, authentication/encryption/access control validation, code review, runtime analysis, and more. It drives security tasks to a predictable outcome according to defined industry standards or management’s expectations. This gives organizations the comprehensive process visibility & control needed to effectively satisfy security requirements.