The 8 Best Static Code & Website Security Scanning Tools
We recently had a client ask us to build a B2B website that was really secure. Obviously, we make all our B2B websites secure, but for this client, security was their absolute number one priority. They didn’t know exactly how they wanted to test the security of the code, or what security standards it needed to meet, but they wanted to agree on a level at which they could be completely confident that the site was secure – and at which they could continue to test their security as the site developed.
We’ve worked on secure projects before, so we had a few tricks up our sleeve and some tools we knew and used. But we also put in some extra research to ensure we were totally up to date with the latest and greatest in the world of website security. We wanted to find the best tools for static code security and ongoing monthly security scans for websites.
This task was harder than we expected, as there are now so many tools out there that it’s hard to work out which are best. Plus, many of the static code security tool sites don’t optimise themselves for SEO, making them harder to find (psst: if you want help with that, just drop us a line).
Luckily for you, we’ve done the hard work, so we thought we’d share our research so you can easily find and use the best website security tools to help you secure your static code or website.
What’s the difference between a static code security scanner and a website security scanner?
If you’ve started to dip your toe into the website security world, you will probably have heard of static code security scanners. These used to be the best option for anyone trying to secure their code, but there has since been a whole load of innovation in this field. Static code security scanners are still very helpful, but they are often best used in tandem with website security scanners. Here’s the difference.
Static code: Essentially files on your computer scanned from the inside out
Static code security scanners are also known as static code analysis, white box testing, or Static Application Security Testing (SAST). They scan the source code for errors or issues from the inside out, mimicking a manual code review. They’re often run during development to periodically check for problems a human might miss: security vulnerabilities, departures from coding best practice, and breaches of any pre-set specifications.
Disadvantages of using just static code security scanners
Static application security testing can be really useful and very cost-effective, but it’s not foolproof. Because it looks for issues in the way data flows through the program, without running it, it can often produce a bunch of false positives, which take time to deal with.
Additionally, because static code scanners work on the source code, you may need different versions or entirely different tools for each language, which adds up to a bunch of automated scans and software subscriptions.
All that said, many of the platforms we’ve suggested account for this, work on multi-language sites, and have developed ways of mitigating false positives. If you get the right tool, this is still a relatively faff-free option to quickly and effectively scan your code for security vulnerabilities.
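To make the data-flow idea and the false-positive problem concrete, here is a toy static analyser written for this article as an added example; it is not code from the original post or from any of the tools reviewed below. It walks a Python file’s syntax tree, marks variables that receive user-controlled data from an assumed set of “source” calls, and reports when such data reaches an assumed “sink” such as `os.system`. The `SANITISERS` set and the `honour_sanitisers` switch are also assumptions for the demo: a naive analyser that ignores sanitisers reports the second snippet even though the input has been quoted, which is exactly the kind of false positive the text describes.

```python
"""Toy SAST data-flow check: flags user-controlled data reaching a dangerous sink.

Added example for illustration only; the source, sink and sanitiser names
below are assumptions chosen for the demo, not a real tool's rule set.
"""
import ast

# Assumed sources: calls whose results are attacker-controlled.
TAINT_SOURCES = {"input", "request.args.get"}
# Assumed sinks: functions where tainted data is dangerous.
DANGEROUS_SINKS = {"os.system", "subprocess.call", "eval"}
# Assumed sanitisers: a reviewer treats these as neutralising taint, but a
# naive analyser (honour_sanitisers=False) does not, producing false positives.
SANITISERS = {"shlex.quote"}


def _call_name(node):
    """Return the dotted name of a call target, e.g. 'os.system'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class TaintScanner(ast.NodeVisitor):
    def __init__(self, honour_sanitisers):
        self.honour_sanitisers = honour_sanitisers
        self.tainted = set()      # variable names currently holding tainted data
        self.findings = []        # (line number, sink name)

    def _is_tainted(self, node):
        """Does this expression carry data derived from a taint source?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in TAINT_SOURCES:
                return True
            if name in SANITISERS and self.honour_sanitisers:
                return False
            return any(self._is_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):  # f-string
            return any(self._is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):       # e.g. "prefix " + user
            return self._is_tainted(node.left) or self._is_tainted(node.right)
        return False

    def visit_Assign(self, node):
        # Propagate (or clear) taint through simple assignments.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in DANGEROUS_SINKS and any(self._is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def scan(source, honour_sanitisers=False):
    """Return [(line, sink)] for every tainted value reaching a sink."""
    scanner = TaintScanner(honour_sanitisers)
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample programs (not real project code).
VULNERABLE = '''
import os
user = input("host: ")
os.system("ping -c 1 " + user)
'''

SANITISED = '''
import os, shlex
user = input("host: ")
safe = shlex.quote(user)
os.system("ping -c 1 " + safe)
'''

if __name__ == "__main__":
    print("vulnerable:", scan(VULNERABLE))                 # real finding
    print("naive on sanitised:", scan(SANITISED))          # false positive
    print("aware on sanitised:", scan(SANITISED, True))    # nothing to report
```

The first snippet is a genuine command-injection finding; the second is safe because the input is shell-quoted before it reaches `os.system`, yet the naive pass still reports it. Real SAST products spend most of their engineering effort on exactly this gap (sanitiser modelling, path sensitivity, framework knowledge), which is why the quality of a tool’s rules matters more than the raw number of checks it advertises.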
Website security scanners: They scan from the outside in
For optimum security, it’s best practice to use a combination of static code security scanners and website security scanners.
Website security scanners are often known as Dynamic Application Security Testing (DAST). They take an automated penetration testing approach, working from the outside in: examining the site while it’s running and manipulating it where possible to reveal security issues. This better imitates actual cyber attacks, because the scanner adapts to the way your application responds and attempts to infiltrate it.
This form of website security scanning, or dynamic application security testing, can expose important weaknesses like input/output validation issues or security misconfiguration. It’s one of the few ways to get real data about how your application behaves when met with attack traffic or malicious inputs. DAST tools also throw up fewer false positives than static code scanners. However, it’s not an either/or; for the strongest security you want to be using both, and the easiest way of doing this is to use an IDE, or integrated development environment.
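Here is what an outside-in check for security misconfiguration looks like in miniature, as an added example that is not part of the original post and not code from any of the products it reviews. It starts a constructed target on localhost, fetches a page exactly as an external scanner would, and reports hardening headers that are missing plus a `Server` banner that discloses a version. The expected-header baseline, the handler classes and the `ExampleCMS` banner are all assumptions for the demo; a real DAST product runs thousands of such checks and also exercises forms and parameters, which this deliberately does not.

```python
"""Toy DAST-style check: probe a running site from the outside and report
security misconfiguration visible in its HTTP responses.

Added example for illustration; the target servers are constructed here and
the expected-header baseline is an assumption, not a product's rule set.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed baseline of hardening headers a scanner would expect to see.
EXPECTED_HEADERS = {
    "Content-Security-Policy": "limits where scripts may load from",
    "X-Content-Type-Options": "should be 'nosniff' to stop MIME sniffing",
    "X-Frame-Options": "prevents clickjacking via framing",
}

BODY = b"<html><body>hello</body></html>"


class MisconfiguredHandler(BaseHTTPRequestHandler):
    """Constructed target: leaks a versioned banner, sends no hardening headers."""

    def version_string(self):           # becomes the Server: header
        return "ExampleCMS/1.0"         # constructed banner

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):       # keep the demo quiet
        pass


class HardenedHandler(MisconfiguredHandler):
    """Constructed target: generic banner plus the expected hardening headers."""

    def version_string(self):
        return "ExampleCMS"             # no version number disclosed

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Security-Policy", "default-src 'self'")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)


def start_server(handler):
    """Serve a constructed target on a free localhost port; returns (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


def scan(url):
    """Outside-in check: fetch the page, report missing headers and banner leaks."""
    findings = []
    # Bypass any proxy environment variables so the localhost probe goes direct.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=5) as resp:
        headers = resp.headers
    for name, why in EXPECTED_HEADERS.items():
        if headers.get(name) is None:
            findings.append(f"missing {name}: {why}")
    nosniff = headers.get("X-Content-Type-Options")
    if nosniff is not None and nosniff.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    banner = headers.get("Server", "")
    if any(ch.isdigit() for ch in banner):
        findings.append(f"Server header discloses a version: {banner}")
    return findings


if __name__ == "__main__":
    for handler in (MisconfiguredHandler, HardenedHandler):
        server, url = start_server(handler)
        print(handler.__name__, scan(url) or ["no findings"])
        server.shutdown()
```

Notice that the scanner never sees source code: everything it knows comes from how the running site answers, which is why DAST catches deployment-time mistakes (a hardening header dropped by a reverse proxy, a banner left on) that a static scan of the repository cannot.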
What is an IDE?
An integrated development environment (IDE) is a software application designed to improve developer efficiency by including all the tools they need to develop and test software in one place. What this specifically entails depends on the software in question, but most IDEs will include at a minimum: a source code editor, compiler, build automation tools and a debugger.
More advanced IDEs can also include class browsers, object browsers and class hierarchy diagrams, which visualise the structure of object-oriented code. Many of these will also include a graphical user interface (GUI) which allows developers to easily view issues. IDEs can be especially helpful for security, as they can combine many different forms of security scan in a single interface, either through built-in tools or downloadable plugins.
Most of the team at Rixxo prefer to use Visual Studio (VS) Code, Sublime or Coda by Panic. All of them have similar features, each with their own benefits and quirks, so it’s worth playing around with the different interfaces to find what works for you.
8 Security scanning tools to make your code more secure
Here are the top 8 website security scanning tools we’ve found helpful when creating secure websites. So, in no particular order:
SonarQube
SonarQube is a great option if you’re looking for reliable and well-integrated static application security testing. They have a free and open source ‘community’ edition, with more features added as you start spending.
SonarQube fits with your existing tools and pro-actively raises a hand when the quality or security of your codebase is at risk. It has an impressive selection of thousands of automated Static Code Analysis rules, which are flagged during coding, saving developers’ time. These provide detailed issue descriptions and code highlights that explain why your code is at risk.
SonarQube also tries to mitigate false positives by distinguishing between security hotspots, which highlight suspicious code snippets, and security vulnerabilities, which always need actioning, both of which flag in real-time. Not only does this speed up the process, it makes you a better developer. They also have an active community regularly providing feedback, which again helps reduce false positives and improve the platform.
The platform covers 27 programming languages and works with multi-language applications. Read more here about how you can use SonarQube to improve your site security.
Coverity
Coverity Quality Advisor is provided by Synopsys and was originally founded with the hope of hardening the open source software that makes up the critical infrastructure of the web. The scan covers a whole heap of defects and vulnerabilities, including:
- Resource leaks
- Dereferences of NULL pointers
- Incorrect usage of APIs
- Use of uninitialized data
- Memory corruption
- Buffer overruns
- Control flow issues
- Error handling issues
- Incorrect expressions
- Concurrency issues
- Insecure data handling
- Unsafe use of signed values
- Use of resources that have been freed
Coverity is great for open source projects and it’s undeniably thorough. They pride themselves on being able to find bugs and issues that a lot of other scanners might miss. However, it requires you to open source your code, and doesn’t have the most user-friendly or integrative interface compared to some of the other options. Coverity does have loads of success stories, which you can read more about here.
Codacy
A strong contender for seamless integration, Codacy provides either a cloud or self-hosted platform which checks for code standardisation, quality and security errors. An effective static analysis tool, Codacy identifies OWASP Top 10 vulnerabilities, including SQL injection, and can notify you of errors from within your current workflows and platforms. It has a beautiful user interface where you can view the quality of your code over time and tailor your dashboard to the standards you care about.
Codacy also boasts support for 30 programming languages. Similarly to Coverity, it has a free plan for open-source repositories, but the main package for cloud deployment comes in at $15/month. Codacy also provides self-hosted servers, so get in touch for more information if you’re a large business looking for admin tools.
Codacy also has a great selection of free ebooks on code reviews, quality and development best practice, which you can download here.
ReSharper
ReSharper is a Visual Studio extension for .NET developers which analyses code quality, errors, and smells on the fly. It applies over 2200 code inspections and automated solution-wide code refactorings to help you safely update your codebase.
Working in real-time, it includes multiple code editing helpers to improve and fix your code quickly. It also differentiates between different kinds of issue to help sort important issues from false positives, which you can read more about here. For most inspections, they also provide quick fixes, which help speed up the development process. From a code quality perspective, ReSharper also allows you to set up a code style based on your team standard, and then offers language-specific formatting suggestions.
ReSharper is a great way to improve the functionality of Visual Studio Code as an IDE, so it’s a solid option if you’re already on VS.
Like the other options featured above, ReSharper is free for open source projects – but it’s also free for students and teachers, training companies, coding bootcamps, and anyone on a developer recognition programme. For organisations, it’s £23.90 a month, but only £9.90 a month for individuals. They also offer generous half-price discounts for universities, educational organisations, startups and nonprofits.
Veracode
Veracode goes far beyond just static analysis, allowing you to manage your entire application security programme in a single platform. It claims to be the only solution that can provide visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in one centralised view.
As an IDE integration, Veracode provides real-time security feedback, automated fix advice and code reviews, which all help developers learn on the job. They have a comprehensive eLearning platform, and the software can intuitively suggest learning modules that your team may need based on the kind of mistakes they regularly make. Not only that, they prioritise a fix-first policy in their recommendations, which can speed up the development process considerably. The platform is integration-friendly with hundreds of other applications, meaning you can seamlessly incorporate it into your existing workflows. Veracode also has a vulnerability database where you can search for all kinds of vulnerabilities across various languages and risk levels.
As for pricing, you have to get in touch and schedule a demo, which you can do here. It’s not cheap, but if you’re serious about security, it’s a great advanced SaaS application security solution.
Sensei
We actually met the Sensei team at SXSW 2017 in Austin, Texas. We really loved how passionate and focused they were on educating developers to improve, so instead of just scanning your code, you’re trained to deliver better code and not make the same mistakes in the future.
Sensei is an IDE plugin that monitors your code as you write it, immediately identifying insecure patterns or security issues and offering the necessary fixes. You can automate your coding best practices too, so software development teams can set requirements that developers will get flagged on. One of the other pros of Sensei is that it uses a simple syntax on top of YAML, so it’s a lot easier to get started. They also cover over 50 language/framework-specific categories like frontend web, mobile, IaC, backend and APIs. Their user interface makes you feel like you’re a spy in the best possible way, and they regularly host competitions between developers in industry or regional tournaments.
As part of their mission to empower developers to code better, they have a Secure Code Bootcamp, which is a free fun mobile app for early career coders. It covers how to tackle the OWASP Top 10 and progresses through increasingly challenging levels where you can earn badges for passing.
Intruder.io
Intruder.io is an online vulnerability scanner boasting 9000 security checks, including application bugs like cross-site scripting, configuration weaknesses, CMS issues and missing patches. It integrates with cloud providers and only reports actionable issues that actually impact your security. They offer regular summary PDF reports, verified results from expert pen testers and integration with over 2,000 apps. You also only pay for active targets, which Intruder.io automatically identifies for you.
Intruder.io also offers an API which you can add to your CI/CD pipeline. Their vulnerability reports are specifically designed to be easy to understand, to help entry-level or less experienced developers. Similarly to Codacy, they perform all OWASP Top 10 security checks across your infrastructure, and sort any flagged issues into priority categories. Their user interface is stunning and easy to use, and offers tracking of your vulnerabilities and threats over time.
It’s difficult to find their pricing without signing up for a 30-day free trial. When we talked to their team they said their essential plan is £76/month, and the pro plan is £127/month, but they do offer discounts for not-for-profits.
Sucuri
Sucuri is a cloud-based platform which fixes and defends against security issues. They offer unlimited malware removal, a Web Application Firewall (WAF) and an Intrusion Prevention System (IPS). This includes automated patch updates, IP whitelisting, and bad bot and geo blocking. Sucuri blocks layer 3, 4 and 7 DDoS attacks and will work proactively to protect and improve your site: from submitting blacklist removal requests to repairing SEO spam keywords and link injections.
More than just an automated static scanner, Sucuri has dedicated researchers who monitor active malware campaigns, and their trained analysts will manually check your site on top of the automated scanning. Sucuri’s support desk is open 24/7, 365 days a year, and is well reviewed. You definitely get what you pay for – their basic plan is $199.99 a year, which includes most of the platform’s key features, with more expensive enterprise plans which include a dedicated support team, security scans every 30 minutes and a 6-hour malware removal response time. You can read more about how Sucuri works to protect your website here.
Static Code and Website scanning tools in summary
So which static code analysis or website security scanner is best for you? Honestly, it depends on your needs. We’ve included a range here, from comprehensive and free static scanning tools to state-of-the-art SaaS security platforms. Many of them offer free trials, so try a few out and see what works for you.