Introduction 1
Conclusion 3
synopsys.com |
Introduction
Static analysis security testing (SAST) technologies were developed to help security professionals find
software vulnerabilities by scanning and analyzing application code for bugs and code quality defects.
Yet as useful as these tools are, many developers are disenchanted with SAST owing to previous
experiences using time-consuming security testing tools that can’t match the pace of DevOps cultures.
Common complaints include:
• Workflow interruptions. Interruptions generated by automated tools force developers to turn away
from their primary objectives to remediate issues.
• Operational matters. High false-positive rates, confusing output, and poor integration into the
developers’ workflow all contribute to their reluctance to use SAST in everyday development activities.
• Scalability concerns. Many codebases today contain multiple specialized frameworks and languages
and therefore require that a SAST tool be able to scale across them all. But this is a hefty demand to
place on a SAST tool. For example, researchers at Google stated that in their experience, they had yet to
encounter a SAST solution that could meet the demands of their large and complex codebase.[1]
The SAST tools available today alleviate many of these pain points and are optimized to integrate into the
agile and DevOps workflows that dominate the modern software development life cycle (SDLC). However,
not every SAST tool is created equal, so it is crucial that organizations weigh their options carefully, as a
misstep may incur significant financial costs in the future. This white paper compares open source and
enterprise SAST solutions and provides organizations with relevant information to help them select the
option that best suits their needs.
Open source vs. enterprise SAST
Both enterprise (also known as commercial) and open source SAST tools are available, but each type—and each instrument—has
characteristics that make it more or less suitable for a particular organization’s development environment and needs.
Open source solutions provide support in specific programming languages. But they rely on the open source community for
enhancements and support, and they might not reliably maintain in-depth coverage of vulnerabilities.
Enterprise solutions provide comprehensive analysis, reporting on code quality and security status, risk and trend information,
and regulatory compliance for security and vertical markets requirements. Enterprise solutions also offer integrations and
plugins for standard development tools, environments, and CI/CD build workflows.
Language-specific features are another differentiator. We find that one of the best features of open source solutions is their
breadth in finding simple, less sophisticated vulnerabilities using basic rule checkers for certain languages (e.g., Java and C++).
Some open source software (OSS) can be configured to detect the types of errors that pose particular risk for certain products.
Experienced software developers can write checkers quickly and share them internally (and possibly externally), and the
community can tweak and improve them. OSS tools are typically language-specific and often find weaknesses that enterprise
tools might miss without fine-tuning.
• Does it integrate with your IDE, facilitating faster feedback and remediation?
• Will you rely on the open source community for support? Will that work for your organization?
• Does the tool integrate with your existing DevOps tools?
• What is the false-positive rate?
• Is the tool stable? What about the community supporting it?
• What kinds of vulnerabilities and other issues do you need to find in your code? Can the tool find them?
• Will you need additional tools to create a complete SAST solution?
• SonarQube has strong dashboarding capabilities and can import results from other tools, such as .NET Code Coverage.
• FindBugs (and its successor SpotBugs) examines compiled Java code and finds defects.
• PMD is a source code analyzer that exposes common programming flaws such as unused variables, empty catch blocks, and
unnecessary object creation in several languages.
• Security Code Scan detects security vulnerability patterns in .NET and .NET Core projects, with separate modes for
developers and auditors.
• Clang for C languages touts fast compilation and low memory use, as well as expressive diagnostics and GCC compatibility.
When to select an enterprise SAST tool
Organizations want to minimize capital expenditures wherever possible. Consequently, they are rightfully
tempted to use software that seems comparable to enterprise tools, only without license fees. However, what appears to be free
right now can end up being more costly further along in the software development life cycle.
Below are some of the disadvantages of using open source SAST tools:
• Resource scarcity. Open source solutions may not be as comprehensive in their analysis or as frequently updated as
commercial SAST tools. The community that supports them may lack the resources required to stay on top of the latest
technology to ensure results are comprehensive and accurate.
• Lack of support. Some enterprise SAST vendors provide on-site consulting, technical support, and guidance as part of the
licensing agreement. The open source community cannot provide these types of support services.
• Scalability concerns. Expertise and staff are required to make an open source tool work reliably at enterprise scale.
• High false-positive rates. The additional time and resources that development teams must spend resolving high numbers
of false positives or feature vagaries/bugs associated with unsupported open source tools far outweigh any license fee cost
savings in the long term.
• Lack of actionable results. The best enterprise SAST solutions provide remediation advice and recommend strategies for
fixing the issues discovered during each scan. Not all open source options have this feature.
In summary, no single tool finds or solves all problems, but all tools are useful in developing secure software. Open source tools
may require you to use multiple tools to address different needs, but using no SAST tools at all exposes your organization to
serious code quality and security risks. Open source tools also may be useful as an additional check to enterprise SAST tools.
Conclusion
Shifting left in the development cycle by implementing static application security testing tools plays a vital role in reducing
potential defects. But no single tool is correct for every organization. Select a SAST tool that has the right features for your
organization, specifically one that integrates into your build tools and runs automatically. Or choose multiple SAST tools that
offer all the benefits you need at a total sustainable cost. You might select Coverity, another enterprise SAST tool, one or more
open source tools, or some combination of enterprise and open source tools. Only you know what will work best for your
organization and environment.
• eBook: Are Static Application Security Testing (SAST) Tools Glorified Grep?
• Report: The Forrester Wave™: Static Application Security Testing, Q4 2017
• Datasheet: Coverity Static Analysis
• Study: Total Economic Impact of Coverity and Defensics
References
1. Caitlin Sadowski, Jeffrey van Gogh, et al., Tricorder: Building a Program Analysis Ecosystem, Google, 2015.
THE SYNOPSYS DIFFERENCE
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and
productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and
dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source
components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys
helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.
For more information, go to www.synopsys.com/software.
©2019 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at
http://www.synopsys.com/copyright.html. All other names mentioned herein are trademarks or registered trademarks of their respective owners.
02/19/19. wp-enterprise-opensource-sast.