
WHITE PAPER

Enterprise or Open Source:
Which SAST Tool Is Right for You?

Table of contents

Introduction (p. 1)
Open source vs. enterprise SAST (p. 2)
When to select an open source SAST tool (p. 2)
    How to choose an open source SAST tool (p. 2)
    Options for open source SAST tools (p. 2)
When to select an enterprise SAST tool (p. 3)
The Synopsys enterprise SAST solution: Coverity (p. 3)
Conclusion (p. 3)

synopsys.com |
Introduction
Static analysis security testing (SAST) technologies were developed to help security professionals find
software vulnerabilities by scanning and analyzing application code for bugs and code quality defects.
Yet as useful as these tools are, many developers are disenchanted with SAST owing to previous
experiences using time-consuming security testing tools that can’t match the pace of DevOps cultures.
Common complaints include:
• Workflow interruptions. Interruptions generated by automated tools force developers to turn away
from their primary objectives to remediate issues.
• Operational matters. High false-positive rates, confusing output, and poor integration into the
developers’ workflow all contribute to their reluctance to use SAST in everyday development activities.
• Scalability concerns. Many codebases today contain multiple specialized frameworks and languages
and therefore require that a SAST tool be able to scale across them all. But this is a hefty demand to
place on a SAST tool. For example, researchers at Google stated that in their experience, they had yet to
encounter a SAST solution that could meet the demands of their large and complex codebase.[1]
The SAST tools available today alleviate many of these pain points and are optimized to integrate into the
agile and DevOps workflows that dominate the modern software development life cycle (SDLC). However,
not every SAST tool is created equal, so it is crucial that organizations weigh their options carefully, as a
misstep may incur significant financial costs in the future. This white paper compares open source and
enterprise SAST solutions and provides organizations with relevant information to help them select the
option that best suits their needs.

Open source vs. enterprise SAST
Both enterprise (also known as commercial) and open source SAST tools are available, but each type—and each instrument—has
characteristics that make it more or less suitable for a particular organization’s development environment and needs.

Open source solutions provide support in specific programming languages. But they rely on the open source community for
enhancements and support, and they might not reliably maintain in-depth coverage of vulnerabilities.

Enterprise solutions provide comprehensive analysis, reporting on code quality and security status, risk and trend information,
and regulatory compliance for security and vertical markets requirements. Enterprise solutions also offer integrations and
plugins for standard development tools, environments, and CI/CD build workflows.

When to select an open source SAST tool


When you compare enterprise and open source SAST at a high level, the immediate differentiator is the absence of licensing
fees for open source solutions. This feature is an important consideration for many companies, especially smaller businesses or
those in industries that don’t have the budget for the licensing fees that accompany enterprise solutions.

Language-specific features are another differentiator. We find that one of the best features of open source solutions is their
breadth in finding simple, less sophisticated vulnerabilities using basic rule checkers for certain languages (e.g., Java and C++).
Some open source software (OSS) can be configured to detect the types of errors that pose particular risk for certain products.
Experienced software developers can write checkers quickly and share them internally (and possibly externally), and the
community can tweak and improve them. OSS tools are typically language-specific and often find weaknesses that enterprise
tools might miss without fine-tuning.

How to choose an open source SAST tool


Open source software can meet some companies’ needs initially. However, it is important to note that not all their shortcomings
are obvious immediately. If you decide to explore open source options, ask the following questions to ensure the solution you
choose is the best one for your needs:

• Does it integrate with your IDE, facilitating faster feedback and remediation?
• Will you rely on the open source community for support? Will that work for your organization?
• Does the tool integrate with your existing DevOps tools?
• What is the false-positive rate?
• Is the tool stable? What about the community supporting it?
• What kinds of vulnerabilities and other issues do you need to find in your code? Can the tool find them?
• Will you need additional tools to create a complete SAST solution?

Options for open source SAST tools


Several reputable open source SAST tools may fit into your organization’s DevSecOps workflow. Here are a few of the
most prominent:

• SonarQube has strong dashboarding capabilities and can import results from other tools, such as .NET Code Coverage.
• FindBugs (and its successor SpotBugs) examines compiled Java code and finds defects.
• PMD is a source code analyzer that exposes common programming flaws such as unused variables, empty catch blocks, and
unnecessary object creation in several languages.
• Security Code Scan detects security vulnerability patterns in .NET and .NET Core projects, with separate modes for
developers and auditors.
• Clang, for C-family languages, offers fast compilation and low memory use, as well as expressive diagnostics and GCC compatibility.
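The paragraph above on writing and sharing basic rule checkers, and the PMD entry in this list (unused variables, empty catch blocks), describe the kind of pattern-matching analysis a simple SAST tool performs. The following is an added example, not code from this paper, from Synopsys, or from any of the tools listed: a small Python checker that walks a module's syntax tree and reports two such patterns, an exception handler that silently swallows errors and a local variable that is assigned but never read. The `# nosast` inline marker is a convention invented for this example so that a reviewer can suppress a triaged false positive (the checklist above asks about false-positive rates), and the non-zero exit status is what lets a build step fail automatically. The sample module it scans is constructed for the example.

```python
"""Tiny custom SAST-style checker for Python (added example, not vendor code).

Rules:
  EMPTY_EXCEPT   an except handler whose body is only `pass` or `...`
  UNUSED_LOCAL   a local name assigned inside a function but never read
"""
import ast
import sys
from dataclasses import dataclass

# Hypothetical suppression marker, chosen for this example (not a real tool's syntax).
SUPPRESS_MARKER = "# nosast"


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _scope_nodes(func):
    """Yield every node in a function body without entering nested scopes."""
    stack = list(ast.iter_child_nodes(func))
    while stack:
        node = stack.pop()
        yield node
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef,
                                 ast.Lambda, ast.ClassDef)):
            stack.extend(ast.iter_child_nodes(node))


class _Checker(ast.NodeVisitor):
    def __init__(self, source_lines):
        self.source_lines = source_lines
        self.findings = []

    def _report(self, rule, node, message):
        # A marker on the reported line records a reviewed false positive.
        if SUPPRESS_MARKER not in self.source_lines[node.lineno - 1]:
            self.findings.append(Finding(rule, node.lineno, message))

    def visit_ExceptHandler(self, node):
        def is_noop(stmt):
            return isinstance(stmt, ast.Pass) or (
                isinstance(stmt, ast.Expr)
                and isinstance(stmt.value, ast.Constant)
                and stmt.value.value is Ellipsis)
        if all(is_noop(s) for s in node.body):
            caught = ast.unparse(node.type) if node.type else "bare except"
            self._report("EMPTY_EXCEPT", node,
                         f"handler for {caught} silently swallows the exception")
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        stores, loads = {}, set()
        for sub in _scope_nodes(node):
            if isinstance(sub, ast.Name):
                if isinstance(sub.ctx, ast.Store):
                    stores.setdefault(sub.id, sub)  # remember one assignment site
                else:
                    loads.add(sub.id)
        for name, target in stores.items():
            if name not in loads and not name.startswith("_"):
                self._report("UNUSED_LOCAL", target,
                             f"local '{name}' is assigned but never read")
        self.generic_visit(node)  # still visit nested scopes and handlers

    visit_AsyncFunctionDef = visit_FunctionDef


def check_source(source):
    """Return the findings for one module's source text, ordered by line."""
    checker = _Checker(source.splitlines())
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: (f.line, f.rule))


def ci_gate(source):
    """Exit status for a build step: 0 when clean, 1 when any finding remains."""
    return 1 if check_source(source) else 0


# Constructed sample input for the example: a plausible config loader, not real project code.
SAMPLE_SOURCE = '''\
import json

def load_config(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except OSError:
        pass
    except ValueError:  # nosast -- reviewed: caller treats None as "no config"
        pass

def parse_port(value):
    default = 8080
    port = int(value)
    return port
'''

if __name__ == "__main__":
    paths = sys.argv[1:]
    sources = [open(p).read() for p in paths] if paths else [SAMPLE_SOURCE]
    status = 0
    for src in sources:
        for f in check_source(src):
            print(f"{f.line}: {f.rule}: {f.message}")
        status |= ci_gate(src)
    sys.exit(status)
```

Run without arguments it scans the embedded sample and reports the unsuppressed `OSError` handler on line 7 and the unread `default` on line 13; the `ValueError` handler is suppressed because a reviewer marked it. Passing file paths on the command line scans those files instead, and the exit status is what a CI job would check. The rules are deliberately shallow: the checker knows nothing about data flow across functions, which is exactly the gap between a basic rule checker and the deeper analysis the paper attributes to enterprise tools.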

When to select an enterprise SAST tool
As noted above, organizations want to minimize capital expenditures wherever possible. Consequently, they are rightfully
tempted to use software that seems comparable to enterprise tools, only without license fees. However, what appears to be free
right now can end up being more costly further along in the software development life cycle.

Below are some of the disadvantages of using open source SAST tools:

• Resource scarcity. Open source solutions may not be as comprehensive in their analysis or as frequently updated as
commercial SAST tools. The community that supports them may lack the resources required to stay on top of the latest
technology to ensure results are comprehensive and accurate.
• Lack of support. Some enterprise SAST vendors provide on-site consulting, technical support, and guidance as part of the
licensing agreement. The open source community cannot provide these types of support services.
• Scalability concerns. Expertise and staff are required to make an open source tool work at enterprise scale.
• High false-positive rates. The additional time and resources that development teams must spend resolving high numbers
of false positives or feature vagaries/bugs associated with unsupported open source tools far outweigh any license fee cost
savings in the long term.
• Lack of actionable results. The best enterprise SAST solutions provide remediation advice and recommend strategies for
fixing the issues discovered during each scan. Not all open source options have this feature.
In summary, no single tool finds or solves all problems, but all tools are useful in developing secure software. Open source tools
may require you to use multiple tools to address different needs, but using no SAST tools at all exposes your organization to
serious code quality and security risks. Open source tools also may be useful as an additional check to enterprise SAST tools.

The Synopsys enterprise SAST solution: Coverity


Coverity, our static application security testing solution, provides integrations across the SDLC, in line with DevSecOps trends
oriented around creating secure code quickly and continuously. Its broad language and framework support ensures that your
entire application inventory is covered, regardless of its complexity. Coverity scales to support organizations of all sizes, with
a modern, flexible platform that can support thousands of projects with low setup time. Most importantly, Coverity provides
actionable vulnerability remediation advice, offering the most precise and efficient fix.

Conclusion
Shifting left in the development cycle by implementing static application security testing tools plays a vital role in reducing
potential defects. But no single tool is correct for every organization. Select a SAST tool that has the right features for your
organization, specifically one that integrates into your build tools and runs automatically. Or choose multiple SAST tools that
offer all the benefits you need at a total sustainable cost. You might select Coverity, another enterprise SAST tool, one or more
open source tools, or some combination of enterprise and open source tools. Only you know what will work best for your
organization and environment.

To learn more, check out these resources:

• eBook: Are Static Application Security Testing (SAST) Tools Glorified Grep?
• Report: The Forrester Wave™: Static Application Security Testing, Q4 2017
• Datasheet: Coverity Static Analysis
• Study: Total Economic Impact of Coverity and Defensics
References

1. Caitlin Sadowski, Jeffrey van Gogh, et al., Tricorder: Building a Program Analysis Ecosystem, Google, 2015.


THE SYNOPSYS DIFFERENCE

Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and
productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and
dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source
components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys
helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.
For more information, go to www.synopsys.com/software.

185 Berry Street, Suite 6500


San Francisco, CA 94107 USA
U.S. Sales: 800.873.8193
International Sales: +1 415.321.5237
Email: sig-info@synopsys.com

©2019 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at
http://www.synopsys.com/copyright.html. All other names mentioned herein are trademarks or registered trademarks of their respective owners.
02/19/19. wp-enterprise-opensource-sast.
