Here is just a quick list of free static analysers that we found very useful for scanning for security bugs during development or during a secure code review.
| Language | Tool | Description |
|---|---|---|
| PHP | RIPS | RIPS is a tool to find vulnerabilities in PHP applications using static code analysis. Besides the structured output of found vulnerabilities, RIPS also offers an integrated code audit framework for further manual analysis. |
| Ruby on Rails | Brakeman | Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyses Rails application code to find security issues at any stage of development. |
The list is at this moment very incomplete; more analysers will be added soon. Obsolete scanners, or scanners that do not really provide useful results, will not be listed. Useful is defined as:
- The tool really does find security vulnerabilities
- It does not generate thousands of irrelevant results
- It works without the need for finding/installing/compiling obscure versions of Linux libraries that can only be made to work on an imaginary system from hell configured by a trainee goblin that just consumed 'Create your own Linux Distribution for dummies' for breakfast.
At this moment we are investigating some Android scanners. Unfortunately many of them seem to focus on privacy related issues, which are of no concern at all to most companies or users, but we will persevere.
20130509 - added JSLint