Evaluation of the Security Tools. SL No. Tool Name Comments 1

Evaluation of the security tools.

Objective: Evaluation of the security tools.

SL No. Tool Name Comments

 Axivion Bauhaus 1 Suite – A tool for Ada, C, C++, C#, and Java code that performs various analyses such as architecture checking, interface analyses, and clone detection. 4

2  Black Duck Suite – Analyzes the composition of software source code and binary files, searches for reusable code, manages open source and third- party code approval, honors the legal obligations associated with mixed-origin code, and monitors related security vulnerabilities. --1

3  BugScout – Detects security flaws in Java, PHP, ASP and C# web applications. -2

4  CAST Application Intelligence Platform – Detailed, audience-specific dashboards to Evaluation of the security tools.

measure quality and productivity. 30+ languages, C, C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.

5  ChecKing – Integrated software quality portal that helps manage the quality of all phases of software development. It includes static code analyzers for Java, JSP, Javascript, HTML, XML, .NET (C#, ASP.NET, VB.NET, etc.), PL/SQL, embedded SQL, SAP ABAP IV, Natural/Adabas, C, C++, Cobol, JCL, and PowerBuilder.

6  ConQAT – Continuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards. Supports Java, C#, C++, JavaScript, ABAP, Ada and many other languages. Evaluation of the security tools.

7  Coverity SAVE – A static code analysis tool for C, C++, C# and Java source code. Coverity commercialized a research tool for finding bugs through static analysis, the Stanford Checker, which used abstract interpretation to identify defects in source code.

8  DMS Software Reengineering Toolkit – Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.

9  HP Fortify Static Code Analyzer – Helps developers identify software security vulnerabilities in C/C++, Java, JSP, .NET, ASP.NET, classic ASP, ColdFusion, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, Objective-C and COBOL and Evaluation of the security tools.

configuration files.

1  GrammaTech 0 CodeSonar – Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics for C, C++, and Java source code.- 3

1  IBM Rational 1 AppScan Source Edition – Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, VisualBasic 6, PL/SQL, T-SQL, and COBOL -5

1  Imagix 4D – 2 Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, Evaluation of the security tools.

improving and documenting C, C++ and Java code.

1  Klocwork Insight – 3 Provides security vulnerability, defect detection and build-over- build trend analysis for C, C+ +, C# and Java. – Evaluated not much use

1  LDRA Testbed – A 4 software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).

1  MALPAS – A 5 software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety critical applications in Nuclear and Aerospace industries.

1  Moose – Moose 6 started as a software analysis platform with many tools to manipulate, assess Evaluation of the security tools.

or visualize software. It can evolve to a more generic data analysis platform. Supported languages are C/C++, Java, Smalltalk, .NET, more may be added.

1  Parasoft – Provides 7 static analysis (pattern-based, flow-based, in-line, metrics) for C, C+ +, Java, .NET (C#, VB.NET, etc.), JSP, JavaScript, XML, and other languages. Through a Development Testing Platform, static code analysis functionality is integrated with unit testing, peer code review, runtime error detection and traceability. – commercial and code analysis only no security analysis done.

1  Copy/Paste 8 Detector (CPD) – PMDs duplicate code detection for (e.g.) Java, JSP, C, C++, ColdFusion, PHP and JavaScript [1] code. Evaluation of the security tools.

1  Polyspace – Uses 9 abstract interpretation to detect and prove the absence of certain run time errors in source code for C, C++, and Ada

2  Pretty Diff - A 0 language specific code comparison tool that features language specific analysis reporting in addition to language specific minification and beautification algorithms.

2  Protecode – 1 Analyzes the composition of software source code and binary files, searches for open source and third party code and their associated licensing obligations. Can also detect secuity vulnerabilities. -6

2  ResourceMiner – 2 Architecture down to details multipurpose analysis and metrics, develop own rules for masschange and generator development. Supports 30+ Evaluation of the security tools.

legacy and modern languages and all major databases.

2  Semmle – supports 3 Java, C, C++, C#.

2  SofCheck 4 Inspector – Static detection of logic errors, race conditions, and redundant code for Ada and Java; automatically extracts pre/postconditions from code.

2  SonarQube – A 5 continuous inspection engine to manage the technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supports languages: ABAP, C, Cobol, C#, Flex, Forms, Groovy, Java, JavaScript, Natural, PHP, PL/SQL, Visual Basic 6, Web, XML, Python.

2  Sotoarc/Sotograph 6 – Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java. Evaluation of the security tools.

2  SQuORE is a multi- 7 purpose and multi- language monitoring tool[2] for software projects.

2  Understand – 8 Analyzes Ada, C, C++, C#, COBOL, CSS, Delphi, Fortran, HTML, Java, JavaScript, Jovial, Pascal, PHP, PL/M, Python, VHDL, and XML – reverse engineering of source, code navigation, and metrics tool.

2  Veracode – Finds 9 security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, Ruby on Rails, and Objective-C, including mobile applications on the Windows Mobile, BlackBerry, Android, and iOS platforms.

3  Visual Studio Team 0 System – Analyzes C++, C# source codes. only Evaluation of the security tools.

available in team suite and development edition.

3  Yasca – Yet 1 Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.

Only .Net

1  CodeIt.Right – Combines static code analysis and automatic refactoring to best practices which allows automatically correct code errors and violations; supports C# and VB.NET.

2  CodeRush – A plugin for Visual Studio, it addresses a multitude of shortcomings with the popular IDE. Including alerting users to violations Evaluation of the security tools.

of best practices by using static code analysis.

3  FxCop – Free static  FxCop is a tool that performs static code analysis for analysis of .NET code. It provides hundreds of Microsoft .NET rules that perform various types of analysis. programs that compiles to CIL. . Design Standalone and integrated in some Microsoft Visual . Globalization Studio editions; by Microsoft. . Interoperability

. Maintainability

. Mobility

. Naming

. Performance

. Portability

. Reliability

. Security

. Usage

4  Kalistick – Mixing from the Cloud: static code analysis with best practice tips and collaborative tools for Agile teams.

5  NDepend – Simplifies managing a complex .NET code base by analyzing Evaluation of the security tools.

and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.

6  Parasoft dotTEST – A static analysis, unit testing, and code review plugin for Visual Studio; works with languages for Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C+ +.

7  StyleCop – Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.