Fortify Plugin For Visual Studio

  1. Visual Studio Plugin For Fortify Sca
  2. Fortify Plugin For Visual Studio 2013

The HP Fortify Software Security Center Plug-in for Eclipse and HP Fortify Software Security Center Package for Visual Studio are supported on the following platforms: Operating System IDE. . Fortify Plugin for Eclipse. Fortify Analysis Plugin for IntelliJ and Android Studio. Fortify Extension for Visual Studio. Scan Wizard. Sample applications. Note:. Fortify Software Security Content (Rulepacks and external metadata) can be downloaded during the installation. The package includes the Fortify Remediation. To this end, Fortify plans to release plug-ins for Eclipse and Visual Studio.Net that enable developers to quickly verify their code before checking it in to the source control systems.

Contributor(s): Dave Wichers, itamarlavender, will-obrien, Eitan Worcel, Prabhu Subramanian, kingthorin, coadaflorin, hblankenship, GovorovViva64, pfhorman, GouveaHeitor, Clint Gibler, DSotnikov, Ajin Abraham, Noam Rathaus

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code or compiled versions of code to help find security flaws.

Fortify plugin for visual studio 2013

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to findingvulnerabilities much later in the development cycle.

Strengths and Weaknesses

Strengths

  • Scales well – can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration).
  • Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth.
  • Output is good for developers – highlights the precise source files, line numbers, and even subsections of lines that are affected.

Weaknesses

  • Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
  • High numbers of false positives.
  • Frequently can’t find configuration issues, since they are not represented in the code.
  • Difficult to ‘prove’ that an identified security issue is an actual vulnerability.
  • Many of these tools have difficulty analyzing code that can’t be compiled. Analysts frequently can’t compile code because they don’t have the right libraries, all the compilation instructions, all the code, etc.

Important Selection Criteria

  • Requirement: Must support your programming language, but not usually a key factor once it does.
  • Types of vulnerabilities it can detect (out of the OWASP Top Ten (plus more?))
  • How accurate is it? False Positive/False Negative rates? - Does the tool have an OWASP Benchmark score?
  • Does it understand the libraries/frameworks you use?
  • Does it require a fully buildable set of source?
  • Can it run against binaries instead of source?
  • Can it be integrated into the developer’s IDE?
  • How hard is it to setup/use?
  • Can it be run continuously and automatically?
  • License cost for the tool. (Some are sold per user, per organization, per application, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)
Fortify plugin for visual studio

Disclaimer

2019

The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

Visual Studio Plugin For Fortify Sca

Name/LinkOwnerLicensePlatformsNote
.NET Security GuardOpen Source or Free.NET, C#, VB.net
42CrunchCommercialREST API security platform that includes Security Audit (SAST), dynamic conformance scan, runtime protection, and monitoring.
APIsecurity.io Security AuditOpen Source or Freeonline tool for OpenAPI / Swagger file static security analysis
AgnitioOpen Source or FreeWindowsASP, ASP.NET, C#, Java, Javascript, Perl, PHP, Python, Ruby, VB.NET, XML
Application InspectorPositive TechnologiesCommercialcombines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
BanditOpen Source or FreeBandit is a comprehensive source vulnerability scanner for Python
Beyond Security beSOURCEBeyond SecurityCommercialStatic application security testing (SAST) used to be divorced from Code quality reviews, resulting in limited impact and value. beSOURCE addresses the code security quality of applications and thus integrates SecOps into DevOps.
BlueClosure BC DetectBlueClosureCommercialAnalyzes client-side JavaScript.
BrakemanOpen Source or FreeBrakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
CAST AIPCommercialPerforms static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [AIP's security specific coverage is here](https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards).
Checkmarx Static Code AnalysisOpen Source or FreeAndroid, Apex, ASP.NET, C#, C++, Go, Groovy, HTML5, Java, JavaScript, JSP, .NET, Objective-C, Perl, PHP, PL/SQL, Python, Ruby, Scala, Swift, TypeScript, VB.NET, Visual Basic 6, Windows Phone
CoGuardHeinle Solutions Inc.CommercialSaaS or On-PremisesA SAST tool for infrastructure configuration analysis. Support for common web servers, databases, streaming services, authentication services, container orchestration and Infrastructure-as-Code tools.
CodacyCommercialOffers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)
CodeScan CloudCommercialA Salesforce focused, SaaS code quality tool leveraging SonarQube's OWASP security hotspots to give security visibility on Apex, Visualforce, and Lightning proprietary languages.
CodeSonarCommercialtool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.
CodeSonarOpen Source or FreeC, C++, Java
Contrast AssessCommercialContrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
CoverityOpen Source or FreeAndroid, C#, C, C++, Java, JavaScript, Node.js, Objective-C, PHP, Python, Ruby, Scala, Swift, VB.NET
Coverity Static AnalysisSynopsysCommercial
CxSASTCheckmarxCommercial
DawnscannerOpen Source or FreeDawnscanner is an open source security source code analyzer for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby.
Deep DiveOpen Source or FreeByte code analysis tool for discovering vulnerabilities in Java deployments (EAR, WAR, JAR).
DeepSourceDeepSource Corp.CommercialSaaS or On-PremisesDeepSource helps you automatically find and fix issues in your code during code reviews, such as bug risks, anti-patterns, performance issues, and security flaws. It takes less than 5 minutes to set up with your Bitbucket, GitHub, or GitLab account. It works for Python, Go, Ruby, and JavaScript.
DerScannerDerScanner Ltd.CommercialCapable of identifying vulnerabilities and backdoors (undocumented features) in over 30 programming languages by analyzing source code or executables, without requiring debug info.
DevBugOpen Source or FreeWeb BasedPHP
ECGVoidSecCommercialSaaS TCL Static Source Code Analysis Tool able to detect real and complex security vulnerabilities in TCL/ADP source-code. Discovered vulnerabilities will be mapped against the OWASP top 10 vulnerabilities.
EnlightnEnlightn SoftwareOpen SourceEnlightn is a vulnerability scanner specifically designed for Laravel PHP applications that combines SAST, DAST, IAST and configuration analysis techniques to detect vulnerabilities.
Find Security BugsOpen Source or FreeJava, Scala, Groovy
FindBugsOpen Source or FreeFind bugs (including a few security flaws) in Java programs [Legacy - NOT Maintained - Use SpotBugs (see other entry) instead]
FindSecBugsOpen Source or FreeA security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too.
FlawfinderOpen Source or FreeScans C and C++.
Fluid Attack's ScannerFluid AttacksOpen SourceSAST, DAST and SCA vulnerability detection tool with perfect OWASP Benchmark score.
FortifyMicro FocusCommercialWindows, Linux, and MacOSXFree trial scan available. Supported languages include: ABAP/BSP, ActionScript/MXML (Flex), APEX, ASP.NET, VB.NET, C# (.NET), C/C++, Classic ASP (w/VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, Typescript, T-SQL, Ruby, Scala, Swift, Visual Basic (VB.NET), Visual Basic 6, VBScript, XML
GitLabGitLabCommercialSaaS, Linux, Windows
GolangCI-LintOpen Source or FreeA Go Linters aggregator - One of the Linters is [gosec (Go Security)](https://github.com/securego/gosec), which is off by default but can easily be enabled.
Google CodeSearchDiggityOpen Source or FreeUses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. *Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.*
GrauditOpen Source or FreeLinuxScans multiple languages for various security flaws. Basically security enhanced code Grep.
HCL AppScan CodeSweep - GitHub ActionHCL SoftwareOpen Source or FreeScan the new code on a push/pull request using a GitHub action. Findings are highlighted in the `Files Changed` view and details about the issue and mitigation steps can be found in the `Actions` page. Unrestricted usage allowed with a free trial account. The tool currently supports Python, Ruby, JS (Vue, React, Node, Angular, JQuery, etc), PHP, Perl, COBOL, APEX & a few more.
HCL AppScan CodeSweep - VS CodeHCL SoftwareOpen Source or FreeThis is the first Community edition version of AppScan. It is delivered as a VS Code plugin and scans files upon saving them. The results show the location of a finding, type and remediation advice. The tool currently supports Python, Ruby, JS (Node, Angular, JQuery, etc) , PHP, Perl, COBOL, APEX & a few more.
HCL AppScan SourceHCL SoftwareCommercialAndroid, Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript(Client-side JavaScript, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Visual Basic 6
HCL AppScan on CloudHCL SoftwareOpen Source or FreeApex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript(Client-side JavaScript, Kotlin, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Swift, Visual Basic 6
Hdiv DetectionHdiv SecurityCommercialHdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.
HorusecOpen Source or FreePython(3.x), Ruby, Javascript, GoLang, .NetCore(3.x), Java, Kotlin, Terraform
HuskyCIOpen Source or FreeHuskyCI is an open-source tool that orchestrates security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. HuskyCI can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (Npm Audit and Yarn Audit), Golang (Gosec), and Java(SpotBugs plus Find Sec Bugs)
Insider CLIInsiderSecOpen Source or FreeA open source Static Application Security Testing tool (SAST) written in GoLang for Java Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
Kiuwana division of Idera, Inc.Commercialprovides an application security testing and analytics platform – including SAST and SCA solutions – that reduces risk and improves change management and DevOps processes
KlocworkPerforceCommercialStatic Code Analysis for C, C++, C#, and Java
KlocworkOpen Source or FreeC, C++, C#, Java
KroogalCommercialC, C++
LGTMOpen Source or FreeA free for open source static analysis service that automatically monitors commits to publicly accessible code in Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, Go, Java, JavaScript/TypeScript, Python.
Microsoft FxCopOpen Source or Free.NET
Microsoft PREFastOpen Source or FreeC, C++
MobSFOpen Source or FreeMobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
MobSFOpen Source or FreeWindows, UnixAndroid Java, Objective C, Swift
NextGen Static AnalysisShiftLeftCommercialSaaSFree version available. Currently supports Java, JavaScript, C#, TypeScript, Python, and Terraform. Create your free account at https://shiftleft.io/register.
Nucleaus CoreNucleausCommercialSaaSScans Git repos daily and provides a web-based dashboard to track code and dependency vulnerabilities. Handles team-based access patterns, vulnerability exception lifecycle, and is built on API first principles.
OWASP ASST (Automated Software Security Toolkit)Tarik Seyceri & OWASPOpen Source or FreeUbuntu, MacOSX and WindowsAn Open Source, Source Code Scanning Tool, developed with JavaScript (Node.js framework), Scans for PHP & MySQL Security Vulnerabilities According to OWASP Top 10 and Some other OWASP's famous vulnerabilities, and it teaches developers of how to secure their codes after scan.
OWASP Code CrawlerOWASPOpen Source.NET, Java
OWASP LAPSE ProjectOWASPOpen SourceJava
OWASP Orizon ProjectOWASPOpen SourceJava
OWASP WAP (Web Application Protection)OWASPOpen SourcePHP
Offensive360CommercialSAST technology that attacks the source code from all corners it has all in one. Malware, SCA, License, and deep source code analysis.
OversecuredOversecured IncCommercialAndroidA static SaaS-based vulnerability scanner for Android apps (APK files), supports apps written on Java and Kotlin. Also allows integrations into DevOps processes.
PITSS.CONPITTSCommercialScans Oracle Forms and Reports Applications
PMDOpen Source or FreePMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues).
PT Application InspectorPositive TechnologiesCommercialCombines SAST, DAST, IAST, SCA, configuration analysis and other technologies for high accuracy. Can generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis. Supports Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
PVS-StudioOpen Source or FreeC, C++, C#
PVS-Studio AnalyzerPVS-StudioCommercialStatic code security analysis for C, C++, C#, and Java. A commercial B2B solution, but provides several free [licensing options](https://www.viva64.com/en/b/0614/).
ParaSoftOpen Source or FreeC, C++, Java, .NET
Parasoft TestParasoftCommercialTest tools for C/C++, .NET, Java
Polyspace Static AnalysisOpen Source or FreeC, C++, Ada
PreFastMicrosoftOpen Source or FreePREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
ProgpilotOpen Source or FreeProgpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
PsalmVimeo, Inc.Open SourceStatic code analysis for PHP projects, written in PHP.
Puma ScanPuma SecurityCommercialA .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.
Puma Scan ProfessionalOpen Source or Free.NET, C#
PyreOpen Source or FreeA performant type-checker for Python 3, that also has [limited security/data flow analysis](https://pyre-check.org/docs/pysa-basics.html) capabilities.
RIPS Code AnalysisRIPS Technologies - Acquired by SonarSourceCommercialStatic security analyzer for Java and PHP.
SecureAssistSynopsysCommercialScans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio, etc. Supports Java, .NET, PHP, and JavaScript.
Security Code ScanOpen Source or FreeStatic code analyzer for .NET. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
SeekerSynopsysCommercialSeeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
SemgrepOpen Source or FreeLightweight static analysis for many languages. Find bug variants with patterns that look like source code. No compilation needed to scan source code. Supports Go, Java, JavaScript, JSON,Python, TypeScript, and more.
Sentinel SourceWhitehatCommercialStatic security analysis for 10+ languages.
ShiftLeft ScanOpen Source or FreeA free open-source DevSecOps platform for detecting security issues in source ode and dependencies. It supports a broad range of languages and CI/CD pipelines by bundling various open source scanners into the pipeline.
Sink TankOpen Source or FreeJava byte code static code analyzer for performing source/sink (taint) analysis.
Snyk CodeSnyk LimitedCommercialSaaS
SonarCloudOpen Source or FreeABAP, C, C++, Objective-C, COBOL, C#, CSS, Flex, Go, HTML, Java, Javascript, Kotlin, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Swift, T-SQL, TypeScript, VB6, VB, XML
SonarQubeOpen Source or FreeScans source code for 15 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [SonarLint](https://www.sonarlint.org/).
SpectralSpectralOpsOpen Source or FreeMulti-platform & Multi-architecture. Linux/Windows/MacOSx/*nix. Programming-language agnosticDiscover, classify, and protect your codebases, logs, and other assets. Monitor and detect API keys, tokens, credentials, high-risk security misconfiguration and more.
SplintOpen Source or FreeC
SpotBugsOpen Source or FreeJava. This is the active fork replacement for FindBugs, which is not maintained anymore. Very little security. FindSecBugs plugin provides security rules.
Static ReviewerSecurity ReviewerCommercialWindows and Linux; on-Premises and in Cloud; Desktop, CLI and CI/CD & IDE plugin integrationStatic Reviewer executes code checks according to the most relevant Secure Coding Standards for 40+ programming languages, using 1000+ built-in validation rules.
Thunderscan SASTDefenseCodeCommercialStatic security analysis for 27+ languages.
VS Code OpenAPI (Swagger) Editor extensionOpen Source or FreePlugin to Microsoft Visual Studio Code that enables rich editing capabilities for REST API contracts and also includes linting and Security Audit (static security analysis).
VeracodeOpen Source or FreeAndroid, ASP.NET, C#, C, C++, Classic ASP, COBOL, ColdFusion/Java, Go, Groovy, iOS, Java, JavaScript, Perl, PhoneGap/Cordova, PHP, Python, React Native, RPG, Ruby on Rails, Scala, Titanium, TypeScript, VB.NET, Visual Basic 6, Xamarin
Veracode Static AnalysisVeracodeCommercial
VisualCodeGrepperOpen Source or FreeWindowsC/C++, C#, VB, PHP, Java, PL/SQL
VisualCodeGrepper (VCG)Open Source or FreeScans C/C++, C#, VB, PHP, Java, PL/SQL, and COBOL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
XanitizerXanitizerCommercialCLI and plugin integrationA SAST tool for Java, Scala, and JavaScript/TypeScript, mainly via taint analysis. Per this pricing page, it is free for Open Source projects if you contact the vendor.
bugScoutNalbatech, Formerly BugurooCommercial
nodejsscanOpen Source or FreeUnixNode.js
phpcs-security-auditOpen Source or FreeA set of PHP_CodeSniffer rules to finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
reshiftCommercialA CI/CD static code security analysis tool for Java that uses machine learning to give a prediction on false positives.
Fortify Plugin For Visual Studio

Fortify Plugin For Visual Studio 2013

More info

  • NIST’s list of Source Code Security Analysis Tools.
  • DAST Tools - Similar info on Dynamic Application Security Testing (DAST) Tools.
  • Free for Open Source Application Security Tools - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source.