
Source Code Analysis Tools

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful point in the development life cycle at which to employ such tools, as it gives developers immediate feedback on issues they may be introducing while writing the code. This immediate feedback is very useful, especially compared to finding vulnerabilities much later in the development cycle.

Strengths and Weaknesses

Strengths
  • Scales well — can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
  • Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL injection flaws, and so forth
  • Output is good for developers — highlights the precise source files, line numbers, and even subsections of lines that are affected
Weaknesses
  • Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
  • High numbers of false positives.
  • Frequently can’t find configuration issues, since they are not represented in the code.
  • Difficult to ‘prove’ that an identified security issue is an actual vulnerability.
  • Many of these tools have difficulty analyzing code that can’t be compiled. Analysts frequently can’t compile code because they don’t have the right libraries, all the compilation instructions, all the code, etc.
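
As an added illustration (not code from the OWASP page or from any tool listed below), the following small Python script shows the kind of high-confidence pattern check a SAST tool runs for SQL injection, and the false-positive weakness named above: it flags `execute()` calls whose query is built at run time, and a `fold_literals` option shows one way to cut a class of false positives. The sample source it scans is constructed here.

```python
"""Toy SAST check for SQL built by string concatenation (added example)."""
from __future__ import annotations
import ast

# Constructed sample source with three execute() calls (line numbers start at 1;
# the first line of the string is empty).
SAMPLE = '''
def lookup(cursor, user_id, table):
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))  # parameterised: safe
    cursor.execute("SELECT * FROM " + table + " WHERE id = 1")       # untrusted name concatenated
    cursor.execute("SELECT " + "1")                                  # literals only: false positive
'''

def _is_dynamic_string(node: ast.AST, fold_literals: bool) -> bool:
    """True when the node builds a string at run time (f-string, +, %, .format)."""
    if isinstance(node, ast.JoinedStr):                    # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        if fold_literals and all(isinstance(s, ast.Constant) for s in (node.left, node.right)):
            return False  # "a" + "b": no run-time data can reach the query
        return True                                        # "a" + b  or  "a" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                  # "...".format(b)
    return False

def find_sql_concat(source: str, fold_literals: bool = False) -> list[int]:
    """Return the line numbers of execute() calls whose first argument is built dynamically."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and _is_dynamic_string(node.args[0], fold_literals)):
            hits.append(node.lineno)
    return sorted(hits)

if __name__ == "__main__":
    print("flagged lines:", find_sql_concat(SAMPLE))                      # [4, 5]
    print("with literal folding:", find_sql_concat(SAMPLE, fold_literals=True))  # [4]
```

The check has no data-flow analysis, so it cannot tell whether `table` is actually attacker-controlled; that is the "difficult to prove" weakness in practice, and why real tools add taint tracking on top of such patterns.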

Open Source or Free Tools Of This Type

  • Bandit – bandit is a comprehensive source vulnerability scanner for Python
  • Brakeman – Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
  • Codesake Dawn – Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works on non-web applications written in Ruby
  • FindBugs – (Legacy – NOT Maintained – Use SpotBugs (see below) instead) – Find bugs (including a few security flaws) in Java programs
  • FindSecBugs – A security-specific plugin for SpotBugs that significantly improves SpotBugs’s ability to find security vulnerabilities in Java programs. Works with the old FindBugs too.
  • Flawfinder – Scans C and C++
  • Google CodeSearchDiggity – Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, GitHub, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.
  • Graudit – Scans multiple languages for various security flaws.
  • LGTM – A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python
  • PMD – PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
  • Progpilot – Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
  • PreFast (Microsoft) – PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
  • Puma Scan – Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
  • .NET Security Guard – Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
  • RIPS – RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
  • phpcs-security-audit – phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
  • SonarQube – Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by SonarLint.
  • SpotBugs – This is the active fork replacement for FindBugs, which is not maintained anymore.
  • VisualCodeGrepper (VCG) – Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

GitLab has integrated a free SAST tool for a number of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list.

Source:
https://www.owasp.org/index.php/Source_Code_Analysis_Tools

All-in-One Monitoring Solution

We can use your own monitoring systems, install a new system for you and migrate the hosts, or, if you have a small operation, monitor you from our own monitoring system.

Our NOC team helps our customers with:

  • Website Monitoring
  • Application Performance Monitoring
  • Server Monitoring
  • Network Monitoring
  • Cloud Monitoring, Private and Public

We have customers of all sizes, from a large telecom with more than 500 hosts to mid-size and small companies with only 2 hosts. Our NOC team works around the clock, 24x7x365.

Our customers save resources: their engineers have more time for important projects, while we improve operations and reduce downtime.

We have a custom solution for you.

The Best Free Network Monitoring Tools

Open-source choices are good and can even match commercial tools, but you should know that using open-source monitoring requires a high level of involvement with the tool, which may not suit your needs. Open source requires a significant investment in time and resources to learn, install, configure, and use. Features may have to be built with the help of community support or an in-house IT team. The second consideration is security, which becomes an issue if your enterprise has strict security guidelines. Immediate custom fixes may not be available unless you spend time developing them. Or there could be instances when major security flaws aren’t discovered in the auditing process.

ICINGA2

Icinga 2 is an open source monitoring system which checks the availability of your network resources, notifies users of outages, and generates performance data for reporting.

Scalable and extensible, Icinga 2 can monitor large, complex environments across multiple locations.


If you already have Nagios clients on your systems, the migration is very easy: you can continue using the same Nagios clients as they are, such as Nagios NRPE, NSClient, etc.

Many companies used Nagios for years and have now migrated to Icinga2.

NAGIOS CORE

Nagios® is one of the most popular and widely used free network monitoring tools. Network admins like Nagios because it does everything. Whatever it doesn’t have can be built, or has been built by the Nagios community.

There are two versions of Nagios. Nagios Core is open source and free, and Nagios XI is a commercial tool based on the Nagios Core but with added features. Nagios is popular due to its active development community and external plug-in support. You can create and use external plugins in the form of executable files or Perl® and shell scripts to monitor and collect metrics from every hardware and software used in a network. There are plugins that provide an easier and better GUI, address many limitations in the Core®, and support features, such as auto discovery, extended graphing, notification escalation, and more. Nagios can be overwhelming for beginners and enterprises that do not have enough IT support staff, but it provides good monitoring powers. For support, users can always get help from the Nagios community, or opt for a commercial support package from Nagios Enterprise. Quality NOC can provide support for installation, configuration and development of new features to check software and hardware.

If you have the time to invest in learning and mastering this tool, Nagios Core offers good network monitoring capabilities.
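
The plugin mechanism described above is what Icinga2's Nagios compatibility rests on, so as an added example (not a plugin from the Nagios or Icinga projects) here is a minimal check plugin in Python that follows the shared plugin convention: exit code 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN, and a single output line of the form `STATUS - text | perfdata`. The `-w`/`-c` thresholds and the `disk_used` perfdata label are this example's own choices.

```python
#!/usr/bin/env python3
"""check_disk_pct: Nagios/Icinga 2 style plugin checking disk usage of a path (added example)."""
from __future__ import annotations
import argparse
import shutil
import sys

# Exit codes defined by the Nagios plugin convention, which Icinga 2 also uses.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

def evaluate(used_pct: float, warn: float, crit: float, label: str = "disk") -> tuple[int, str]:
    """Map a usage percentage to (exit code, plugin output line)."""
    if not 0 <= warn <= crit <= 100:
        return UNKNOWN, "UNKNOWN - thresholds must satisfy 0 <= warn <= crit <= 100"
    if used_pct >= crit:
        code = CRITICAL
    elif used_pct >= warn:
        code = WARNING
    else:
        code = OK
    # Perfdata format: 'label'=value[UOM];warn;crit;min;max
    perf = f"'{label}_used'={used_pct:.1f}%;{warn:g};{crit:g};0;100"
    return code, f"{LABELS[code]} - {label} usage {used_pct:.1f}% | {perf}"

def disk_used_pct(path: str) -> float:
    """Percentage of the filesystem holding `path` that is in use."""
    usage = shutil.disk_usage(path)
    return 100.0 * usage.used / usage.total

def main(argv: list[str] | None = None) -> int:
    parser = argparse.ArgumentParser(description="check disk usage percentage")
    parser.add_argument("-p", "--path", default="/")
    parser.add_argument("-w", "--warning", type=float, default=80)
    parser.add_argument("-c", "--critical", type=float, default=90)
    args = parser.parse_args(argv)
    try:
        used = disk_used_pct(args.path)
    except OSError as exc:
        # Anything the plugin cannot measure is reported as UNKNOWN, never as OK.
        print(f"UNKNOWN - cannot stat {args.path}: {exc}")
        return UNKNOWN
    code, line = evaluate(used, args.warning, args.critical)
    print(line)
    return code

if __name__ == "__main__":
    sys.exit(main())
```

Run as `check_disk_pct -p / -w 80 -c 90` from a Nagios or Icinga2 command definition; the first output line is shown in the UI and the perfdata after `|` feeds graphing.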

CACTI

Cacti® is a network monitoring tool that allows you to collect data from almost any network element, including routing and switching systems, firewalls, load balancers, and servers, and put that data into robust graphs. If you have a device, it’s possible that Cacti’s active community of developers has created a monitoring template for it.

Cacti supports SNMP polling, which itself covers a wide range of network devices. You can also extend Cacti’s capabilities to use scripts, queries, or commands for data collection, and save that as a template to use for polling other devices for similar data sets. Cacti leverages the power of RRDTool, an open-source data logging and graphing system, to store polled data in the database and to create graphs from the stored data sets. RRDTool’s data consolidation lets you store collected data forever, limited only by the size of your storage. Cacti, building on RRDTool, can generate any type of graph for any data set, and the graphing used in Cacti is the standard used by many open-source and commercial tools. Cacti also allows you to add multiple users and give them access with or without edit permissions, which is perfect for service providers and enterprises with a large NOC team.

Cacti’s strength lies in its community of developers who have contributed many plug-ins, scripts, and templates that can be used to monitor almost every type of device. We especially like its device support and graphing capabilities.

ZABBIX

Zabbix is probably the most widely used open-source network monitoring tool after Nagios.
Complex to set up, Zabbix® comes with a simple and clean GUI that makes it easy to manage once you get the hang of it.

Zabbix supports agent-less monitoring using technologies such as SNMP, ICMP, Telnet, SSH, etc., and agent-based monitoring for all Linux® distros, Windows® OS, and Solaris®. It supports a number of databases, including MySQL®, PostgreSQL™, SQLite, Oracle®, and IBM® DB2®. Zabbix’s VMware® monitoring capabilities allow you to customize using any scripting or programming language, which is widely regarded as its best feature.

NTOP

ntop, which is now ntopng (ng for next generation), is a traffic probe that uses libpcap (for packet capture) to report on network traffic.

You can install ntopng on a server with multiple interfaces, and use port mirroring or a network tap to feed ntopng with the data packets from the network for analysis. ntopng can analyze traffic even at 10G speeds; report on IP addresses, volume, and bytes for each transaction; sort traffic based on IP, port, and protocol; generate reports for usage; view top talkers; and even report on AS information. This level of traffic analysis helps you make informed decisions about capacity planning and QoS design, and also helps you find bandwidth-hogging users and applications in the network. ntopng has a commercial version called ntopng pro that comes with some additional features, but the open-source version is good enough to quickly gain insight into traffic behavior. ntop can also integrate with external monitoring applications such as Nagios for alerting, and provide data for monitoring.

Ntopng has some limitations, but the level of network traffic visibility it provides makes it well worth the effort.

Cloud servers status?

Do you know the status of your cloud servers?

If your systems are in the cloud, you should know the status of your servers: it is very important to monitor HTTP traffic and check CPU load, memory load, disk usage, processes, etc.

Quality NOC can use different tools to monitor your servers. Our price list is based on the number of hosts, so if you only need to monitor 1 or 2 we do the job for a very convenient price, starting from € 15 per month for 1 host with basic monitoring and email alerts.

Let us know about your needs; we are glad to send a quotation based on the hosts and services you need to monitor.

We keep your systems UP and your customers happy.

Federico Piergentili, Founder, Quality NOC S.L., which provides a remote monitoring and management 24/7 Network Operations Center (NOC) that monitors, troubleshoots and maintains IT environments.

What is DOWN & what is UP?

Start monitoring your systems with Open Source Icinga2.

We help you with the migration and monitoring of your hosts/systems from Nagios to Icinga2. If you don’t have any monitoring tool, we recommend using Icinga2.

Quality NOC provides outsourced network monitoring, server monitoring, application monitoring, website monitoring, switches, routers, SIP Trunk monitoring, etc.

Whitelabel NOC – Service desk

Service desk: 

Quality NOC outsourced support services:

Our technicians take on the burden of supporting your customers, freeing up your time for other tasks. This allows you and your team to focus on sales, marketing, and building your company while we work hand in hand with your clients. All of our technicians are trained Windows and Linux experts, capable of handling everything from simple issues all the way up to some of the most difficult tasks.

We can use any system you are working with, and as soon as we get the ticket, we react.
We contact (email or call) your engineers based on the contact and escalation matrix.
We can reply to the ticket, forward it or contact the engineer, do a follow-up and send updates to the customer based on your SLA.
We will also do escalations if needed, and we can prepare a monthly report about the incidents.

We are ready to take your tickets and we speak English, Spanish, Norwegian/Swedish and Portuguese. We are planning to add German soon too.

We can offer you a fixed monthly price based on monthly number of tickets you receive. This is a great solution for your company.

Our NOC engineers complement your company’s staff, and our services are priced so that your company pays only for what it needs as your managed services practice grows.

We can provide different solutions:

  • Per week 24/7/365
    Fixed fee.
  • Per week outside business hours
    We have a customer paying a fixed fee for 2 weeks per month, with monitoring from 16:00 to 8:00, Monday to Friday, and 24 hrs on weekends.
  • All month 24/7
    Fixed fee.
  • All month outside business hours
    Fixed fee, from 16:00 to 8:00, Monday to Friday, and 24 hrs on weekends.

We are open to hearing your needs and preparing a good offer and solution for your company.

WHITE LABEL NOC SERVICES

An extension of your business

There is another way. An increasing number of MSPs (Managed Service Providers) have recognised the benefits of outsourcing the NOC to a specialist partner who provides services under a white label. The operation may be integrated with the MSP’s business and customers to whatever extent the MSP chooses. The NOC partner monitors and manages the MSP’s client networks round the clock using its own infrastructure and expert staff. For the MSP, this avoids the need to finance the creation, running and staffing of a NOC; instead there are predictable, fixed monthly payments that help to control and reduce operational expenditure (OPEX).