Congratulations! That app your team was working on is finally built. Now it’s time to scan for all the different holes in it—like unencrypted data, a bad library, or a lack of logs.
At April’s RSA Conference, two code pros—David Melamed, co-founder and CTO of code-security provider Jit, and Luke O’Malley, co-founder and CPO of the analysis tool Semgrep—recommended five open-source detection tools for developers in search of vulnerabilities.
The “starter set” offers detection and remediation capabilities for applications—a popular attack vector for hackers. (A 2022 Forrester survey of compromised orgs found that the top external-attack vectors were software supply-chain breaches and software vulnerability exploits.)
The fab five:
- Semgrep: O’Malley may be slightly biased, given his affiliations, but the Semgrep scanner looks at developer-written code and offers many checks (pulled from other code-scanning tools like Gitleaks and Brakeman). The tool supports 30-plus languages, like Java, Python, or React.
  Highlight: “You can write your own rules,” said O’Malley, including ones that automate code-review comments or identify secure-code violations.
  Other noted code scanners: SpotBugs, RuboCop, Bandit
- OSV-Scanner: Many developers pull from libraries, in the spirit of not recreating the wheel. Google’s dependency checker aggregates vulnerability databases, including GitHub’s. The tool also scans software bills of materials (SBOMs) and package lockfiles.
  Highlight: OSV supports all major language ecosystems.
  Other noted dependency checkers: Retire.js, npm audit, dependency-check
- KICS: For some modern companies, the infrastructure is configured in code. The KICS infrastructure as code (IaC) scanner detects misconfigurations, like overly permissive permissions or a lack of encryption on an S3 bucket.
  Highlight: KICS has auto-remediation options. “That’s one of the things that is hit or miss for open-source tools: They may find the problem, but may not tell you how to fix the problem,” O’Malley told the RSA audience.
  Other noted IaC scanners: Terrascan by Tenable, Checkov by Bridgecrew, tfsec by Aqua Security
- Trivy: Aqua Security’s tool detects vulnerabilities and misconfigurations by scanning container images, file systems, and git repositories. Trivy also generates SBOMs.
  Highlight: The tool has its own vulnerability database. “You don’t need to have a special setup,” said Melamed.
  Other noted container scanners: Clair by Quay.io, Grype by Anchore
- OWASP ZAP: Maintained by the Open Worldwide Application Security Project (OWASP), the runtime scanner finds vulnerabilities in apps and APIs while they’re up and appin’. Originally built to spot the top 10 OWASP risks, the zapper now has many more active scan rules.
  Highlight: The project is actively maintained by a large group of users around the world. “It’s a super, super popular project,” said Melamed.
  Other noted runtime scanners: Wapiti, Nikto, Arachni
The RSA duo recommended the starter set, but not deploying it all at once. Phased rollouts ease implementation.
“Don’t try to solve the problem everywhere to start, but pick a development team, and start small in scope,” said O’Malley, who also told the RSA crowd to get feedback from the developers related to performance indicators like speed.
With any top five, after all, there’s going to be a debate.