I am setting up a software security initiative at a small software company. Part of this is selecting a static analysis tool for early and automated detection of security vulnerabilities.
Many languages have several incumbent static analysis tools. C#, our backend language, has a plethora of them, like HP Fortify or Checkmarx CxSuite to name a few.
Many of these tools also scan JavaScript code in the browser. They check for common things like cross-site scripting (XSS) and cross-site request forgery (CSRF or XSRF) attacks. They even understand JQuery and older JavaScript libraries.
However, I have been unable to find a static analysis tool that looks at JavaScript MVC frameworks. AngularJS, the JavaScript framework we are using, mitigates many common security vulnerabilities (such as many DOM injection attacks through data binding) but provides different solutions to other vulnerabilities (such as its own XSRF protection mechanism).
What static analysis tools exist that support AngularJS websites? Cost is not so much an issue, rather than a good set of rules. AngularJS-specific or JavaScript-specific tools are fine, too.
Please keep in mind:
- This static analysis tool is not a replacement for manual or penetration testing. This will come later but static analysis tools allow discovery of issues as soon as the code is written rather than near the end when the product is complete. While I am working with good developers, they are not security experts. The code base is increasingly large (100K+ lines) and I personally cannot review each and every change.
- Many static analysis tools allow the creation of new rules and I am happy to so do. However, my focus is on delivering software instead of creating and debugging basic security checks.