
Do these two terms refer to the same thing? https://www.owasp.org/index.php/Source_Code_Analysis_Tools

http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#.NET

Some of the tools overlap. Makes you wonder. If they are different, can someone explain the differences to me?

DoodleKana

3 Answers


Often, people use these interchangeably within the security industry.

The lists you are pointing to are referring to the same types of tools/assessment, with the addition that the second list is broader, including static analysis tools that are not targeted at security, such as those used to check for code quality issues.

Some types of SAST technically do not review source, but binaries, so it can be a little bit of a misnomer to call it SCA, in that situation.

I personally like the DAST, SAST, MAST nomenclature, because it delineates between the broad types of assessing applications for security issues: by running tests against a running application (dynamic analysis), by examining the code components or a model of them (static analysis), or by tool-assisted expert inspection and testing (manual analysis).


In a popular book on the topic, "The Art of Software Security Assessment", strategies for code audits (Chapter 4) stem from three major concepts:

  1. Code comprehension strategies, e.g., your "source code analysis", where code is read from top to bottom, in pieces/components, or where runtime hit traces in the execution flow cover particular areas of interest such as methods, functions, or basic blocks
  2. Candidate point strategies, e.g., your "static application security testing", where code is analyzed with an automated tool -- typically lexical analyzers, dynamic application security testing scanners, integrated application security testing frameworks, and/or AST-parsing model checkers. Note that all of these tools must be driven by a domain-level expert in order to be understood and tuned
  3. Design generalization strategies, partly rooted in source code analysis, but the code, or its underlying architecture, is analyzed by a method (e.g., OOA&D) and/or tool (e.g., doxygen, ctags, etc.) -- typically to uncover software patterns, frameworks, components, and, if object-oriented, mappings of class diagrams. Note that these methods and tools must again be driven by a domain-level expert for proper interpretation and optimization
atdre

There are many contrasts among SAST and SCA devices. SAST instruments just recognize security weaknesses in exclusive code by examining an application's code for defects that are characteristic of security weaknesses while the code is still in a static/non-running state. This assists engineers with remediating issues in their code before it's conveyed. While numerous SAST suppliers offer SCA arrangements, they are not as thorough and compelling as a devoted SCA arrangement may be.

SCA tools distinguish and track all open source segments in an association's codebase, to assist engineers in dealing with their open-source parts. Progressed SCA instruments mechanize the whole cycle of overseeing open source segments, including determination, alarming on any security or consistency issues, or in any event, impeding them from the code. They likewise give extensive data about the open-source weaknesses found so engineers can undoubtedly fix them. SCA apparatuses can be utilized all through the SDLC, from creation to after creation.

There are plenty of tools available with free and commercial licenses. Our company uses Klocwork from Perforce. SAST is one of the tools for C, C++, C#, and Java that identifies software security, quality, and reliability issues in addition to helping enforce compliance with standards.
Hope that helps.

There are various tools to scan and analyze code. It all depends on the OS of the application. Below is an example of a .Net Project resource file setup for Static analysis and security testing. (both C# and VB.Net)

<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    [..]
    <TargetFrameworkProfile />
    <!-- Add the line below -->
    <AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>
  </PropertyGroup>

The helper PowerShell script can be used to do it automatically for all projects in a subfolder:

# Every C# project file below the current folder (the VB.Net equivalent is *.vbproj)
Get-ChildItem *.csproj -Recurse | ForEach-Object {
    # Load the project file as XML so the new element can be created in the MSBuild namespace
    $content = [xml] (Get-Content $_.FullName)

    if (-not $content.Project.PropertyGroup[0].AdditionalFileItemNames)
    {
        Write-Host "AdditionalFileItemNames missing in $($_.FullName)"
        $additionalFileItemNamesElt = $content.CreateElement("AdditionalFileItemNames",
            "http://schemas.microsoft.com/developer/msbuild/2003")
        $additionalFileItemNamesElt.set_InnerText('$(AdditionalFileItemNames);Content')
        $content.Project.PropertyGroup[0].AppendChild($additionalFileItemNamesElt) | Out-Null
    }

    # Clear the read-only flag (e.g. set by source control) so the file can be written
    Set-ItemProperty $_.FullName -Name IsReadOnly -Value $false
    # Use the full path: the file object's string form may be just the file name
    $content.Save($_.FullName)
    # Normalize line endings
    (Get-Content $_.FullName -Encoding UTF8) | Set-Content $_.FullName -Encoding UTF8
}
xCoder
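The SAST-versus-SCA distinction in the answer above, as an added example that is not from the original post or from any of the tools it names: SCA does not look for defect patterns in the code, it inventories the third-party components a project declares and matches them against known-vulnerable version ranges. The packages.config content, the package names and the advisory identifiers below are all constructed for this example.

```python
"""Minimal SCA check over a .NET packages.config (added example, not from the page).
The advisory table and the packages.config are constructed; a real SCA tool
pulls advisories from a vulnerability database instead."""
import xml.etree.ElementTree as ET

# Constructed sample: a NuGet packages.config as found beside a .csproj.
PACKAGES_CONFIG = """<packages>
  <package id="Example.Json" version="9.0.1" targetFramework="net45" />
  <package id="Example.Logging" version="2.4.0" targetFramework="net45" />
  <package id="Example.Web" version="1.3.2" targetFramework="net45" />
</packages>
"""

# Constructed advisory table: package -> (first vulnerable, first fixed, advisory id).
# A version v is affected when first_vulnerable <= v < first_fixed.
ADVISORIES = {
    "Example.Json": [("8.0.0", "9.0.2", "PLACEHOLDER-ADVISORY-1")],
    "Example.Web": [("1.0.0", "1.3.0", "PLACEHOLDER-ADVISORY-2")],
}

def parse_version(text):
    """Turn '9.0.1' into (9, 0, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def inventory(packages_xml):
    """SCA step 1: list the declared components as (id, version) pairs."""
    root = ET.fromstring(packages_xml)
    return [(p.get("id"), p.get("version")) for p in root.findall("package")]

def find_vulnerable(packages_xml, advisories=ADVISORIES):
    """SCA step 2: report components whose version falls inside a vulnerable range."""
    findings = []
    for pkg_id, version in inventory(packages_xml):
        v = parse_version(version)
        for lo, hi, advisory in advisories.get(pkg_id, []):
            if parse_version(lo) <= v < parse_version(hi):
                findings.append((pkg_id, version, advisory, hi))
    return findings

if __name__ == "__main__":
    for pkg_id, version, advisory, fixed in find_vulnerable(PACKAGES_CONFIG):
        print(f"{pkg_id} {version}: {advisory}, upgrade to >= {fixed}")
```

Example.Web 1.3.2 is already at or past its fixed version, so only Example.Json is reported; that version-range logic, not code inspection, is what separates an SCA finding from a SAST one.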