[Owasp-leaders] [balint:6040] Access to SAST tooling

Lucian Corlan lucian.corlan at owasp.org
Fri Oct 27 14:52:03 UTC 2017


The appsec world possibly needs a crowdfunded cloud platform for SAST
scanning by OWASP, initially putting together free OWASP or non-OWASP tools.
The first effect, hopefully, would be to calm down those expensive prices of
commercial SAST tools (with API).

That being said, most commercial SAST vendors offer some form of limited
free scanning (e.g. Coverity - free scanning of open source code).
The problem remains that you can't cover code that cannot be shared and that
needs protection - for that you need either a classic on-premise tool, a CI
plugin, or something similar to Browserstack.com for SAST scanning - an
end-to-end encrypted client/server setup that resolves the code protection
issue - which doesn't exist AFAIK.

Most commercial SAST tool vendors are collaborating with OWASP in various
countries or projects, but partnering with one of them would probably mean
we might be breaching our vendor-neutral policy.

At the moment, if you develop a very critical software project and you want
to know that you threw every SAST tool available at it (somewhat similar to
VirusTotal in the anti-virus world), there's nothing out there to help you
achieve that. And we all know that SAST tools tend to provide very
different results on the same code.

Just my 2c,
Lucian

On 27 Oct 2017 12:46, "Timur 'x' Khrotko [owasp]" <timur at owasp.org> wrote:

Sonar?
The big and ridiculously overpriced tools are not always better ;)

On Fri, 27 Oct 2017 at 13:23, Mike Goodwin <mike.goodwin at owasp.org> wrote:

> Hello all,
>
> I'm interested in building static code scanning into my OWASP tool project
> <https://www.owasp.org/index.php/OWASP_Threat_Dragon> but they are pretty
> expensive. Does OWASP have any organisation-wide license for a tool to do
> this? Or a subscription to an online service?
>
> Best regards,
> --
> *Mike Goodwin*
> OWASP Newcastle UK Chapter Leader
> <https://www.owasp.org/index.php/Newcastle>
> OWASP Threat Dragon Project Leader
> <https://github.com/mike-goodwin/owasp-threat-dragon>
> @theblacklabguy
>
> This message may contain confidential information - you should handle it
> accordingly.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
-- 

secmachine․net #wepowersecdev

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
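Lucian's "VirusTotal for SAST" idea above amounts to running several scanners over the same tree and comparing what they report. The following is an added example (not code from this thread, from OWASP or from any vendor) showing the merge step such a service would need: each tool's SARIF-shaped output is normalized to (file, line, CWE) so that tool-specific rule IDs become comparable, and the script reports which findings every tool agreed on and how much each pair of tools overlaps. The tool names, rule IDs, the rule-to-CWE tables and the findings are constructed for illustration; SARIF 2.1.0 is the real interchange format most SAST tools can emit.

```python
"""Merge findings from several SAST tools and report where they agree.

Added example for this thread, not code from any OWASP project or vendor.
Input is SARIF 2.1.0-shaped JSON; tool names, rule IDs, CWE tables and
findings below are constructed for illustration.
"""
import json
from collections import defaultdict
from itertools import combinations

# Hypothetical per-tool rule -> CWE tables. Assumption: you maintain these
# from each vendor's rule documentation; the rule IDs here are made up.
RULE_TO_CWE = {
    "toolA": {"A-sqli": 89, "A-xss": 79},
    "toolB": {"B001": 89, "B007": 22},
    "toolC": {"C-inj": 89, "C-xss": 79},
}


def _result(rule, uri, line, text):
    """Build one SARIF-shaped result (helper for the constructed sample)."""
    return {"ruleId": rule, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}]}


def _run(tool, results):
    """Wrap results in a single SARIF run attributed to `tool`."""
    return {"runs": [{"tool": {"driver": {"name": tool}}, "results": results}]}


# Constructed sample: three hypothetical tools scanning the same tree.
SAMPLE_REPORTS = [
    _run("toolA", [_result("A-sqli", "src/db.py", 42, "SQL built from input"),
                   _result("A-xss", "src/web.py", 10, "reflected parameter")]),
    _run("toolB", [_result("B001", "src/db.py", 42, "concatenated query"),
                   _result("B007", "src/files.py", 5, "path from request")]),
    _run("toolC", [_result("C-inj", "src/db.py", 42, "tainted query"),
                   _result("C-xss", "src/web.py", 10, "unescaped output"),
                   _result("C-inj", "src/db.py", 77, "tainted query")]),
]


def load_reports(paths):
    """Read real SARIF files from disk (not used by the sample run)."""
    docs = []
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            docs.append(json.load(fh))
    return docs


def normalize(sarif, rule_to_cwe):
    """Yield (tool, (uri, line, category)) for every result location.

    Category is "CWE-<n>" when the rule is mapped. An unmapped rule is kept
    under a tool-qualified name so it is never silently dropped, but it can
    then only ever match itself, so agreement counts undercount, never over.
    """
    for run in sarif["runs"]:
        tool = run["tool"]["driver"]["name"]
        table = rule_to_cwe.get(tool, {})
        for r in run.get("results", []):
            rule = r["ruleId"]
            cat = f"CWE-{table[rule]}" if rule in table else f"{tool}:{rule}"
            for loc in r.get("locations", []):
                phys = loc["physicalLocation"]
                uri = phys["artifactLocation"]["uri"]
                line = phys.get("region", {}).get("startLine", 0)
                yield tool, (uri, line, cat)


def consensus(reports, rule_to_cwe=RULE_TO_CWE):
    """Map each normalized finding to the sorted list of tools reporting it."""
    agree = defaultdict(set)
    for doc in reports:
        for tool, key in normalize(doc, rule_to_cwe):
            agree[key].add(tool)
    return {k: sorted(v) for k, v in agree.items()}


def flagged_by_at_least(cons, n):
    """Findings confirmed by at least `n` independent tools."""
    return sorted(k for k, tools in cons.items() if len(tools) >= n)


def pairwise_jaccard(cons):
    """Overlap of each tool pair's finding sets: 1.0 means identical output."""
    per_tool = defaultdict(set)
    for key, tools in cons.items():
        for t in tools:
            per_tool[t].add(key)
    scores = {}
    for a, b in combinations(sorted(per_tool), 2):
        inter = len(per_tool[a] & per_tool[b])
        union = len(per_tool[a] | per_tool[b])
        scores[(a, b)] = inter / union if union else 1.0
    return scores


if __name__ == "__main__":
    cons = consensus(SAMPLE_REPORTS)
    for (uri, line, cat), tools in sorted(cons.items()):
        print(f"{uri}:{line} {cat} -> {', '.join(tools)}")
    for (a, b), score in pairwise_jaccard(cons).items():
        print(f"{a} vs {b}: Jaccard {score:.2f}")
```

Exact-line matching is deliberately strict: real tools often report the sink on one line and the source on another, so a production merge would compare taint paths or allow a line tolerance, and the low pairwise scores on even this small sample are the "very different results" Lucian describes.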