[Owasp-leaders] Access to SAST tooling

Michael Scovetta michael.scovetta at gmail.com
Sun Oct 29 16:11:10 UTC 2017


We released DevSkim (IDE-based security linter), but a CLI is also available for automated scanning.

https://github.com/Microsoft/DevSkim

Mike

-----Original Message-----
From: "Kim Carter" <kim.carter at owasp.org>
Sent: 10/28/2017 11:36 PM
To: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] Access to SAST tooling

and other countermeasures for consuming free and open source: http://f1.holisticinfosecforwebdevelopers.com/chap06.html#web-applications-countermeasures-consuming-free-and-open-source-tooling listed in my book.


 Kim Carter
OWASP New Zealand Chapter Leader (Christchurch)
Author of Holistic Info-Sec for Web Developers
c: +64 274 622 607

On 28/10/17 04:12, Erlend Oftedal wrote:

For JavaScript projects you may want to look at :
https://github.com/mozfreddyb/eslint-plugin-scanjs-rules

And of course also dependency trackers such as nsp and retire.js


Best regards
Erlend

On Fri, 27 Oct 2017 at 17:02, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:

Mike,

Coverity provides free scanning of FOSS projects. ESAPI has used it in the past. I suspect that other SAST vendors may have similar offers, but I don't have any experience with them. There are also things like PMD and FindBugs that are closer to 'lint' than SAST tools, but that can be useful. Both have plug-ins for various IDEs.

HTH, 
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.

On Oct 27, 2017 07:24, "Mike Goodwin" <mike.goodwin at owasp.org> wrote:

Hello all,

I'm interested in building static code scanning into my OWASP tool project, but they are pretty expensive. Does OWASP have any organisation-wide license for a tool to do this? Or a subscription to an online service?

Best regards,
-- 

Mike Goodwin
OWASP Newcastle UK Chapter Leader 
OWASP Threat Dragon Project Leader
@theblacklabguy

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders