Checking for security flaws in your applications is essential. These tools can help find and fix them.
By David Strom, CSO

The 2018 Verizon Data Breach Investigations Report says most hacks still happen through breaches of web applications. For this reason, testing and securing applications has become a priority for many organizations. That job is made easier by a growing selection of application security tools. Below is a list of some of the best application security tools available, with descriptions of the situations where they can be most effective.
To compile this list, we consulted several sources, including:
- IT Central Station list of security application testing tools (ITCS) (September 2018), which is based on its large community of IT professionals who personally use and rate the various products.
- Gartner’s Market Guide for Application Shielding (June 2017).
- Gartner’s Magic Quadrant for Application Security Testing (March 2018).
- The SecTools top 125 network security tools, which is continuously updated. While specific to network-oriented tools, a few are useful for testing apps as well.
We highlight both commercial and free products. The commercial products very rarely publish list prices and are often bundled with other tools from the vendor, with volume or longer-term licensing discounts. Some of the free tools, such as Burp Suite, also have fee-based versions that offer more features.
Here are our 13 favorites, listed in alphabetical order:
Arxan Application Protection
This tool can be used for Runtime Application Self-Protection (RASP). Arxan Application Protection shields against reverse engineering and code tampering, which is particularly useful for mobile apps.
Target audience: Experienced developers
App focus: RASP
Packaging: Mac, Windows, Android, iOS, Linux
Pricing: Contact vendor
Black Duck from Synopsys
Black Duck automates open-source security and license compliance during application development. It can be used to detect, monitor, remediate and manage your entire open-source app portfolio. Synopsys has been buying up other app security vendors such as Coverity and Codenomicon.
Gartner MQ Leader
Target audience: Open-source developers
App focus: Open-source app testing
Packaging: SaaS
Pricing: Live demo, contact vendor
Burp Suite from PortSwigger
Burp Suite is one of the more popular penetration testing tools and has been widely extended and enhanced over the years. All of its tools share a common framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging and alerting. The paid versions include more automated and manual testing tools, integration with other frameworks such as Jenkins, and a well-documented REST API.
ITCS rank #7
Target audience: Experienced developers
App focus: Web app penetration testing and vulnerability scanner
Packaging: Mac, Windows, Linux, JAR
Pricing: Versions ranging from free to $4,000 per year, with 60-day free trials
CA/Veracode App Security Platform
Veracode offers a wide range of security testing and threat mitigation techniques, all hosted on a central platform. It is used to find vulnerabilities and assess risks across both development and production environments. The product has been around for many years and has a wide following. It has been used to test hundreds of thousands of different apps. Veracode also scales from the smallest to the largest installations, and its users frequently mention its superior ease of use.
ITCS rank #1, Gartner MQ Leader
Target audience: Developers
App focus: Static and dynamic code scanning
Packaging: SaaS
Pricing: Contact vendor
Checkmarx
Checkmarx makes a variety of application testing tools, including static and dynamic code scanners and tools for analyzing your open-source content. These tools continuously monitor your apps to detect vulnerabilities. Checkmarx supports a wide variety of programming languages and has a wide following. The company acquired Codebashing and has integrated it into its software to expand its secure coding training features.
ITCS rank #2, Gartner MQ Leader
Target audience: Developers
App focus: Static and dynamic code scanning, secure code training
Packaging: SaaS and on-premises
Pricing: Contact vendor, free demo
Fortify from MicroFocus
Fortify has both SaaS and on-premises versions of its integrated development and testing tool. It offers continuous app monitoring and mobile versions, too. It came to MicroFocus from the HPE software group and has a long history and a large installed base despite its numerous corporate overseers. Fortify can integrate with the Eclipse IDE and Visual Studio as well.
ITCS rank #3, Gartner MQ Leader
Target audience: Developers
App focus: Static and mobile code scanning
Packaging: SaaS and on-premises versions
Pricing: 15-day free trial, contact vendor
IBM Security AppScan
IBM has a vast application security software portfolio, including Security AppScan. It comes in three different versions: Source, Standard and Enterprise. The software is notable for being able to import a variety of data formats from manual code reviews, penetration tests and even competitors' vulnerability scanners. There are also mobile versions for scanning iOS and Android apps.
ITCS rank #4, Gartner MQ Leader
Target audience: Large enterprises
App focus: Application code scanning, including mobile, static and dynamic methods
Packaging: SaaS and on-premises
Pricing: 30-day free trial, contact vendor
Klocwork from Rogue Wave
Klocwork offers a variety of features that include static application scanning, continuous code integration and a code architecture visualization tool. It comes with checking tools built-in for various security standards, such as for CERT, CWE and OWASP. It can flag code injections, cross-site scripting, memory leaks and other vulnerable coding practices.
ITCS rank #9
Target audience: Developers
App focus: Static code analyzer
Packaging: SaaS
Pricing: Free trial
Qualys Web App Scanning
Qualys has been in the app protection market for a long time, and Qualys Web App Scanning can find and catalog all your web apps across your enterprise. It performs dynamic scans and can report on malware infections along with how to remediate your code. This product is part of a complete portfolio called Cloud Apps that does billions of annual scans and also includes infrastructure and endpoint security tools. There is wide support for other web app firewalls, too. Free stripped-down versions of these services are available, along with various free tools for checking SSL websites, certificates, and browser configurations.
ITCS rank #8
Target audience: Web app developers
App focus: Dynamic app scanning
Packaging: SaaS
Pricing: Free and 30-day free trial, various subscriptions and usage charges
Prevoty from Imperva
Prevoty is another tool that can be used for Runtime Application Self-Protection (RASP). It shields against reverse engineering and code tampering, which is particularly useful for mobile apps.
Target audience: Developers
App focus: RASP
Packaging: SaaS
Pricing: Contact vendor
Selenium
Selenium has a suite of tools for automated testing of web applications and how they function across a wide collection of different browser versions. These work with Selenium's own integrated development environment for its scripts, which is implemented as a browser extension and lets you record, edit, and debug tests, along with recording and playing back scripts. Selenium has wide third-party support for plug-ins that detect security issues with mobile and specific web browsers.
Target audience: App developers
App focus: Web app testing
Packaging: Requires its own server and supports a wide variety of programming languages, including C#, Ruby and Python
Pricing: Free
WebGoat from OWASP
WebGoat is a deliberately insecure web application created by the Open Web Application Security Project (OWASP), which maintains the de facto list of the most critical web vulnerabilities. It is designed as a teaching tool to show you the effect of these common exploits and how to avoid them in your own applications. WebGoat offers plenty of coding examples and other tips and is now on its eighth version after being around for more than 15 years.
Target audience: Developers
App focus: Testing for code injection, cross-site scripting and insecure credentials, among other issues
Packaging: JAR file
Pricing: Free
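The code injection lesson WebGoat teaches comes down to one contrast: a query built by pasting user input into SQL text versus a parameterized query. The following is an added example, not code from WebGoat or OWASP, using Python's built-in sqlite3 module and a constructed in-memory users table (the function names, the sample user and the stored hash value are assumptions made for the illustration).

```python
import sqlite3


def make_db():
    """Constructed sample database: one user with a stored (placeholder) password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds SQL with string formatting, so user-controlled text becomes query syntax."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    """Passes values separately from the SQL text; the driver never parses them as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def demo():
    """Run both versions on a valid login and on a username that closes the quote
    and comments out the password check (a constructed, textbook input)."""
    conn = make_db()
    valid = ("alice", "hash-of-alice-pw")
    injected = ("alice' --", "anything")
    return {
        "vulnerable_valid": login_vulnerable(conn, *valid),
        "vulnerable_injected": login_vulnerable(conn, *injected),
        "parameterized_valid": login_parameterized(conn, *valid),
        "parameterized_injected": login_parameterized(conn, *injected),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The vulnerable version accepts the injected username because the `--` turns the rest of the statement into a comment; the parameterized version compares the same text as a plain string and rejects it. The fix is the query structure, not input filtering, which is the point static scanners such as Klocwork and Checkmarx look for when they flag string-built SQL.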
Zed Attack Proxy from OWASP
Zed Attack also comes from OWASP. The tool is the result of the work of a large open-source community and is designed to help you automatically find security vulnerabilities in your web applications while you are building them. Zed Attack sits between your app and a browser and intercepts web traffic and examines it for vulnerabilities.
ITCS rank #6
Target audience: Developers, especially beginners
App focus: Web apps only
Packaging: Windows, Linux, Mac and Docker apps available, requires Java 7+
Pricing: Free
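Both Burp Suite and Zed Attack Proxy sit between the browser and the app and examine each exchange. Much of what they report without sending anything extra comes from passive checks on the response: missing security headers, cookies set without protective flags, and request parameters echoed back unencoded. The following is an added example, not code from either project, that runs three such checks over a constructed request URL and response (the header list, cookie flags and messages are assumptions chosen for the example, not any tool's rule set).

```python
import html
from urllib.parse import parse_qs, urlsplit

# Response headers an HTML page is expected to carry (assumption: a minimal list for
# the example, not a complete policy).
REQUIRED_HEADERS = {
    "content-security-policy": "missing Content-Security-Policy header",
    "x-content-type-options": "missing X-Content-Type-Options header",
    "strict-transport-security": "missing Strict-Transport-Security header",
}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def passive_findings(request_url: str, raw_response: str):
    """Return the issues a passive proxy check would flag for one request/response pair."""
    _status, headers, body = parse_response(raw_response)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]

    # Session cookies should carry HttpOnly (not readable by script) and Secure (HTTPS only).
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in value.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in flags:
                findings.append(f"cookie {cookie_name} set without {flag}")

    # A query parameter containing markup characters that appears verbatim in the body
    # was echoed without HTML encoding: the classic reflected-XSS indicator.
    for pname, values in parse_qs(urlsplit(request_url).query).items():
        for value in values:
            if html.escape(value) != value and value in body:
                findings.append(f"parameter {pname} reflected unencoded in response body")
    return findings


# Constructed sample exchange (not captured from any real site).
SAMPLE_URL = "https://app.example/search?q=<b>hi</b>"
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>Results for <b>hi</b></body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body>Results for &lt;b&gt;hi&lt;/b&gt;</body></html>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, passive_findings(SAMPLE_URL, response))
```

The weak response produces six findings; the hardened one, with the headers added, the cookie flags set and the parameter HTML-encoded, produces none. In a real proxy these checks run on every captured exchange, and the reflection check is only an indicator: confirming exploitability is what the active scanners in these tools do, and it should stay within the applications you are authorized to test.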
David Strom writes and speaks about security, networking and communications topics for CSO Online, Network World, Computerworld and other publications. He can be reached through his web site, or on Twitter @dstrom.
Copyright © 2018 IDG Communications, Inc.