Friday 9 October 2015

How do open source static analysis tools stack up against commercial tools?

Many static analysis tools can check an application for quality and security issues. Code Dx currently integrates with 24 of them, a mix of commercial and freely available tools. Many of the freely available tools are bundled directly within Code Dx and are run automatically, selected according to the source code supplied.

Commercial vendors have invested a great deal of research and effort into their static analysis capabilities, but we were curious how a single commercial tool would compare against a suite of open source tools. For this experiment, we took a leading commercial static analysis tool and ran it against the OWASP WebGoat Java and WebGoat.NET projects. These projects contain deliberately planted flaws, such as SQL injection and cross-site scripting (XSS), which makes them a good way to learn about application security. For our purposes, the documented flaws served as ground truth against which each tool's findings could be compared.
Full article: here
