Code scanning

Writing code requires close attention to detail. A large code base is written by many developers of differing ability, so code quality varies and security defects are easily introduced along the way. It is hard to guarantee that every developer applies secure coding practice, and manually re-checking all of the code for security problems is both costly and difficult. Automated code scanning lowers that cost and difficulty, and adds a feedback loop that surfaces security problems in the code so they can be fixed as soon as they are introduced.

Code scanning can be performed with static analysis tools on the source before compilation, which detect many classes of security problems at the code level. Automated scanning cannot find every security problem, however: it matches known dangerous patterns and misses flaws that depend on program logic or data flow. Projects with high security requirements therefore also need manual code review to find the problems the automated scan does not report.
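The following is an added example, not code from this guide or from any of the tools listed below. It is a minimal rule-based static scanner in the style of Flawfinder: it flags calls to a small table of dangerous C functions, strips comments so that a mention in a comment is not a hit, and only reports printf when its format string is not a literal. The C fragment it scans is constructed for the example, and the rule table and messages are this example's own. The last line of the fragment, an unbounded memcpy, is deliberately not caught: that defect needs knowledge of buffer sizes and data flow, which is exactly the kind of problem a pattern scanner misses and manual review has to find.

```python
import re
from typing import List, Tuple

Finding = Tuple[int, str, str, str]  # (line number, function, severity, message)

# Rule table: function name -> (severity, why it is flagged).
# Assumption: this is the example's own small rule set, not any tool's rules.
RULES = {
    "gets":    ("high",   "reads unbounded input into a fixed buffer; use fgets"),
    "strcpy":  ("high",   "unbounded copy; use a size-bounded copy and check the length"),
    "strcat":  ("high",   "unbounded append; use a size-bounded append"),
    "sprintf": ("high",   "unbounded format into a buffer; use snprintf"),
    "system":  ("medium", "runs a shell command; make sure the argument is not attacker-controlled"),
    "printf":  ("medium", "format string is not a literal; use printf(\"%s\", s) instead"),
}

# Match <name>( and capture whether the first argument starts with a string literal.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r')\s*\(\s*("?)')
# Single-line comments only; a /* ... */ spanning lines is a known gap of this toy.
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*$")

def scan_c_source(source: str) -> List[Finding]:
    """Return one finding per dangerous call, in source order."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = COMMENT_RE.sub("", raw)          # ignore calls mentioned in comments
        for m in CALL_RE.finditer(line):
            func, literal = m.group(1), m.group(2)
            if func == "printf" and literal == '"':
                continue                        # printf("literal", ...) is fine
            severity, message = RULES[func]
            findings.append((lineno, func, severity, message))
    return findings

def gate(findings: List[Finding]) -> int:
    """Exit status for a CI step: 1 if any high-severity finding, else 0."""
    return 1 if any(sev == "high" for _, _, sev, _ in findings) else 0

def report(findings: List[Finding]) -> str:
    return "\n".join(f"line {ln}: {sev}: {fn}(): {msg}" for ln, fn, sev, msg in findings)

# Constructed sample input (not from any real project).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy is banned in this file, see the coding standard */
void greet(const char *name, const char *cmd) {
    char buf[32];
    strcpy(buf, name);                       /* unbounded copy */
    printf(name);                            /* caller controls the format string */
    printf("hello %s", name);                /* literal format: not flagged */
    gets(buf);                               /* always unsafe */
    snprintf(buf, sizeof buf, "%s", name);   /* bounded: not flagged */
    system(cmd);                             /* shell command */
    memcpy(buf, name, strlen(name));         /* overflow the scanner cannot see */
}
"""

if __name__ == "__main__":
    found = scan_c_source(SAMPLE_C)
    print(report(found))
    raise SystemExit(gate(found))
```

Run as a pre-commit hook or CI step, the non-zero exit from gate() is what turns the scan into the feedback loop described above. Real tools such as Flawfinder carry far larger rule tables and better parsing, but the limitation shown on the memcpy line applies to any pattern-based scanner.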

Some automatic static code scanning tools:

Tool         Language support    License       Homepage
Fortify      Most languages      Commercial    http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/
Checkmarx    Most languages      Commercial    https://www.checkmarx.com/
Flawfinder   C/C++               Free          http://www.dwheeler.com/flawfinder/
LAPSE        Java                Free          http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
Brakeman     Ruby on Rails       Free          https://github.com/presidentbeef/brakeman