29.12.2024, Bühne HUFF
Language: English
We give a short intro to static security analysis tools for Java and showcase three.
Historically, coding errors have resulted in significant breaches of personally identifiable information and other vulnerabilities (Equifax breach, Log4Shell, Heartbleed). To mitigate such risks in the future, developing secure applications is crucial. Static code analysis emerges as a valuable technique to assist developers in proactively identifying and rectifying security flaws. Leveraging compiler techniques, static analysis can be seamlessly integrated into established development workflows, including IDEs and CI/CD pipelines. We examine 19 static security analysis tools specifically for Java, categorizing them based on their security capabilities and design characteristics. The security features analyzed encompass coding standards adherence, bug detection, software bill of materials generation, secret detection, identification of dangerous API usage, and data flow analysis. From a design perspective, the tools are classified as general-purpose, deep analysis, security-focused, specialized for cryptographic APIs, and other specialized tools.
The following tools are investigated: ErrorProne, PMD, SpotBugs, SonarSource, Infer, CodeQL, Semgrep, DevSkim, Bearer, CogniCrypt, SEADER, NullAway, Dependency-Check, Detect-Secrets, Understand, Oversecured, AVM, PTAI, PVSStudio, Snyk.
We quickly showcase Error Prone, CodeQL and CogniCrypt.
The tools were selected based on prior work by other authors and an independent search.
Markus Toran is a security consultant from Karlsruhe. His consulting areas include offensive security, cryptography and secure software development. He previously studied computer science at KIT, specializing in IT security. He is a proud member of KITCTF.