Discussion:
SAST for PHP and Scala
Robert A.
2014-06-12 18:40:00 UTC
Hello,
Are there any 'GOOD' tools (NOT services/SaaS) for PHP and Scala SAST?
Please don't just list tools you found via a google search :)

Regards,
Robert A.
http://www.cgisecurity.com/
http://www.qasec.com/
http://www.webappsec.org/

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

***@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Tim Jarrett
2014-06-12 18:46:20 UTC
Out of curiosity, why not a SaaS solution?

TIM JARRETT
Sr. Director, Product Management

E-Mail ***@veracode.com
Office 339.674.2885
Mobile 617.671.9588
Twitter @tojarrett
LinkedIn http://www.linkedin.com/in/tjarrett

On Jun 12, 2014, at 2:40 PM, Robert A. <***@webappsec.org> wrote:

> Are there any 'GOOD' tools (NOT services/SaaS) for PHP and Scala SAST?
> Please don't just list tools you found via a google search :)
Robert A.
2014-06-12 19:15:53 UTC
I don't want to turn this thread into a tool vs SaaS solution discussion
(which you just did by asking the question as a SaaS vendor).

Just looking for tool suggestions.

Regards,
Robert A.

On Thu, 12 Jun 2014, Tim Jarrett wrote:

> Out of curiosity, why not a SaaS solution?
Ahmed Masud
2014-06-12 20:47:41 UTC
Okay, let's ask a different question: What are your criteria for a tool that
you are looking for that is not a top level google result? Without you
being a bit more specific about your filtering system it would be difficult
to give you advice beyond generalities.

Cheers,

Ahmed

Ahmed Masud <***@trustifier.com>

Trustifier Inc.
CEO

Toll Free: 1-855-534-5434 x 700
Intl.: +1 301-500-0084 x700
Cell Phone: 240-264-9699
Website: www.trustifier.com

On Thu, Jun 12, 2014 at 3:15 PM, Robert A. <***@webappsec.org> wrote:

> I don't want to turn this thread into a tool vs SaaS solution discussion
> (which you just did by asking the question as a SaaS vendor).
>
> Just looking for tool suggestions.
Menerick, John
2014-08-19 15:57:42 UTC
I have not seen any SAST for Scala. I have had to tackle Scala in a much more dynamic approach.

Sent from my iPhone

On Aug 19, 2014, at 8:52 AM, "Pankaj Upadhyay" <***@gmail.com> wrote:

> I know Fortify supports PHP but I am not sure how 'good' that tool is as a PHP scanner.

NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service

Pankaj Upadhyay
2014-08-19 16:11:34 UTC
Just tried a quick search for the 'PHP' string in the Gartner quadrant report
for SAST and DAST, and it seems there are a couple of products which offer SAST
for PHP but nothing for Scala.

http://www.gartner.com/technology/reprints.do?id=1-1WJ75OR&ct=140701&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuazLZKXonjHpfsX66O8sW6a0lMI%252F0ER3fOvrPUfGjI4HRcJjI%252BSLDwEYGJlv6SgFTbnFMbprzbgPUhA%253D

If you don't mind, can I add one more question to the list? Do we know any
tool to scan SQL or PL/SQL code to find security issues?


On Tue, Aug 19, 2014 at 9:27 PM, Menerick, John <***@netsuite.com>
wrote:

>
> I have not seen any SAST for Scala. I have had to tackle Scala in a much
> more dynamic approach.



--
Thanks,
Pankaj Upadhyay
Paul Johnston
2014-08-19 21:36:52 UTC
Hi,

> If you don't mind, can I add one more question to the list? Do we know
> any tool to scan SQL or PL/SQL code to find security issues?

I don't know such a tool, but I wonder:

1) What kind of issues would you want the tool to find?

2) Would you want to scan SQL or PL/SQL standalone, or as a part of a
larger application?

3) How would you want to pass the SQL or PL/SQL to the tool?

Regards,

Paul

--
Pentest - The Application Security Specialists
*Shortlisted for Best Security Company, SC Magazine Europe 2014*

Pentest Limited

Paul Johnston - IT Security Consultant
Office : +44 (0) 161 233 0100
Mobile : +44 (0) 7817 219 072
Email policy : http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: : 4217114 England & Wales
Registered Office: : 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
Certifications : ISO 9001 (50155) / ISO 27001 (IS 558982) / Tiger Scheme


Pankaj Upadhyay
2014-08-28 15:00:15 UTC
You're right, but generally when you work for an organization, things are
not that plain. There could be a separate team working only on the frontend,
some on middleware, and some may be writing DB queries in SQL or HQL. In this
scenario, other than the scanning of the integrated product, what if they
want separate scans for their components in early development stages?
>> What kind of issues?
We talk of parametrized queries to mitigate SQL injection. What if a
scanning utility scans PL/SQL code and highlights all such queries which
are not parametrized? I'm not a SQL expert, but I am wondering what if a
scanning utility can find all those objects which got created inside the
PL/SQL block and haven't been deleted after their use.




On Wed, Aug 20, 2014 at 3:06 AM, Paul Johnston <***@pentest.co.uk>
wrote:

> I don't know such a tool, but I wonder:
>
> 1) What kind of issues would you want the tool to find?
>
> 2) Would you want to scan SQL or PL/SQL standalone, or as a part of a
> larger application?
>
> 3) How would you want to pass the SQL or PL/SQL to the tool?


--
Thanks,
Pankaj Upadhyay
Pankaj Upadhyay
2014-08-19 15:50:16 UTC
I know Fortify supports PHP but I am not sure how 'good' that tool is as a
PHP scanner.


On Fri, Jun 13, 2014 at 12:10 AM, Robert A. <***@webappsec.org> wrote:

> Hello,
> Are there any 'GOOD' tools (NOT services/SaaS) for PHP and Scala SAST?
> Please don't just list tools you found via a google search :)



--
Thanks,
Pankaj Upadhyay