Check out my curated list of application security tools to secure your web applications and APIs.
According to the Software Engineering Institute (SEI), 90 per cent of reported security incidents result from exploits against defects in the design or code of the software.
Even with all the bold claims of security vendors, it is no secret that one type of security tool is never enough to say we are secure. (Law of the Instrument)
How can you work smarter and faster with application security?
It starts with having the right tools and understanding what these tools are doing.
Let me start with the great physicist Richard Feynman, a brilliant mind and a teacher.
If you haven't seen how he explains electromagnetic forces with day-to-day experiences, please go and get familiar with it.
It encouraged me to explain application security tools with a “washing machine”.
Also, you can join the CandyShop project to see the security testing results of the most popular vulnerability scanners.
Our washing machine (application) is wide-open, not plugged in, and we have a manual at hand.
We look at all the pipes and pieces and figure out what can go wrong in case of a security attack. This is what SAST tools do!
As we have full access to the source code, we are sure that 100% of our code will be scanned, and it's fast. Our SAST tool should support the programming languages we are using and understand the framework very well. (no help from a manual in Finnish)
But we have a limitation: the machine is not working yet, and we are not 100% sure how it will run once it is plugged in. Something may look like an issue in the code, but the result can differ in the running state. (false positives)
3-Exact location of issue
4-Early in the process
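To make the SAST trade-off above concrete, here is an added example (not from the original post or from any tool listed here): a tiny static scanner built on Python's `ast` module. It reports the exact line of each finding without running the code, and it also flags a function that is never called, which is the kind of false positive the running state would rule out. The sample source, rule names and the crude "is it called anywhere" check are assumptions made for illustration.

```python
import ast

# Constructed sample application source (not from the original page).
SAMPLE_SOURCE = '''\
import subprocess

def export_report(name):
    subprocess.run("tar czf out.tgz " + name, shell=True)

def legacy_debug(expr):
    return eval(expr)

def main():
    export_report("weekly")
'''
RULES = {"eval": "call to eval()", "exec": "call to exec()"}  # hypothetical rule set


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line, enclosing function, message)
        self.called = set()  # names of everything called anywhere in the source
        self.func = "<module>"

    def visit_FunctionDef(self, node):
        outer, self.func = self.func, node.name
        self.generic_visit(node)
        self.func = outer

    def visit_Call(self, node):
        f = node.func
        name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
        self.called.add(name)
        if name in RULES:
            self.findings.append((node.lineno, self.func, RULES[name]))
        for kw in node.keywords:
            if kw.arg == "shell" and getattr(kw.value, "value", None) is True:
                self.findings.append((node.lineno, self.func, "call with shell=True"))
        self.generic_visit(node)


def scan(source):
    s = Scanner()
    s.visit(ast.parse(source))
    # Crude reachability hint: is the enclosing function called anywhere at all?
    return [(line, func, msg, func == "<module>" or func in s.called)
            for line, func, msg in sorted(s.findings)]
```

`scan(SAMPLE_SOURCE)` returns both findings with their line numbers; the last field is `False` for the `eval` in `legacy_debug`, which static analysis reports even though nothing in the source ever calls it.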
and here are some of the great SAST Tools:
It is a free (open-source) static security scanner for Python applications.
Supported Languages: Python
License: Free (Open-Source)
Official Website: https://pypi.org/project/bandit/
It is a free (open-source) vulnerability scanner for Ruby on Rails applications.
Supported Languages: Ruby on Rails
License: Free (Open-Source)
Official Website: https://brakemanscanner.org/
An enterprise-level static code scanner that supports all popular languages and is nominated as “Leaders” in Gartner Magic Quadrant 2022.
Official Website: https://checkmarx.com/
An enterprise-level application security testing suite that contains a source code scanner for 11 languages and is nominated as “Visionaries” in Gartner Magic Quadrant 2022.
License: Commercial (with Free Community Edition)
It's the SAST part of Synopsys application security suite.
An enterprise-level static scanner that supports 20 languages and is nominated as “Leaders” in Gartner Magic Quadrant 2022.
An enterprise-level application security tool suite that contains a static scanner supporting 34 languages and is nominated as “Leaders” in Gartner Magic Quadrant 2022.
Supported Languages: ABAP, Android, Angular, AngularJS, APEX, ASP Classic
License: Commercial, AppScan CodeSweep (Free)
A practical and efficient static code scanner for 28 programming languages.
License: Commercial (with Free Trial)
License: Commercial (Free for open source projects)
A lightweight static code scanner for Node.js
Supported Languages: Node.js
License: Commercial (Free for a single user)
A fast open-source code vulnerability scanner with support for 11 languages.
License: Commercial (with Free Community Edition)
An enterprise-level DevSecOps solution that contains a static code scanner for 11 languages and is nominated as “Challengers” in Magic Quadrant 2022.
License: Commercial (with Free Limited Test edition)
A very popular static code scanner for 29 languages.
License: Commercial (with Free Community edition)
It is an enterprise-level SAST tool that will provide automated feedback to your developers in the IDE and CI/CD pipeline. It is nominated as “Leaders” in Gartner Magic Quadrant 2022.
This one is more about what your machine is made of.
It doesn't need to analyse all the source code, and some SCA tools can work with manifest files alone. It will detect all the open-source components and libraries that we have used in the application and find out whether there is a known vulnerability for the version in use.
It is fast and can easily save you a lot of trouble (some SCA tools offer auto-remediation). Also, open-source doesn't always mean “Free” to use in your commercial application.
SCA tools can check for license compliance and eventually save your company from lawsuits.
Meanwhile, SCA tools may report hundreds of issues; however, it doesn't mean all of these vulnerabilities are executable.
You may use an open-source library only for a limited function, and that library might have dependencies which never get executed in your application at runtime. (some SCA tools can now filter these out)
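The manifest-based check and the "is it actually used" filter described above, as an added example (not from the original post and not the code of any listed SCA tool). The manifest, package names, advisory IDs and application source are constructed placeholders; it assumes `==` pins with numeric versions, import names equal to package names, and treats "imported by the app" as a rough stand-in for "executed at runtime".

```python
import ast
import re

# Constructed inputs: package names and advisory IDs are placeholders.
MANIFEST = """\
webfw==2.1.0
yamlparse==5.3   # pinned long ago
imgtools==9.0.1
httpclient>=1.0
"""
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "yamlparse", "fixed_in": "5.4"},
    {"id": "EXAMPLE-0002", "package": "imgtools", "fixed_in": "8.2.0"},
    {"id": "EXAMPLE-0003", "package": "webfw", "fixed_in": "2.1.3"},
]
APP_SOURCE = "import webfw\nfrom imgtools import resize\n"


def version_key(v):
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so 5.3 == 5.3.0


def parse_manifest(text):
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)  # version unknown: cannot be matched, report it
    return pinned, unpinned


def imported_modules(source):
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods


def sca_report(manifest, advisories, source):
    pinned, unpinned = parse_manifest(manifest)
    used = imported_modules(source)
    hits = [(a["id"], a["package"], pinned[a["package"]], a["package"] in used)
            for a in advisories if a["package"] in pinned
            and version_key(pinned[a["package"]]) < version_key(a["fixed_in"])]
    return hits, unpinned
```

With the constructed inputs, two advisories match; only the `webfw` one is marked as used by the application, and the unpinned `httpclient` line is returned separately because no version can be checked for it.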
1- Less dependency
3-Easy to adopt
4-License compliance check
1- Limited surface
2- Unknown impact
and some of the SCA tools in the market:
It can be integrated into your IDE or CI/CD pipeline, generate a Software Bill of Materials (SBOM) and detect policy/license violations.
It has a free community edition to start and is useful to detect misconfiguration and secret management.
It has a nice Chrome extension to see security reports while checking the open-source component repository websites. Also, SBOM reports can be exported to CycloneDX, Word, Excel, PPT, and XML formats and have REST API support.
License: Commercial (starts from $26k/year)
It was added into the Checkmarx suite with the Dustico acquisition last year.
It has a three-pronged approach to a security check for open sources:
1-the credibility of the package provider,
2-update cadence and level of maintenance
3-and behavioural analysis for malicious attacks.
It has advantages with prioritising issues in runtime libraries. For example, you can see which libraries are actually executed at runtime and how often down to the specific class, file, or module.
It was recently acquired (March 2022) by Micro Focus and may soon join the Fortify WebInspect application security suite.
License: Commercial (Free Limited Edition + starting from €25/month per user)
Some big names like Uber, Twitter, Verizon, and PWC use FOSSA for software composition analysis. Their policy engine was designed in collaboration with leading OSS attorney Heather Meeker.
License: Commercial (Free Limited Edition + starting from $52/month)
It scans your source code to detect API keys, passwords, certificates, encryption keys and other sensitive data.
License: Commercial (Free up to 25 dev+ starting from $434/month for 26 developers)
It has strong integration capabilities with many IDEs, CI/CD and binary management.
License: Commercial (Free Limited Edition + $98/month)
A popular SCA tool designed to be part of your SDLC.
License: Commercial (Free Trial+ starting from $134/month per developer)
It is one of the most popular open-source SCA tools, created by OWASP.
It is a lightweight open-source SCA tool with multiplatform support: Linux, Windows, macOS
License: Commercial (Free Community Edition + €100/month per user)
It is a solid SCA tool in the Shiftleft Core platform, and NTT Application Security also relies on Shiftleft's scanning engine in their SCA product. (Sentinel SCA)
License: Commercial (Free Limited Edition + $175/month)
It is one of the most popular SCA solutions and added C/C++ support after acquiring FossID last year. (March 2021) It can be integrated into your IDE or CI/CD pipeline, generate a software bill of materials (SBOM), and detect policy/license violations.
License: Commercial (Free Limited Edition + starting from $98/month per developer)
It is the SCA part of the Veracode suite and will identify known vulnerabilities in open-source libraries used by your applications.
It is one of the most popular SCA tools available in the market and nominated as “Leaders” in Forrester Wave Software Composition Analysis, Q3 2021.
Now, we plug in our washing machine!
DAST tools crawl our applications in a running state (no language dependency) and attack them in all possible ways. It is pretty much simulating what a hacker does.
It will take longer to scan, and it is not guaranteed that all the pages will be covered. Especially if you are scanning a Single-Page Application, you need to confirm that your DAST tool can simulate all DOM activities to crawl all pages.
3-Tests in real-life state
4-Easy to adopt
1-Coverage (not guaranteed)
2-Speed (slower than SAST)
3-Not exact location of issues
and here are some of the best DAST tools:
It is a straight-forward vulnerability scanner with an easy-to-use interface.
Some features: Business Logic Recorder, Multi-platform (Linux, Mac, Windows, SaaS)
It was an internal penetration tool in SEC-1 (part of Claranet Group now), and now also offers tailor-made solutions.
It is an automated scanner and pentest platform for SMBs.
Some features: Managed pentest service, resolution center for collaboration, Risk Score
It is easy to use for non-technical (cybersecurity) users.
Some features: WordPress plugin
License: Commercial (starting from $49/month)
It is a new generation of DAST tools and has a “developer-friendly” approach.
Some features: Docker client, working with HTTP Archive File (HAR file)
License: Commercial (Free Limited Edition + starting from $79/month)
It is a must-have tool for manual penetration testing.
Some features: BApp Store (extension directory)
License: Commercial (Free Community Edition + €349/month)
It is an effective DAST tool with a crowdsource-supported vulnerability database.
Some features: Attack Surface Management
License: Commercial (starting from €70/month)
WebInspect is an Enterprise-level DAST tool capable of scaling to hundreds of applications.
Some features: support for Two Factor Authentication, API testing, CI/CD integrations
It is an enterprise-level DAST tool in HCL AppScan security suite.
It is a powerful vulnerability scanner for cybersecurity engineers from Rapid7.
Some features: Universal Translator, Attack Replay
License: Commercial (starting from $166/month per app)
It is an easy DAST tool to start with, which also offers a monthly subscription.
Some features: Penetration testing service offerings
License: Commercial (starting from €94/month per app)
It is an enterprise-level DAST tool to integrate into SDLC and is highly useful if you need to manage hundreds or thousands of applications.
Some features: Advanced integrations, Proof-based scanning, IAST + SCA capabilities
It is a very advanced open-source vulnerability scanner with community-supported scanning templates.
Some features: Custom scanning templates
It is the most popular open-source dynamic application security testing tool.
Some features: extensive community support
It is a set of tools for web vulnerability scanning.
Some features: includes many other niche security scanners
License: Commercial (starts from €100/month for 10 targets)
It is a DAST scanner designed for security and DevOps teams to work together on reducing security risks on web applications & APIs.
License: Commercial (Free Limited Edition + starts from €49/month per application)
It is an advanced fully-cloud web application security scanner.
It is the DAST tool in the Sentinel security suite. (known as Whitehat)
It is a multi-platform supporting DAST tool in Syhunt application security suite.
License: Commercial (starting from $4099/year)
It is the DAST tool in Synopsys application security testing portfolio for enterprises.
It is a cloud-based vulnerability scanner powered by Nessus technology.
License: Commercial (€4610/year for 5 FQDN)
It is the DAST part of the Veracode application security suite that provides the scale necessary to audit hundreds of target applications simultaneously, including APIs
Let us combine SAST and DAST, and now we have IAST.
Now we can look at our washing machine parts while working and get more accurate results!
IAST tools are installed into an application server, where they analyse all the application interactions (manual or automated tests) and detect vulnerabilities in real-time.
1-Source code + Running state
1-Hard to deploy (for Cloud-native)
2-Test automation requirement
3-Language dependency -1
and here are some of the best IAST tools:
It is the most popular IAST solution in the market at the moment.
It is the IAST part of Hdiv application security suite.
It is the IAST part of Synopsys application security testing suite.
The new era of application security firewalls starts with a name: Runtime Application Self-Protection.
This one is not for scanning and finding a vulnerability in the application. This is for monitoring and blocking attacks in real-time.
Our old friends, web application firewalls, usually sit in front of the traffic, inspect all incoming HTTP requests and report/block if there is a suspicious-looking pattern.
On the other hand, RASP tools are integrated into your application and make decisions according to how your application will execute these requests. This is excellent for avoiding false positives; however, it may cause performance issues as the RASP agent sits between the application and the server.
1- No need to train
2- Saves time for fixing
3- Contextual awareness
1- Performance issues
2- Language dependency -2
3- Use case abuse
4- False sense of security
and here are some of the best RASP tools:
It is the RASP part of Contrast application security suite.
It is the RASP module in Dynatrace platform.
License: Commercial (starting from $12/month for 8GB per host)
It is the RASP part of Hdiv application security suite.
It can be a good combination if you are already using Imperva WAF.
It is a signatureless RASP solution that doesn’t rely on behavioural analytics or machine learning with attack detection and blocking capabilities.
Some features: IAST
It is the most popular open-source RASP tool and is maintained by the Baidu team.
It is one of the most popular open-source RASP tools.
You will add many tools while maturing in your application security program, and you need a control centre for all these activities. Efficiency is the priority when you are building your appsec program. A typical application security journey:
1-you need to detect vulnerabilities
2-deliver them to the right people to check
3-follow up the actions (triage)
4-confirm once it gets fixed
5-and make all this visible to management.
By integrating all the application security tools into your ASOC tool, you will be able to manage all these steps and find answers to your questions.
Are we making more issues than we fix in every release, what type of issues keep coming, and which team requires training more than the others?
Also, some of the new ASOC tools these days come with built-in open-source scanners. So you can add your applications and activate the most popular open-source scanners. In an hour, you will have decent reports to look at. (SAST, DAST, SCA)
Also, it will be a great platform to compare the performance of your appsec tools.
1-Correlation is not fully there yet
2-Single point of failure
and here are some of the best ASOC tools:
It is the application security platform of Synopsys suite.
It is an open-source vulnerability management platform and is maintained by OWASP.
Faraday is a platform that orchestrates security tools to optimise response time and efficiency for vulnerability management.
License: Commercial (starting at $2600/year with free Community edition)
Kondukto is an ASOC Tool to get all security testing tool results in one view, automate vulnerability remediation workflow and manage risks with security KPIs.
License: Commercial (starting from $500/month)
It is one of the oldest ASOC platforms in the market and was acquired by Coalfire last year. (June 2021)
Mobile app security is a little bit different from other types of analysis. The security posture of your app is highly interrelated with a platform like iOS, Android or Windows Phone.
Mobile application security requires a certain type of expertise, and it is a field that has been getting popular in recent years.
Let me list some of the best mobile application security testing tools to check your app against reverse engineering, tampering, key loggers, and other types of interference attacks.
It is a mobile application security testing tool (MAST). It executes your applications on real mobile devices and launches attacks to detect failures in self-protection on .apk or .ipa files.
Some features: real device farm, Test Sequence recording, No False Positive
License: Commercial (starting around $10k/year per app)
Talsec offers a multi-platform SDK that focuses on app shielding, API protection, and network traffic control. It enables you to combat reverse engineering attempts, session hijacking, or brute force attacks.
Some features: traffic control, open-source RASP
Anything I Missed?
So those are my favourite application security tools. And now I’d like to hear from you. Are there any tools that you love… but didn’t see on this list?
Or maybe you have a question.
Either way, let me know by leaving a comment below right now.
Immuniweb has a set of tools both commercial and free. Check them out. Good addon to the list.
https://www.immuniweb.com/free – free tools
Thanks, Dimitry, soon I will research more about Immuniweb tools and update the list.