67 Application Security Tools to Build a Mature AppSec Program [2022]

Summary

Check out my curated list of application security tools to secure your web applications and APIs.

Application Security Tools

According to the Software Engineering Institute (SEI), 90 per cent of reported security incidents result from exploits against defects in the design or code of the software.

Even with all the bold claims of security vendors, it is no secret that one type of security tool is never enough to say we are secure. (Law of the Instrument)

How can you work smarter and faster with application security?

It starts with having the right tools and understanding what these tools actually do.

Let me start with the great physicist Richard Feynman, a brilliant mind and a teacher.

If you haven't already, please go and see how he explains electromagnetic forces with day-to-day experiences.

Richard Feynman 1988

When we speak without jargon, it frees us from hiding behind knowledge we don’t have.

Big words and fluffy “business speak” cripple us from getting to the point and passing knowledge to others.

- Richard Feynman

And it encouraged me to explain application security tools with a “washing machine”.

Static Application Security Testing (SAST)

Our washing machine (the application) is wide open, not plugged in, and we have the manual at hand.

We look at all the pipes and pieces and figure out what can go wrong in case of a security attack. This is what SAST tools do!

As we have full access to the source code, we can be sure that 100% of our code will be scanned, and it's fast. Our SAST tool should support the programming languages we are using and understand the framework very well. (No help from a manual in Finnish.)

But we have a limitation: the machine is not working yet, and we are not 100% sure how it will behave once it is plugged in. Something may initially look like an issue, but the result can differ in the running state. (false positives)

Washing Machine SAST Tools

PROS:

1-Coverage

2-Speed

3-Exact location of issue

4-Early in the process

CONS:

1-Language dependency

2-Accuracy

3-Framework/library dependency

and here are some of the great SAST tools:

It is a free (open-source) static security scanner for Python applications.

Bandit Python Security Scanner

Supported Languages: Python

License: Free (Open-Source)

Official Website: https://pypi.org/project/bandit/

It is a free (open-source) vulnerability scanner for Ruby on Rails applications.

Brakeman Vulnerability Scanner for Ruby on Rails

Supported Languages: Ruby on Rails

License: Free (Open-Source)

Official Website: https://brakemanscanner.org/

Enterprise-level static code scanner supports all popular languages and is nominated as “Leaders” in Gartner Magic Quadrant 2022.

Checkmarx Dashboard

Supported Languages: JavaScript, Apex, Java, PHP, Python, Swift, Scala, Perl, Groovy, Ruby, C#, .NET, C++, Oracle PL/SQL, VB.NET, Android, Apple, ASP.NET, HTML 5, Windows Mobile, Go

License: Commercial

Official Website: https://checkmarx.com/

An enterprise-level application security testing suite contains a source code scanner for 11 languages and is nominated as “Visionaries” in Gartner Magic Quadrant 2022.

Supported Languages: Java, JavaScript, .NET, .NET Core, Node.js, Ruby, Python, Golang, Scala, PHP, Kotlin

License: Commercial (with Free Community Edition)

Official Website: https://www.contrastsecurity.com/contrast-scan

It's the SAST part of Synopsys application security suite.

Coverity Scan Result

Supported Languages: Apex, C/C++, C#, CUDA, Java, JavaScript, PHP, Python, .NET Core, ASP.NET, Objective-C, Go, JSP, Ruby, Swift, Fortran, Scala, VB.NET, iOS, Android, TypeScript, Kotlin

License: Commercial

Official Website: https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html

An enterprise-level static scanner supports 20 languages and is nominated as “Leaders” in Gartner Magic Quadrant 2022.

Fortify static code analyzer

Supported Languages: .NET, .NET Framework, .NET Core, ABAP/BSP, ActionScript, Apex, C#, C/C++, Classic ASP (with VBScript), COBOL, ColdFusion, Go, HTML, Java (including Android), JavaScript, JSON, JSP, Kotlin, MXML (Flex), Objective-C/C++, PHP, PL/SQL, Python, Ruby, Scala, Swift, T-SQL, TypeScript, VBScript, Visual Basic (VB.NET), Visual Basic, XML, YAML

License: Commercial

Official Website: https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer

An enterprise-level application security tool suite that contains a static scanner supports 34 languages and gets nominated as “Leaders” in Gartner Magic Quadrant 2022.

HCL AppScan CodeSweep

Supported Languages: ABAP, Android, Angular, AngularJS, APEX, ASP Classic, Java™ and Java™ web content, .NET (C#, ASP.NET, VB.NET), C/C++, COBOL, ColdFusion, Dart, Go, Groovy, Infrastructure as Code (IaC), JavaScript, Kotlin, Objective-C/Objective-C++, NodeJS, Perl, PHP, PL/SQL, Python, ReactJS, ReactNative, RPG, Ruby, Scala, Swift, TSQL, TypeScript, Visual Basic, Vue.js, Xamarin

License: Commercial, AppScan CodeSweep (Free)

Official Website: https://www.hcltechsw.com/appscan/offerings/source

A practical and efficient static code scanner for 28 programming languages.

Kiuwan Code Security

Supported Languages: ABAP, ActionScript, ASP.NET, C, COBOL, C++, C#, Go, HTML, Informix, Java, JavaScript/TypeScript, JCL, JSP, Kotlin, Natural, Objective C, OracleForms, PHP, PL-SQL, PowerScript, Python, RPG4, Scala, Swift, Transact-SQL, VisualBasic 6, VB.NET

License: Commercial

Official Website: https://www.kiuwan.com/code-security-sast/

An advanced source code security testing tool for C, C++, C#, Java, JavaScript, Python, and Kotlin applications.

Klocwork Dashboard

Supported Languages: C, C++, C#, Java, JavaScript, Python, and Kotlin

License: Commercial (with Free Trial)

Official Website: https://www.perforce.com/products/klocwork

An automated code review solution for Java, Python, JavaScript, TypeScript, C#, Go, C and C++.

Lgtm.com Scan Result

Supported Languages: Java, Python, JavaScript, TypeScript, C#, Go, C and C++

License: Commercial (Free for open source projects)

Official Website: https://lgtm.com

A lightweight static code scanner for Node.js

Reshift Security Scan Result

Supported Languages: Node.js

License: Commercial (Free for a single user)

Official Website: https://www.reshiftsecurity.com

A fast open-source code vulnerability scanner with support for 11 languages.

Semgrep Scan Result

Supported Languages: C#, Go, Java, JavaScript, JSON, JSX, Python, Ruby, Scala, TSX, TypeScript

License: Commercial (with Free Community Edition)

Official Website: https://semgrep.dev

An enterprise-level DevSecOps solution that contains a static code scanner for 11 languages and is nominated as “Challengers” in Magic Quadrant 2022.

Snyk Scan Results

Supported Languages: JavaScript, Java (Gradle, Maven), .NET, Python, Golang, Swift, Objective-C (CocoaPods), Scala, Ruby, PHP, and Bazel

License: Commercial (with Free Limited Test edition)

Official Website: https://snyk.io/product/snyk-code/

A very popular static code scanner for 29 languages.

Sonarqube Scan Result

Supported Languages: Java (including Android), C#, C, C++, JavaScript, TypeScript, Python, Go, Swift, COBOL, Apex, PHP, Kotlin, Ruby, Scala, HTML, CSS, ABAP, Flex, Objective-C, PL/I, PL/SQL, RPG, T-SQL, VB.NET, VB6, and XML

License: Commercial (with Free Community edition)

Official Website: https://www.sonarqube.org/features/security/

It is an enterprise-level SAST tool that will provide automated feedback to your developers in the IDE and CI/CD pipeline. It is nominated as “Leaders” in Gartner Magic Quadrant 2022.

Veracode SAST Scan Results

Supported Languages: Java, .NET and .NET Core, C#.NET and VB.NET, C and C++, TypeScript and JavaScript, Node.js, React, Ember.js, and AngularJS, Swift and Objective-C applications, Kotlin, COBOL, Visual Basic 6, and RPG

License: Commercial

Official Website: https://www.veracode.com/security/static-code-analysis

Software Composition Analysis (SCA)

This one is more about what our machine is made of.

It doesn't need to analyse all the source code; some SCA tools can work with manifest files alone. It detects all the open-source components and libraries we have used in the application and checks whether there is a known vulnerability for that version.

It is fast and can easily save you a lot of trouble (some SCA tools offer auto-remediation). Also, open source doesn't always mean “free” to use in your commercial application.

SCA tools can check for license compliance and may eventually save your company from lawsuits.

Meanwhile, SCA tools may report hundreds of issues; however, that doesn't mean all of these vulnerabilities are actually reachable in your application.

You may use an open-source library only for a limited function, and that library might have dependencies that never get executed in your application at runtime. (Some SCA tools can now filter these out.)
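To show what an SCA pass actually does with a manifest, here is an added example (not from the article or any of the listed products): it reads a constructed requirements-style manifest, matches each pinned version against a constructed advisory list and a license policy, and marks which findings are reachable because the application actually imports the package. Advisory IDs, versions and licenses are constructed placeholders.

```python
# Toy SCA pass over a dependency manifest (added example, not a real product).
# All data below is constructed; advisory IDs are placeholders, not real CVEs.
import re
from dataclasses import dataclass

# Constructed manifest in requirements.txt style (name==version).
MANIFEST = """\
requests==2.19.0
pyyaml==5.3
leftpad==1.0.0
"""

# Constructed advisories: (package, introduced, fixed, id); a version is
# affected when introduced <= version < fixed.
ADVISORIES = [
    ("requests", "2.0.0", "2.20.0", "ADV-EXAMPLE-0001"),
    ("pyyaml", "0.0.0", "5.4", "ADV-EXAMPLE-0002"),
]

# Constructed license data; the policy denies strong copyleft in a commercial app.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "leftpad": "GPL-3.0"}
DENIED_LICENSES = {"GPL-3.0", "AGPL-3.0"}

# Constructed application source for a rough reachability filter: a package
# the application never imports cannot execute at runtime.
APP_SOURCE = """\
import requests
import yaml
"""
# Distribution name -> top-level import name (they differ for pyyaml).
IMPORT_NAME = {"requests": "requests", "pyyaml": "yaml", "leftpad": "leftpad"}


@dataclass
class Finding:
    package: str
    kind: str        # "vulnerability" or "license"
    detail: str
    reachable: bool  # True when the application imports the package


def parse_version(v):
    """Turn '2.19.0' into a comparable tuple (2, 19, 0)."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return {package: version} from name==version lines."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def imported_packages(source):
    """Packages the application actually imports (top-level imports only)."""
    mods = set(re.findall(r"^\s*import\s+([A-Za-z0-9_]+)", source, re.M))
    return {pkg for pkg, mod in IMPORT_NAME.items() if mod in mods}


def scan(manifest_text, source):
    """Match every pinned dependency against advisories and license policy."""
    deps = parse_manifest(manifest_text)
    used = imported_packages(source)
    findings = []
    for pkg, ver in deps.items():
        v = parse_version(ver)
        for name, introduced, fixed, adv_id in ADVISORIES:
            if name == pkg and parse_version(introduced) <= v < parse_version(fixed):
                findings.append(Finding(pkg, "vulnerability",
                                        f"{adv_id} (fixed in {fixed})", pkg in used))
        lic = LICENSES.get(pkg, "UNKNOWN")
        if lic in DENIED_LICENSES:
            findings.append(Finding(pkg, "license", f"{lic} denied by policy", pkg in used))
    return findings
```

Running `scan(MANIFEST, APP_SOURCE)` reports two reachable vulnerable versions and one license violation on a package the application never imports, which is exactly the "hundreds of issues, not all of them executable" situation the text describes.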

Machine parts with SCA Tools

PROS:

1- Less dependency

2- Speed

3-Easy to adopt

4-License compliance check

CONS:

1- Limited surface

2- Unknown impact

and some of the SCA tools in the market:

It can be integrated into your IDE or CI/CD pipeline, generate a Software Bill of Materials (SBOM) and detect policy/license violations. 

black duck scan results

It has a free community edition to start with and is useful for detecting misconfigurations and managing secrets.

BluBracket secret management

License: Commercial (with Free Community Edition)

Official Website: https://blubracket.com

It has a nice Chrome extension to see security reports while checking the open-source component repository websites. Also, SBOM reports can be exported to CycloneDX, Word, Excel, PPT, and XML formats and have REST API support.

License: Commercial (starts from $26k/year)

Official Website: https://www.castsoftware.com/products/highlight

It was added to the Checkmarx suite with the Dustico acquisition last year.

It has a three-pronged approach to security checks for open-source packages:

1-the credibility of the package provider,

2-update cadence and level of maintenance,

3-and behavioural analysis for malicious attacks.

Checkmarx SCA Scan Result

License: Commercial (with Free Trial)

Official Website: https://checkmarx.com/product/cxsca-open-source-scanning/

It has advantages with prioritising issues in runtime libraries. For example, you can see which libraries are actually executed at runtime and how often down to the specific class, file, or module.

Contrast Security SCA Scan Result

License: Commercial (with Free Trial)

Official Website: https://www.contrastsecurity.com/contrast-sca

It was recently acquired (March 2022) by Micro Focus and may soon join the Fortify WebInspect application security suite.

Debricked SCA Scan Results

License: Commercial (Free Limited Edition + starting from €25/month per user)

Official Website: https://debricked.com/

Some big names like Uber, Twitter, Verizon, and PWC use FOSSA for software composition analysis. Their policy engine was designed in collaboration with leading OSS attorney Heather Meeker.

FOSSA SCA Scan Result

License: Commercial (Free Limited Edition + starting from $52/month)

Official Website: https://fossa.com/

It scans your source code to detect API keys, passwords, certificates, encryption keys and other sensitive data.

GitGuardian Scan Result

License: Commercial (Free up to 25 dev+ starting from $434/month for 26 developers)

Official Website: https://www.gitguardian.com/

It has strong integration capabilities with many IDEs, CI/CD and binary management.

JFrog Xray SCA Scan Result

License: Commercial (Free Limited Edition + $98/month)

Official Website: https://jfrog.com/xray/

A popular SCA tool designed to be part of your SDLC.

License: Commercial (Free Trial+ starting from $134/month per developer)

Official Website: https://www.sonatype.com/products/open-source-security-dependency-management

It is a lightweight open-source SCA tool with multi-platform support (Linux, Windows, macOS).

SCANOSS SCA Scan Result

License: Commercial (Free Community Edition + €100/month per user)

Official Website: https://www.scanoss.com

It is a solid SCA tool in the ShiftLeft Core platform; NTT Application Security also relies on ShiftLeft's scanning engine in their SCA product (Sentinel SCA).

Shiftleft Core SCA Scan Result

License: Commercial (Free Limited Edition + $175/month)

Official Website: https://www.shiftleft.io

It is one of the most popular SCA solutions and added C/C++ support after acquiring FossID last year. (March 2021)

Snyk Open Source SCA Scan Result

License: Commercial (Free Limited Edition +  starting from $98/month per developer)

Official Website: https://snyk.io/product/open-source-security-management/

It is the SCA part of the Veracode suite and will identify known vulnerabilities in open-source libraries used by your applications.

Veracode SCA Scan Result

It is one of the most popular SCA tools available in the market and nominated as “Leaders” in Forrester Wave Software Composition Analysis, Q3 2021.

Whitesource SCA Scan Result

License: Commercial 

Official Website: https://www.whitesourcesoftware.com/

Dynamic Application Security Testing (DAST)

Now we plug in our washing machine!

DAST tools crawl our applications in a running state (no language dependency) and attack them in all possible ways. It is pretty much simulating what a hacker does.

It takes longer to scan, and it is not guaranteed that all the pages will be covered. Especially if you are scanning a Single-Page Application, you need to confirm that your DAST tool can simulate all DOM activities to crawl all pages.

DAST Tools

PROS:

1-Less dependency

2-Accuracy +1

3-Tests in real-life state

4-Easy to adopt

CONS:

1-Coverage (not guaranteed)

2-Speed (slower than SAST)

3-Not exact location of issues

and here are some of the best DAST tools:

It is a straightforward vulnerability scanner with an easy-to-use interface.

Acunetix Scan Result

Some features: Business Logic Recorder, Multi-platform (Linux, Mac, Windows, SaaS)

License: Commercial 

Official Website: https://www.acunetix.com

It started as an internal penetration testing tool at SEC-1 (now part of Claranet Group) and now also offers tailor-made solutions.

AppCheck Scan Result

License: Commercial

Official Website: https://appcheck-ng.com

It is an automated scanner and pentest platform for SMBs.

Astra Security Scan Results

Some features: Managed pentest service, resolution center for collaboration, Risk Score

License: Commercial 

Official Website: https://www.getastra.com

It is easy to use for users without a cybersecurity background.

Beagle Security Scan Result

Some features: WordPress plugin

License: Commercial (starting from $49/month)

Official Website: https://beaglesecurity.com

It is a new generation of DAST tools and has a “developer-friendly” approach.

Bright Scan Result

Some features: Docker client, working with HTTP Archive File (HAR file)

License: Commercial (Free Limited Edition + starting from $79/month)

Official Website: https://brightsec.com

It is a must-have tool for manual penetration testing.

Burp Suite Scan Result

Some features: BApp Store (extension directory)

License: Commercial (Free Community Edition +  €349/month)

Official Website: https://portswigger.net/burp

It is an effective DAST tool with a Crowdsource-supported vulnerability database.

Detectify Scan Result

Some features: Attack Surface Management

License: Commercial (starting from €70/month)

Official Website: https://detectify.com

It is a mobile application security testing tool (MAST). It executes your applications on real mobile devices and launches attacks to detect failures in self-protection on .apk or .ipa files.

esChecker Report Dashboard

Some features: real device farm

License: Commercial (starting around $10k/year per app)

Official Website: https://eshard.com/eschecker

WebInspect is an Enterprise-level DAST tool capable of scaling to hundreds of applications.

Fortify Webinspect Scan Result

Some features: support for Two Factor Authentication, API testing, CI/CD integrations

License: Commercial 

Official Website: https://www.microfocus.com/en-us/cyberres/application-security/webinspect

It is an enterprise-level DAST tool in HCL AppScan security suite.

HCL AppScan Dashboard

License: Commercial 

Official Website: https://www.hcltechsw.com/appscan

It is a powerful vulnerability scanner for cybersecurity engineers from Rapid7.

Some features: Universal Translator, Attack Replay

License: Commercial (starting from $166/month per app)

Official Website: https://www.rapid7.com/products/insightappsec/

It is an easy DAST tool to start with, and it also offers a monthly subscription.

Some features:  Penetration testing service offerings

License: Commercial (starting from €94/month per app)

Official Website: https://www.intruder.io

It is an enterprise-level DAST tool to integrate into SDLC and is highly useful if you need to manage hundreds or thousands of applications.

Invicti Integrations

Some features: Advanced integrations, Proof-based scanning, IAST + SCA capabilities

License: Commercial 

Official Website: https://www.invicti.com

It is a very advanced open-source vulnerability scanner with community-supported scanning templates.

Nuclei Scan Result

Some features: Custom scanning templates

License: Free 

Official Website: https://nuclei.projectdiscovery.io/

It is the most popular open-source dynamic application security testing tool.

OWASP ZAP Scan Result

Some features: extensive community support

License: Free 

Official Website: https://www.zaproxy.org/

It is a set of tools for web vulnerability scanning.

Pentest tools Scan Result

Some features: includes many other niche security scanners

License: Commercial (starts from €100/month for 10 targets) 

Official Website: https://pentest-tools.com/

It is a DAST scanner designed for security and DevOps teams to work together on reducing security risks on web applications & APIs.

Probely Scan Result

License: Commercial (Free Limited Edition + starts from €49/month per application)

Official Website: https://probely.com/

It is an advanced, fully cloud-based web application security scanner.

Qualys WAS Scan Result

License: Commercial

Official Website: https://www.qualys.com/apps/web-app-scanning/

It is the DAST tool in the Sentinel security suite. (known as Whitehat)

Sentinel Dynamic Scan Result

It is a multi-platform DAST tool in the Syhunt application security suite.

Syhunt Dynamic Scan Result

License: Commercial (starting from $4099/year)

Official Website: https://www.syhunt.com/en/index.php?n=Products.SyhuntDynamic

It is the DAST tool in Synopsys application security testing portfolio for enterprises.

Synopsys Web-Scanner Scan Result

License: Commercial

Official Website: https://www.synopsys.com/software-integrity/security-testing/web-scanner.html

It is a cloud-based vulnerability scanner powered by Nessus technology.

Tenable IO Scan Result

License: Commercial (€4610/year for 5 FQDN)

Official Website: https://www.tenable.com/products/tenable-io

It is the DAST part of the Veracode application security suite that provides the scale necessary to audit hundreds of target applications simultaneously, including APIs.

Veracode DAST Scan Result

License: Commercial

Official Website: https://www.veracode.com/products/dynamic-analysis-dast

Interactive Application Security Testing (IAST)

Let us combine SAST and DAST, and now we have IAST.

Now we can look at our washing machine parts while it is working and get more accurate results!

IAST tools are installed into the application server; they analyse all the application interactions (manual or automated tests) and detect vulnerabilities in real time.

Washing machine IAST tools

PROS:

1-Source code + Running state

2-Accuracy +2

CONS:

1-Hard to deploy (for Cloud-native)

2-Test automation requirement

3-Language dependency -1

and here are some of the best IAST tools:

It is the most popular IAST solution in the market at the moment.

Contrast Assess Scan Result

License: Commercial (with Free Community Edition)

Official Website: https://www.contrastsecurity.com/contrast-assess

It is the IAST part of Hdiv application security suite.

HDIV IAST Scan Result

It is the IAST part of Synopsys application security testing suite.

Seeker IAST Scan Result

Runtime Application Self-Protection (RASP)

The new era of application security firewalls starts with a new name: runtime application self-protection.

This one is not for scanning and finding vulnerabilities in the application. This is for monitoring and blocking attacks in real time.

Our old friend, the web application firewall, usually sits in front of the traffic, inspects all incoming HTTP requests, and reports or blocks them if there is a suspicious-looking pattern.

On the other hand, RASP tools are integrated into your application and make decisions according to how your application actually executes these requests. This is excellent for avoiding false positives; however, it may cause performance issues, as the RASP agent sits between the application and the server.
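To make the WAF-versus-RASP difference concrete, here is an added example (not from the article or any vendor product): a toy WAF that pattern-matches the raw request parameter, next to a toy RASP hook that sees the SQL the application is about to run and blocks it only when user data changed the statement's structure. The signatures, the SQL template and the request values are constructed.

```python
# WAF-style pattern check vs RASP-style in-app structural check.
# Added example (not from the article or any vendor product); signatures,
# the SQL template and the request values are all constructed.
import re

# Toy WAF: signatures applied to the raw request parameter, with no idea
# of what the application will do with it.
WAF_SIGNATURES = [
    re.compile(r"(?i)\bor\b\s+'?\d+'?\s*=\s*'?\d+'?"),  # classic tautology
    re.compile(r"(?i)\bunion\s+select\b"),
]


def waf_inspect(raw_value):
    """True when the raw parameter matches a signature (request-only view)."""
    return any(sig.search(raw_value) for sig in WAF_SIGNATURES)


# Toy RASP hook: it wraps the application's database call, so it sees the
# final SQL statement and can compare its shape with the developer's template.
_TOKEN = re.compile(r"'[^']*'|\w+|[^\s\w]")


def sql_shape(query):
    """Reduce a statement to its structure: every literal becomes LIT."""
    return [("LIT" if t.startswith("'") or t.isdigit() else t.upper())
            for t in _TOKEN.findall(query)]


class RaspHook:
    """Blocks a query only when user data changed the statement's structure."""

    def __init__(self):
        self.blocked = []

    def execute(self, template, user_value):
        # The application builds SQL by string concatenation (the bug a RASP
        # agent guards against; the real fix is a parameterised query).
        query = template.replace("{v}", user_value)
        expected = sql_shape(template.replace("{v}", "x"))
        if sql_shape(query) != expected:
            self.blocked.append(query)   # user data became SQL syntax: block
            return None
        return query                     # still a single literal: allow


if __name__ == "__main__":
    template = "SELECT * FROM users WHERE name = '{v}'"
    hook = RaspHook()
    # A normal name, a benign search text that trips the WAF signature
    # (false positive), and a real injection that both layers stop.
    for value in ["alice", "or 1=1 tutorial", "' OR '1'='1"]:
        waf = "block" if waf_inspect(value) else "allow"
        rasp = "block" if hook.execute(template, value) is None else "allow"
        print(f"{value!r:22} WAF={waf:5} RASP={rasp}")
```

The middle value shows the false positive the text mentions: the WAF sees a suspicious pattern, while the RASP hook knows the text still lands inside one string literal and lets it through.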

PROS:

1- No need to train

2- Saves time for fixing

3- Contextual awareness

CONS:

1- Performance issues

2- Language dependency -2

3- Use case abuse

4- False sense of security

and here are some of the best RASP tools:

It is the RASP part of the Contrast application security suite.

Contrast Protect Scan Result

License: Commercial

Official Website: https://www.contrastsecurity.com/contrast-protect

It is the RASP module in the Dynatrace platform.

Dynatrace RASP Scan Result

License: Commercial (starting from $12/month for 8GB per host)

Official Website: https://www.dynatrace.com/platform/application-security/

It is the RASP part of Hdiv application security suite.

Hdiv Protection Scan Result

It can be a good combination if you are already using Imperva WAF.

Imperva RASP Scan Result

It is a signatureless RASP solution that doesn’t rely on behavioural analytics or machine learning with attack detection and blocking capabilities.

K2 Security RASP Scan Result

Some features: IAST 

License: Commercial 

Official Website: https://www.k2io.com/

It is the most popular open-source RASP tool and is maintained by the Baidu team.

OpenRASP Scan Result

License: Free

Official Website: https://github.com/baidu/openrasp

It is one of the most popular open-source RASP tools.

OpenRASP Scan Result

Application Security Orchestration and Correlation

You will add many tools while maturing your application security program, and you need a control centre for all these activities. Efficiency is the priority when you are building your appsec program.

A typical application security journey:

1-you need to detect vulnerabilities

2-deliver them to the right people to check

3-follow up on the actions (triage)

4-confirm once they get fixed

5-and make all this visible to management.

By integrating all the application security tools into your ASOC tool, you will be able to manage all these steps and find answers to your questions:

Are we creating more issues than we fix in every release? What types of issues keep coming back? Which team needs training more than the others?

Also, some of the new ASOC tools these days come with built-in open-source scanners (SAST, DAST, SCA). So you can add your applications, activate the most popular open-source scanners, and within an hour you will have decent reports to look at.

It will also be a great platform to compare the performance of your appsec tools.

DAST tool benchmark
Benchmark result
Washing machine ASOC tools

PROS:

1-Better management

2-Vendor agnostic

3-Increase efficiency

CONS:

1-Correlation is not fully there yet

2-Single point of failure

and here are some of the best ASOC tools:

It is the application security platform of Synopsys suite.

CodeDX Scan Result

License: Commercial 

Official Website: https://www.synopsys.com/software-integrity/code-dx.html

It is an open-source vulnerability management platform and is maintained by OWASP.

DefectDojo Scan Result

License: Free 

Official Website: https://github.com/DefectDojo/django-DefectDojo

It comes with many different ready-to-go open-source scanners, which may save a lot of time.

Kondukto Dashboard

License: Commercial (starting from $500/month) 

Official Website: https://kondukto.io/

It is one of the oldest ASOC platforms in the market and was acquired by Coalfire last year (June 2021).

Threadfix Dashboard

License: Commercial 

Official Website: https://www.coalfire.com/solutions/threadfix

Anything I Missed?

So those are my favourite application security tools.

And now I’d like to hear from you:

Are there any tools that you love… but didn’t see on this list?

Or maybe you have a question.

Either way, let me know by leaving a comment below right now.


AppSec Santa