Application Security Forum

Manoj Kumar Kemisetty
SAP Advanced Business Application Programming Consultant at Accenture
Jun 17 2021

Is SonarQube is the best tool for static analysis or there are any good tools which compete with SonarQube?

Peter Arvedlund
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools are the best for Static Code Analysis, I suggest you have a look at the Gartner Magic Quadrant for Application Security Testing (AST). In the latest Gartner Quadrant for AST (Static and Dynamic App Security Testing) these are the "Leaders" as per April 2020 according to Gartner ranking: 1. Synopsys 2. Checkmarx 3. MicroFocus (Fortify) 4. Veracode 5. WhiteHat Security. I used to work as a Fortify Sales Specialist in HP before Fortify was acquired by MicroFocus a few years ago. I can strongly recommend Fortify because they have both the Static and Dynamic testing, and you can even choose to have the solution(s) deployed as an "on-premise" or "Cloud" solution. In fact you can even have a "hybrid" between Cloud and On-Prem if you want, depending on your organisation's needs and need for automation in different countries. I can see you work for ACCENTURE? That is a big WW org. with different requirements for app testing across different countries, I imagine? So you can decide to have e.g. a Fortify "on-premise" version in one country and in another country you can have the solution deployed as a "Cloud service", so you get full freedom and the flexibility for automation and continuous AppSec testing of the development teams' coding. This will also educate the developer teams into becoming better coders because they will learn from the corrections in the coding done by Fortify. And remember that you can also use this in your sales advertising, because you can get a report to document that your coding and DevOps has been security tested and analysed by the Fortify solution, and therefore you can advertise your services are proved and documented as "Secure by design" by the Fortify solution. I can help connect you directly with my old colleague from HP. He is today Fortify EMEA Global Head of Sales (based in UK).
Let me know if you want me to connect you or if you want to look at some other AppSec (AST) solution from the Gartner AST MQ report I mentioned above instead?
Purushothaman K
The static tool we can use is Fortify or IBM AppScan. SonarQube is widely used for coding standards.
Rama Susarla
SonarQube is one of the widely used and easy-to-use tools. With some easy plug-ins, it would provide some very good insights into code quality, code coverage, static security, pattern-based errors, and performance engineering lapses in code. But it is not a comprehensive static security-focused tool, like Veracode or Fortify. Also, the usability depends on whether you are using the free version or the enterprise edition (it has some associated cost), but not to the extent of other commercial tools. Hope this helps.
Kit Ted
User at h
May 20 2021

I'm currently researching the following two application security tools: Coverity and SonarQube.

Can anyone point me out to main differences between these 2 products?

Thanks for your help!

Ariel Lindenfeld
Sr. Director of Community
IT Central Station
Apr 05 2021

Let the community know what you think. Share your opinions now!

reviewer1434390
I would check the authentication steps required. How does the data storage work in-app? Encryption, and if any ciphering algorithm is used in applications.
IT Central Station
Mar 02 2021

Many companies wonder about whether SAST or DAST is better for application security testing. What are the relative benefits of each methodology? Is it possible to make use of both?

Dan Doggendorf
SAST and DAST are not mutually exclusive and should be used in conjunction with each other. One should be used by the developers to ensure security is being addressed as they are writing the code. The other is used for evaluating existing applications already in production to ensure they are not susceptible to any new vulnerabilities that have been discovered. The real question is which should have a higher priority when it comes to introducing the concepts into your application security model. Unfortunately, there is no single answer to which comes first. It all depends on your organization's culture, business model, and your relationships with the various impacted groups.
Oscar Van Der Meer
For application security you ideally need SAST, SCA and DAST. You need all three as they essentially measure different things: SAST identifies bad coding practices that potentially could be exploited. SCA identifies known vulnerabilities in the libraries and components you are using, and this is the main attack vector on applications. DAST identifies some of the weaknesses that SAST and SCA identified, but also identifies weaknesses in the configuration. You might have the perfect application code with zero vulnerabilities, but if it is misconfigured, for instance using a default password, it still can be breached. If you have to choose, look at SCA and then DAST first, as that gives you the best bang for your buck from a risk reduction perspective.
Thomas Ryan
The easiest way to remember the role of each: SCA & SAST = Am I Vulnerable. DAST & IAST = Am I Exploitable (in some cases together, they complement SAST). RASP & WAF = Can I Protect Myself (fixing the code is the primary option).
IT Central Station
Jan 13 2021

There are many cybersecurity tools available, but some aren't doing the job that they should be doing. 

What are some of the threats that may be associated with using 'fake' cybersecurity tools?

What can people do to ensure that they're using a tool that actually does what it says it does?

SimonClark
Dan Doggendorf gave sound advice. Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money, but how do you know where to spend it? There are over 5,000 security vendors to choose from. There is no silver bullet and throwing money at it won't necessarily fix what you are at risk from, but at the same time free products are free for a reason. If your organisation doesn't have a large team of security experts to research the market and build labs then you need to get outside advice. Good cyber-advisors will understand your business and network architecture, therefore will ask the right questions to help you to navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future. Large IT resellers will sell you what they have in their catalogues based on what you ask for and give a healthy discount too, but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions. By the way, there are free security products and services that I recommend.
Dan Doggendorf
The biggest threat is risks you think you have managed are not managed at all, so you and your executive team have a completely false sense of security. This is even worse than not having any tool in place. With no tool in place, you at least know you have a vulnerability. There are several ways to ensure a tool is doing what it is supposed to do.
1. Product Selection - when selecting a tool, do not focus on what a tool can do. Focus on what you want the tool to do. You drive the direction of the sales demo, not the sales team.
2. Product Implementation - use professional services to implement and configure the solution. Your team should be right there with them as a knowledge transfer session, but the professional who installs and configures the product every day should drive the install, not someone who wants to learn.
3. Trusted Partners - find yourself a trusted partner(s) who can help guide you. This should consist of product testing lab partners, advisors who live and breathe the space daily, and resellers with a strong engineering team.
Javier Medina
You should build a lab, try the tools and analyze the traffic and behavior with a traffic analyzer like Wireshark and any sandbox or EDR that shows you what the tools do, but all this should be outside your production environment. Use tools that have been released by the company provider and not third-party downloads or unknown or untrusted sources.
Menachem D Pritzker
Director of Growth
IT Central Station

On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts were protected using two-factor authentication, which the hackers were somehow able to bypass.

Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, Kanye West, Benjamin Netanyahu, and several high-profile tech companies, including Apple and Uber.

The hackers posted a variation of a message asking followers to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned.

How could Twitter have been better prepared for this? How do you rate their response?

Ken Shaurette
For some good information from a leading expert, check out the webinar today 7/17 on BrightTalk by Alex Holden: "We have a lot of questions about the Twitter breach but not so many answers. I can tell you that similar cryptocurrency fraud campaigns are on-going on different social media platforms and on a different scale. Tomorrow (Friday) at 11 am CT on BrightTalk we will discuss what we know about the breach and disturbing patterns that are emerging everywhere."
Ken Shaurette
I like the potential for catching an unusual activity like that with our recently implemented endpoint detection tool, Cynet360. It seems so far to have about the highest level of transparency into the endpoint with a 24x7x365 backing of monitoring.
Russell Webster
Span of control, solid RBAC, Privileged Access Management (PAM).