websecurity@lists.webappsec.org

The Web Security Mailing List

SAST for PHP and Scala

Robert A.
Thu, Jun 12, 2014 6:40 PM

Hello,
Are there any 'GOOD' tools (NOT services/SaaS) for PHP and Scala SAST?
Please don't just list tools you found via a google search :)

Regards,
Robert A.
http://www.cgisecurity.com/
http://www.qasec.com/
http://www.webappsec.org/

Tim Jarrett
Thu, Jun 12, 2014 6:46 PM

Out of curiosity, why not a SaaS solution?

TIM JARRETT
Sr. Director, Product Management

E-Mail      tjarrett@veracode.com
Office      339.674.2885
Mobile      617.671.9588
Twitter    @tojarrett
LinkedIn  http://www.linkedin.com/in/tjarrett

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Robert A.
Thu, Jun 12, 2014 7:15 PM

I don't want to turn this thread into a tool vs SaaS solution discussion
(which you just did by asking the question as a SaaS vendor).

Just looking for tool suggestions.

Regards,
Robert A.

Ahmed Masud
Thu, Jun 12, 2014 8:47 PM

Okay, let's ask a different question: what are your criteria for a tool that
you are looking for that is not a top-level Google result? Without you
being a bit more specific about your filtering system, it would be difficult
to give you advice beyond generalities.

Cheers,

Ahmed

Ahmed Masud <ahmed.masud@trustifier.com>

Trustifier Inc.
CEO

Toll Free: 1-855-534-5434 x 700
Intl.: +1 301-500-0084 x700
Cell Phone: 240-264-9699
Website: www.trustifier.com

Pankaj Upadhyay
Tue, Aug 19, 2014 3:50 PM

I know Fortify supports PHP but I am not sure how 'good' that tool is as a
PHP scanner.

--
Thanks,
Pankaj Upadhyay

Menerick, John
Tue, Aug 19, 2014 3:57 PM
I have not seen any SAST for Scala. I have had to tackle Scala in a much more dynamic approach.

Sent from my iPhone

NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service

Pankaj Upadhyay
Tue, Aug 19, 2014 4:11 PM

Just tried a quick search for the 'PHP' string in Gartner's quadrant report
for SAST and DAST, and it seems there are a couple of products which offer SAST
for PHP but nothing for Scala.

http://www.gartner.com/technology/reprints.do?id=1-1WJ75OR&ct=140701&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuazLZKXonjHpfsX66O8sW6a0lMI%252F0ER3fOvrPUfGjI4HRcJjI%252BSLDwEYGJlv6SgFTbnFMbprzbgPUhA%253D

If you don't mind, can I add one more question to the list? Do we know any
tool to scan SQL or PL/SQL code to find security issues?

--
Thanks,
Pankaj Upadhyay

Paul Johnston
Tue, Aug 19, 2014 9:36 PM

Hi,

> If you don't mind, can I add one more question to the list? Do we know
> any tool to scan SQL or PL/SQL code to find security issues?

I don't know such a tool, but I wonder:

  1. What kind of issues would you want the tool to find?

  2. Would you want to scan SQL or PL/SQL standalone, or as a part of a
    larger application?

  3. How would you want to pass the SQL or PL/SQL to the tool?

Regards,

Paul

--
Pentest - The Application Security Specialists
Shortlisted for Best Security Company, SC Magazine Europe 2014

Pentest Limited

Paul Johnston - IT Security Consultant
Office : +44 (0) 161 233 0100
Mobile : +44 (0) 7817 219 072
Email policy : http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: : 4217114 England & Wales
Registered Office: : 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
Certifications : ISO 9001 (50155) / ISO 27001 (IS 558982) / Tiger Scheme

Pankaj Upadhyay
Thu, Aug 28, 2014 3:00 PM

You're right, but generally when you work for an organization, things are
not that plain. There could be a separate team working only on the frontend,
some on middleware, and some may be writing DB queries in SQL or HQL. In this
scenario, other than scanning the integrated product, what if they
want separate scans for their components in the early development stages?

> What kind of issues?

We talk of parametrized queries to mitigate SQL injection. What if a
scanning utility could scan PL/SQL code and highlight all such queries which
are not parametrized? I'm not a SQL expert, but I am wondering what if a
scanning utility could find all those objects which got created inside the
PL/SQL block and haven't been deleted after their use.

--
Thanks,
Pankaj Upadhyay
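A sketch of the PL/SQL scanning utility Pankaj describes, added here as an example and not code from anyone in the thread: it flags EXECUTE IMMEDIATE statements whose text is concatenated from non-literal operands (inline, or through a variable assigned one hop earlier), treats operands wrapped in DBMS_ASSERT calls as validated identifiers, and reports objects created in a unit with no matching DROP. The sample procedure is constructed, and the rules are regex heuristics rather than a parser, so multi-hop taint and DROPs in other files are out of scope.

```python
"""Regex checker for two PL/SQL issues raised above: dynamic SQL built by
concatenation instead of binds, and objects created but never dropped."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    line: int
    rule: str
    detail: str

# String literals ('' escapes a quote), line comments, block comments.
_TOKENS = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
_EXEC = re.compile(r"\bEXECUTE\s+IMMEDIATE\s+(?P<expr>.*?);", re.I | re.S)
_ASSIGN = re.compile(r"\b(?P<var>[A-Za-z_]\w*)\s*:=\s*(?P<expr>.*?);", re.S)
# Operands wrapped in DBMS_ASSERT.* count as validated identifiers.
_SAFE_CALL = re.compile(r"\bDBMS_ASSERT\.\w+\s*\([^()]*\)", re.I)
# '||' touching anything other than a string literal (identifier, call, paren).
_IDENT_CONCAT = re.compile(r"\|\|\s*[A-Za-z_(]|[\w)]\s*\|\|")
_CREATE = re.compile(r"\bCREATE\s+(?:GLOBAL\s+TEMPORARY\s+)?(?:TABLE|VIEW|SEQUENCE)"
                     r"\s+([A-Za-z_][\w$#.]*)", re.I)
_DROP = re.compile(r"\bDROP\s+(?:TABLE|VIEW|SEQUENCE)\s+([A-Za-z_][\w$#.]*)", re.I)

def _scrub(text, keep_literals):
    """Blank out comments (and literals unless keep_literals), keeping
    newlines so reported line numbers stay valid."""
    def repl(m):
        tok = m.group(0)
        if tok.startswith("'") and keep_literals:
            return tok
        return ("''" if tok.startswith("'") else "") + "\n" * tok.count("\n")
    return _TOKENS.sub(repl, text)

def scan(src):
    """Return findings for one PL/SQL source unit, ordered by line."""
    findings = []
    code = _scrub(src, keep_literals=False)
    # Rule 1: statement text concatenated from non-literal operands, inline
    # or through a variable assigned from such a concatenation (one hop).
    tainted = {m["var"].upper() for m in _ASSIGN.finditer(code)
               if _IDENT_CONCAT.search(_SAFE_CALL.sub("''", m["expr"]))}
    for m in _EXEC.finditer(code):
        ln, expr = code.count("\n", 0, m.start()) + 1, _SAFE_CALL.sub("''", m["expr"])
        head = re.match(r"\s*([A-Za-z_]\w*)", expr)
        if _IDENT_CONCAT.search(expr):
            findings.append(Finding(ln, "concat-sql",
                            "statement text is concatenated; pass values with USING"))
        elif head and head[1].upper() in tainted:
            findings.append(Finding(ln, "concat-sql",
                            f"runs {head[1]}, which was built by concatenation"))
    # Rule 2: DDL lives inside string literals, so keep them here; any object
    # created in the unit without a matching DROP is reported.
    ddl = _scrub(src, keep_literals=True)
    created = {m[1].upper(): ddl.count("\n", 0, m.start()) + 1 for m in _CREATE.finditer(ddl)}
    for m in _DROP.finditer(ddl):
        created.pop(m[1].upper(), None)
    findings += [Finding(ln, "undropped-object", f"{n} is created but never dropped")
                 for n, ln in created.items()]
    return sorted(findings, key=lambda f: f.line)

# Constructed sample exercising both rules (not taken from any real code base).
SAMPLE = """\
CREATE OR REPLACE PROCEDURE report(p_name IN VARCHAR2, p_id IN NUMBER, p_tab IN VARCHAR2) IS
  v_sql VARCHAR2(4000);
  v_cnt NUMBER;
BEGIN
  -- (1) user input spliced into the statement text, then executed
  v_sql := 'SELECT COUNT(*) FROM users WHERE name = ''' || p_name || '''';
  EXECUTE IMMEDIATE v_sql INTO v_cnt;
  -- (2) identifier validated with DBMS_ASSERT, value passed as a bind: clean
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_tab)
    || ' WHERE id = :1' INTO v_cnt USING p_id;
  -- (3) scratch objects: the sequence is dropped, the temp table is not
  EXECUTE IMMEDIATE 'CREATE SEQUENCE seq_batch';
  EXECUTE IMMEDIATE 'CREATE GLOBAL TEMPORARY TABLE tmp_ids (id NUMBER)';
  EXECUTE IMMEDIATE 'DROP SEQUENCE seq_batch';
END report;
"""
```

Calling scan(SAMPLE) reports line 7 (concatenated statement executed) and line 13 (tmp_ids never dropped) and stays silent on the bind-variable form. A production tool would need a real PL/SQL parser and data-flow across procedures, but this is the shape of the check.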
