Hello,
Are there any 'GOOD' tools (NOT services/SaaS) for PHP and Scala SAST?
Please don't just list tools you found via a google search :)
Regards,
Robert A.
http://www.cgisecurity.com/
http://www.qasec.com/
http://www.webappsec.org/
Out of curiosity, why not a SaaS solution?
TIM JARRETT
Sr. Director, Product Management
E-Mail tjarrett@veracode.com
Office 339.674.2885
Mobile 617.671.9588
Twitter @tojarrett
LinkedIn http://www.linkedin.com/in/tjarrett
On Jun 12, 2014, at 2:40 PM, Robert A. <robert@webappsec.org> wrote:
Are there any 'GOOD' tools (NOT services/SaaS) for PHP and Scala SAST? Please don't just list tools you found via a google search :)
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
I don't want to turn this thread into a tool vs SaaS solution discussion
(which you just did by asking the question as a SaaS vendor).
Just looking for tool suggestions.
Regards,
Robert A.
On Thu, 12 Jun 2014, Tim Jarrett wrote:
Out of curiosity, why not a SaaS solution?
Okay, let's ask a different question: what are your criteria for a tool that you are looking for that is not a top-level google result? Without you being a bit more specific about your filtering system it would be difficult to give you advice beyond generalities.
Cheers,
Ahmed
Ahmed Masud <ahmed.masud@trustifier.com>
Trustifier Inc.
CEO
Toll Free: 1-855-534-5434 x 700
Intl.: +1 301-500-0084 x700
Cell Phone: 240-264-9699
Website: www.trustifier.com
On Thu, Jun 12, 2014 at 3:15 PM, Robert A. robert@webappsec.org wrote:
I don't want to turn this thread into a tool vs SaaS solution discussion
(which you just did by asking the question as a SaaS vendor).
Just looking for tool suggestions.
I know Fortify supports PHP but I am not sure how 'good' that tool is as a
PHP scanner.
On Fri, Jun 13, 2014 at 12:10 AM, Robert A. robert@webappsec.org wrote:
Are there any 'GOOD' tools (NOT services/SaaS) for PHP and Scala SAST?
Please don't just list tools you found via a google search :)
--
Thanks,
Pankaj Upadhyay
I have not seen any SAST for Scala. I have had to tackle Scala in a much more dynamic approach.
Sent from my iPhone
On Aug 19, 2014, at 8:52 AM, "Pankaj Upadhyay" <mr.p.upadhyay@gmail.com> wrote:
I know Fortify supports PHP but I am not sure how 'good' that tool is as a PHP scanner.
NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service
Just tried a quick search of 'PHP' string in the Gartner's quadrant report for SAST and DAST and seems there are a couple of products which offer SAST for PHP but nothing for Scala.
If you don't mind, can I add one more question to the list? Do we know any tool to scan SQL or PL/SQL code to find security issues?
On Tue, Aug 19, 2014 at 9:27 PM, Menerick, John jmenerick@netsuite.com wrote:
I have not seen any SAST for Scala. I have had to tackle Scala in a much
more dynamic approach.
Sent from my iPhone
--
Thanks,
Pankaj Upadhyay
Hi,
If you don't mind, can I add one more question to the list? Do we know
any tool to scan SQL or PL/SQL code to find security issues?
I don't know such a tool, but I wonder:
What kind of issues would you want the tool to find?
Would you want to scan SQL or PL/SQL standalone, or as a part of a
larger application?
How would you want to pass the SQL or PL/SQL to the tool?
Regards,
Paul
--
Pentest - The Application Security Specialists
Shortlisted for Best Security Company, SC Magazine Europe 2014
Pentest Limited
Paul Johnston - IT Security Consultant
Office : +44 (0) 161 233 0100
Mobile : +44 (0) 7817 219 072
Email policy : http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number : 4217114 England & Wales
Registered Office : 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
Certifications : ISO 9001 (50155) / ISO 27001 (IS 558982) / Tiger Scheme
You're right, but generally when you work for an organization, things are not that plain. There could be a separate team working only on frontend, some on middleware, and some may be writing DB queries in SQL or HQL. In this scenario, other than the scanning of the integrated product, what if they want separate scans for their components in early development stages?
What kind of issues?
We talk of parametrized queries to mitigate SQL injection. What if a scanning utility scans PL/SQL code and highlights all such queries which are not parametrized? I'm not a SQL expert, but I am wondering what if a scanning utility can find all those objects which got created inside the PL/SQL block and haven't been deleted after their use.
On Wed, Aug 20, 2014 at 3:06 AM, Paul Johnston paul.johnston@pentest.co.uk wrote:
I don't know such a tool, but I wonder:
What kind of issues would you want the tool to find?
Would you want to scan SQL or PL/SQL standalone, or as a part of a
larger application?
How would you want to pass the SQL or PL/SQL to the tool?
--
Thanks,
Pankaj Upadhyay
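As an added example (not a tool from the thread, and not code written by any of the posters), here is a small Python heuristic that implements the two checks Pankaj describes: flag dynamic SQL sinks (EXECUTE IMMEDIATE, OPEN ... FOR) whose statement text is assembled with || instead of passing values through bind variables, including the case where the text is built into a variable first, and report tables created inside the block that are never dropped. The sample procedure, the regexes and the finding categories are all constructed for this demonstration.

```python
"""Heuristic PL/SQL scanner (added example, not a tool from the thread).
Check 1: dynamic SQL whose statement text is assembled with '||' rather than
passing values through bind variables. Check 2: tables created inside the
block that are never dropped. The sample procedure below is constructed."""
import re
from dataclasses import dataclass

ASSIGN = re.compile(r"(\w+)\s*:=\s*(.+)$", re.S)
SINKS = (  # dynamic-SQL sinks; the group captures the statement expression
    re.compile(r"\bEXECUTE\s+IMMEDIATE\s+(.+)$", re.I | re.S),
    re.compile(r"\bOPEN\s+\w+\s+FOR\s+(.+)$", re.I | re.S),
)
CLAUSE = re.compile(r"\b(INTO|USING|RETURNING|BULK\s+COLLECT)\b", re.I)
CREATE = re.compile(r"'\s*CREATE\s+(?:GLOBAL\s+TEMPORARY\s+)?TABLE\s+(\w+)", re.I)
DROP = re.compile(r"\bDROP\s+TABLE\s+(\w+)", re.I)

@dataclass
class Finding:
    line: int    # 1-based line on which the offending statement starts
    kind: str    # "concat-dynamic-sql" or "undropped-object"
    detail: str  # the sink expression or the object name

def _strip_comment(line):
    """Drop a trailing '--' comment, ignoring '--' inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_str = not in_str
        elif not in_str and line.startswith("--", i):
            return line[:i]
    return line

def _statements(src):
    """Yield (start_line, text); a statement ends at a line ending in ';'.
    Adequate for straight-line procedure bodies, which is what we target."""
    buf, start = [], None
    for no, raw in enumerate(src.splitlines(), 1):
        text = _strip_comment(raw).strip()
        if not text:
            continue
        start = no if start is None else start
        buf.append(text)
        if text.endswith(";"):
            yield start, " ".join(buf).rstrip(";")
            buf, start = [], None
    if buf:
        yield start, " ".join(buf)

def _sql_expr(arg):
    """Part of a sink argument before an INTO/USING/... that is outside quotes."""
    for m in CLAUSE.finditer(arg):
        if arg.count("'", 0, m.start()) % 2 == 0:  # even quotes = outside literal
            return arg[:m.start()].strip()
    return arg.strip()

def scan(src):
    findings, tainted, created, dropped = [], set(), {}, set()
    for no, stmt in _statements(src):
        m = ASSIGN.search(stmt)  # 1. variables built with '||' become tainted
        if m:
            rhs = m.group(2)
            words = {w.upper() for w in re.findall(r"\w+", rhs)}
            if "||" in rhs or words & tainted:
                tainted.add(m.group(1).upper())
        for d in DROP.finditer(stmt):  # 2. remember every DROP, static or dynamic
            dropped.add(d.group(1).upper())
        for sink in SINKS:  # 3. inspect dynamic-SQL sinks
            s = sink.search(stmt)
            if not s:
                continue
            expr = _sql_expr(s.group(1))
            if "||" in expr or expr.upper() in tainted:
                findings.append(Finding(no, "concat-dynamic-sql", expr))
            else:
                c = CREATE.search(expr)
                if c:
                    created[c.group(1).upper()] = no
            break
    for name, no in created.items():
        if name not in dropped:
            findings.append(Finding(no, "undropped-object", name))
    return findings

SAMPLE_PLSQL = """\
CREATE OR REPLACE PROCEDURE find_user(p_name IN VARCHAR2) IS
  v_sql VARCHAR2(4000);
  v_id  NUMBER;
  c     SYS_REFCURSOR;
BEGIN
  -- injectable: caller input is spliced into the statement text
  v_sql := 'SELECT id FROM users WHERE name = ''' || p_name || '''';
  EXECUTE IMMEDIATE v_sql INTO v_id;
  EXECUTE IMMEDIATE 'SELECT id FROM users WHERE name = :1'  -- bind variable: fine
    INTO v_id USING p_name;
  OPEN c FOR 'SELECT * FROM orders WHERE owner = ''' || p_name || '''';
  EXECUTE IMMEDIATE 'CREATE GLOBAL TEMPORARY TABLE tmp_scratch (id NUMBER)';
  EXECUTE IMMEDIATE 'CREATE TABLE tmp_work (id NUMBER)';
  EXECUTE IMMEDIATE 'DROP TABLE tmp_work';
END;
"""
```

Calling `scan(SAMPLE_PLSQL)` yields three findings: the EXECUTE IMMEDIATE on line 8 (it runs `v_sql`, which was built with `||` on line 7), the OPEN ... FOR on line 11 (concatenation directly at the sink), and the `tmp_scratch` table created on line 12 with no matching DROP; the bind-variable statement on lines 9-10 and the `tmp_work` pair are correctly left alone. Static SQL that uses PL/SQL variables directly (`SELECT ... WHERE name = p_name`) is compiled with binds and is not a sink, so the heuristic ignores it. The limits are the usual ones for a regex-based approach and are why Paul's questions matter: it only follows assignments in straight-line code, it does not look through loops, branches, function calls or DBMS_SQL.PARSE, and it cannot tell a harmless constant concatenation from one that carries caller input, so its output is a list of candidates for a reviewer rather than verdicts.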