SonarSource Delivers High-Precision SAST Tooling for Developers

December 21, 2020

SonarSource upgraded its tools to bring unmatched SAST (Static Application Security Testing) precision and performance to developers. Now there's a tool that enables developers to own Code Security!

What that means for developers is code security analysis in the SonarSource tools they are already familiar with: SonarQube and SonarCloud. And SonarSource has taken pains to apply the same "no false positives" rule to security analysis that it uses for its code quality analysis.

SonarSource has been adding SAST analysis to its tools for several years, but its efforts were boosted by the May 2020 acquisition of RIPS-TECH, which specialized in highly precise SAST analysis of PHP. Since the acquisition, the combined team has re-engineered SonarSource's detection of injection vulnerabilities from the ground up to incorporate the best from both companies. The result: today developers have access to unparalleled precision in security analysis of Java, C#, PHP, Python, and JavaScript code in SonarQube and SonarCloud, with more languages to come.

The availability of highly precise SAST analysis in developer tooling represents a stark departure from the previous state of the art. Other SAST tools are built for a security auditor audience rather than developers. They raise a broad swath of issues with the expectation that security auditors will sort through the results to find any true positives.

By targeting developers, SonarSource has taken a different approach: tune the SAST rules to raise only true positives and accept that a few borderline issues may fall through the cracks. "Our approach to Code Security is a true change of paradigm, taking the opposite approach from traditional players who address CISOs, risk and compliance needs, and feel the pain to bridge to development in order to fix issues. With the precision that we offer, developers can be the direct recipient of vulnerability issues. And when you know the level of integration of our products with development pipelines and its level of adoption, it is not difficult to imagine the kind of impact it will have on the security market," SonarSource CEO Olivier Gaudin said.
