
Thursday, October 22, 2015

Static Code Analysis, Source Code Analysis

https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
https://www.owasp.org/index.php/Appendix_A:_Testing_Tools
https://www.owasp.org/index.php/Source_Code_Analysis_Tools


  • Google CodeSearchDiggity - Utilizes Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, GitHub, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every open source code project in existence, simultaneously.
  • FindBugs - Find Bugs (including some security flaws) in Java Programs
  • FxCop (Microsoft) - FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
  • PMD - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
  • PREfast (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs
  • RATS (Fortify) - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
  • OWASP SWAAT Project - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
  • Flawfinder - Scans C and C++ source code for calls to functions known to be risky (e.g. buffer-overflow-prone string functions) and ranks them by risk level
  • RIPS - RIPS is a static source code analyzer for vulnerabilities in PHP web applications
  • Brakeman - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
  • Codesake Dawn - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works for non-web applications written in Ruby.
  • VCG - Scans C/C++, Java, C# and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
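To show what the lexical scanners in this list (Flawfinder, RATS, VCG) actually do under the hood, here is an added example that is not the page's own code and not taken from any of those tools: a minimal Python scanner that strips comments and string literals, flags calls listed in a small banned-function table, and reports an access()/stat() check followed by an open()/fopen() on the same path expression, the TOCTOU pattern RATS looks for. The rule table, severities and the C sample are constructed for this example and are not any tool's real rule database.

```python
import re
from dataclasses import dataclass

# Illustrative banned-function table (assumption, not any tool's real rule set):
# function name -> (severity, advice). Real scanners carry hundreds of entries.
BANNED = {
    "gets":    ("high",   "no bounds check; use fgets"),
    "strcpy":  ("high",   "unbounded copy; use a size-bounded copy"),
    "strcat":  ("high",   "unbounded concatenation; use a size-bounded append"),
    "sprintf": ("medium", "unbounded formatted output; use snprintf"),
    "system":  ("medium", "shell execution; verify the command is not user-controlled"),
}
# TOCTOU pattern: a filesystem check on a path followed by a use of the same path.
CHECK_FUNCS = {"access", "stat", "lstat"}
USE_FUNCS = {"open", "fopen"}

# One-pass tokenizer for block comments, line comments and string literals,
# so that 'strcpy' inside a comment or a printf string is not reported.
_TOKEN_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)
# An identifier immediately followed by '(' is treated as a call.
_CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')
_FIRST_ARG_RE = re.compile(r'\s*([^,)]*)')


@dataclass
class Finding:
    line: int
    func: str
    severity: str
    message: str


def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and strings but keep newlines so line numbers stay valid."""
    def repl(m):
        tok = m.group(0)
        return '""' if tok.startswith('"') else "\n" * tok.count("\n")
    return _TOKEN_RE.sub(repl, src)


def scan_c_source(src: str) -> list:
    """Return findings for banned calls and check-then-use sequences on one path."""
    findings = []
    last_check = {}  # first-argument text -> (check function, line) of the last check
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            first_arg = _FIRST_ARG_RE.match(line, m.end()).group(1).strip()
            if name in BANNED:
                sev, msg = BANNED[name]
                findings.append(Finding(lineno, name, sev, msg))
            if name in CHECK_FUNCS:
                last_check[first_arg] = (name, lineno)
            elif name in USE_FUNCS and first_arg in last_check:
                cname, cline = last_check.pop(first_arg)
                findings.append(Finding(lineno, name, "medium",
                    f"possible TOCTOU: {cname}({first_arg}) at line {cline}, then {name}()"))
    return findings


# Constructed sample input; the line numbers in the comments refer to this text.
SAMPLE = r'''#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* strcpy in a comment must not be reported */
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);              /* line 7: unbounded copy */
    return 0;
}

int read_config(const char *path) {
    char line[256];
    if (access(path, R_OK) != 0)   /* line 13: check ... */
        return -1;
    FILE *f = fopen(path, "r");    /* line 15: ... then use */
    if (f == NULL) return -1;
    fgets(line, sizeof line, f);   /* fgets, not gets: no finding */
    printf("strcpy(%s)\n", line);  /* inside a string literal: no finding */
    return 0;
}
'''

if __name__ == "__main__":
    for f in scan_c_source(SAMPLE):
        print(f"line {f.line}: [{f.severity}] {f.func}: {f.message}")
```

Running it on the sample reports strcpy on line 7 and the access()/fopen() pair on line 15, and nothing for the comment, the string literal or fgets. This is exactly the strength and the limit of this tool class: it is fast and language-light, but it reasons about tokens, not data flow, so a bounded copy behind a macro or an unchecked length passed into a "safe" function goes unnoticed.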