The growing demand for open source code review tools has been driven by the need for trustworthy and dependable means of building secure applications. In software, data and application security count for a great deal, so applications should be built to be as secure as is practical. This matters all the more because most publicly known security breaches exploit classes of weakness that were already well documented: the IT community failed to foresee, capture and address them during the design, development or testing phase.

For many organizations, open source static code analysis tools are the only realistic way to address this gap. Many commercial static analysis tools are expensive and beyond their budget, and the licensing models may not suit smaller development teams.

Points to consider when choosing an open source code review tool

Whether the static analysis tool is commercial or open source, most of the parameters to consider when choosing it remain the same. The following list can help.

  1. What programming languages does the tool support? Does it cover all or most of the languages and IDEs your organization uses?
  2. Will the tool work well with the other tools in your development environment, such as your build system and version control, or can it be easily integrated into them?
  3. How large is the rule set or vulnerability database the tool checks against? Does it cover the issue classes your organization most needs to address?
  4. How easy is the tool to install and use? Is it complex, and will it need comprehensive training?
  5. Will it make life simpler for the development and testing teams, or will it hurt their productivity? How much of a trade-off can you afford on these factors?
  6. Is dedicated support available for the tool? Issues are likely to come up and will need to be addressed.
  7. What is the tool's accuracy? How many of its findings are false positives, and how many known weaknesses does it miss?

Decision makers can answer these questions through a trial or evaluation period: run the tool on a representative code base, preferably one containing weaknesses that are already known, and record how it performs against each of the parameters above.
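The accuracy question (item 7) is the hardest to answer from a vendor's description, but it is easy to measure during a trial if the evaluation code base contains seeded, known weaknesses. The following Python script is an added example, not code from the original article or from any of the tools it names: it parses a SARIF-shaped report (the JSON format many static analyzers can emit) and scores the findings against a ground-truth list. The report, the file paths, the rule identifiers and the seeded weaknesses are all constructed for illustration and do not correspond to any real tool's output.

```python
"""Score a static analysis tool's findings against seeded ground truth.

Added example for measuring criterion 7 (accuracy) during a trial period.
The report below is a constructed, SARIF-shaped document; the file names
and rule IDs are hypothetical and are not any real tool's output.
"""
import json

# Constructed report in the shape of a SARIF 2.1.0 document:
# runs[].results[].ruleId and results[].locations[].physicalLocation.
REPORT_JSON = json.dumps({
    "runs": [{
        "results": [
            {"ruleId": "sql-injection", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/models/user.rb"},
                "region": {"startLine": 43}}}]},
            {"ruleId": "xss", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/views/posts/show.html.erb"},
                "region": {"startLine": 8}}}]},
            {"ruleId": "xss", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/views/layouts/application.html.erb"},
                "region": {"startLine": 3}}}]},
            {"ruleId": "weak-hash", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "lib/crypto.rb"},
                "region": {"startLine": 5}}}]},
            {"ruleId": "command-injection", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "lib/tasks/deploy.rake"},
                "region": {"startLine": 12}}}]},
        ]
    }]
})

# Weaknesses deliberately seeded into the trial code base: (file, line, rule).
# Constructed for this example; in practice this list comes from the team
# that prepared the evaluation code base.
GROUND_TRUTH = [
    ("app/models/user.rb", 42, "sql-injection"),
    ("app/controllers/files_controller.rb", 17, "path-traversal"),
    ("app/views/posts/show.html.erb", 8, "xss"),
    ("lib/crypto.rb", 5, "weak-hash"),
]


def parse_sarif(text):
    """Return a list of (file, line, rule) tuples from a SARIF document."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "unknown")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                if uri is not None and line is not None:
                    findings.append((uri, int(line), rule))
    return findings


def score(findings, truth, line_tolerance=2):
    """Match findings to seeded weaknesses and compute precision and recall.

    A finding matches a seeded weakness when file and rule agree and the
    reported line is within `line_tolerance` lines, because tools often flag
    the enclosing statement rather than the exact seeded line. Each seeded
    weakness is matched at most once, so duplicate reports count as noise.
    Unmatched findings are reported as false positives for scoring purposes,
    but they still deserve triage: a tool may find a real bug nobody seeded.
    """
    unmatched = set(truth)
    true_pos = 0
    false_pos = []
    for path, line, rule in findings:
        hit = next((t for t in unmatched
                    if t[0] == path and t[2] == rule
                    and abs(t[1] - line) <= line_tolerance), None)
        if hit is not None:
            unmatched.discard(hit)
            true_pos += 1
        else:
            false_pos.append((path, line, rule))
    return {
        "true_positives": true_pos,
        "false_positives": false_pos,
        "false_negatives": sorted(unmatched),
        "precision": true_pos / len(findings) if findings else 0.0,
        "recall": true_pos / len(truth) if truth else 0.0,
    }


if __name__ == "__main__":
    result = score(parse_sarif(REPORT_JSON), GROUND_TRUTH)
    print(f"precision={result['precision']:.2f} recall={result['recall']:.2f}")
    for f in result["false_positives"]:
        print("unconfirmed finding (triage):", f)
    for m in result["false_negatives"]:
        print("missed seeded weakness:", m)
```

Run the same script against each candidate tool's report on the same code base and the precision and recall figures become directly comparable, which is far more useful than a vendor's claimed accuracy rate. Recall on seeded weaknesses also tells you which issue classes from item 3 a tool simply does not detect.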

Options

The options to consider include VisualCodeGrepper (C/C++, Java, C#, PHP and others), Yasca (multi-language), OWASP LAPSE+ (Java), RIPS and DevBug (PHP), Flawfinder and Cppcheck (C/C++) and Brakeman (Ruby on Rails). Each has its own pros and cons, supported languages and configuration options, which should be checked against the list above. The aim is to arrive at the tool that best addresses the main issue, ensuring that secure applications are built on time and within the allocated budget. There can be no compromise on security, and using open source static code review tools is a big step toward enforcing that, although static analysis complements rather than replaces manual code review and security testing. Whichever tool is chosen, the whole team has to be in sync with the objective and work as one with it in mind. Basic training can be provided to the team to build that awareness.