Expanding CodeSonar SAST Capabilities with Java and C#
GrammaTech recently acquired the intellectual property and assets of JuliaSoft S.r.l. to extend its CodeSonar Static Application Security Testing (SAST) platform with automated code analysis for Java and C# code. This is an exciting announcement because of how well the Julia static analysis engine fits with CodeSonar and with both teams' approach to quality, safety and security. As a longtime partner, JuliaSoft had already integrated their engine with CodeSonar, so we were familiar with their tools and how effective they are.
In the end, this acquisition and integration will give customers a unified solution for reliably detecting and tracking security vulnerabilities and other defects in their applications. Developers will be able to run static analysis on C, C++, Java and C# code and develop secure applications faster, all in a single, unified environment.
SAST is in Demand
As stated in our press release for the acquisition, this quote from Gartner illustrates just how important SAST has become:
“Gartner has observed the major driver in the evolution of the AST (Application Security Testing) market is the need to support enterprise DevOps initiatives. Customers require offerings that provide high-assurance, high-value findings while not unnecessarily slowing down development efforts. Clients expect offerings to fit earlier in the development process, with testing often driven by developers rather than security specialists.”
Source: Gartner, “Magic Quadrant for Application Security,” by Mark Horvath, Dionisio Zumerle and Dale Gardner, 29 April 2020.
Enterprise customers from all fields of development are looking for a static analysis and SAST platform that supports the languages they work in. We are not just expanding CodeSonar with the Julia engine but unifying two best-of-breed solutions. Julia's excellent performance on Java and C# is what makes it such a good fit for GrammaTech and CodeSonar.
Julia is a Great Fit with CodeSonar
The Julia tools pride themselves on precision and recall in much the same way we do with CodeSonar. For more details on our approach, see a previous post where we go into the human factors involved in evaluating static analysis tools and their results. To summarize: false positives are inevitable with any static analysis tool, and the real usefulness of a tool lies in presenting the important security vulnerabilities and bugs without overwhelming developers with information. Static analysis is inexact because only a fixed amount of computation time is available to produce usable results in a reasonable timeframe, for example during a typical project build. It is this focus on the fidelity of results that makes the Julia engine a perfect fit.
Consider Julia's results in the OWASP Benchmark, where it scores 100% in detecting all of the vulnerabilities with an overall false positive rate of 10%, beating most other open source and commercial tools on the market. To achieve this, Julia uses next-generation static analysis with a radically different approach from the traditional techniques used by most competitors. Based on more than ten years of academic research, the technology relies on a mathematical technique called Abstract Interpretation, which provides the precision and completeness of the results. In fact, Julia is the only tool (commercial or otherwise) to score in the "Ideal vulnerability detection" area of the benchmark results.
Julia OWASP Benchmark results
Just like CodeSonar, Julia interprets the code semantically and identifies errors with high precision in the categories covered by the analysis. The tools also work on Java bytecode, which means third-party libraries can be analyzed even when their source isn't available. As with CodeSonar, Julia helps you correct vulnerabilities: developers can consult individual warnings directly on the line of code within their IDE, categorize the results according to their context and the type and severity of the error, get help on the meaning of a warning and its impact, and follow an execution trace that leads to the root cause.
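The two ideas above, that a semantic analysis can flag every real defect of a category while still producing some false positives, and that Abstract Interpretation is what gives such an analysis its guarantees, are easier to see on a concrete program. The following is an added illustration written for this post; it is not CodeSonar or Julia code and the toy language, the interval domain and the sample programs are all constructed here. It runs a minimal interval-domain abstract interpreter over a tiny statement list and reports array indexes that are definitely or possibly out of bounds. The second sample shows where the imprecision comes from: the analysis forgets that `i` depends on `flag` when it joins the two branches, so it reports a "possible" defect on a path that can never execute.

```python
"""Interval-domain abstract interpreter for a constructed toy language.

Added example, not CodeSonar or Julia code. Statements are tuples:
  ("assign", var, expr)              expr: ("const", n) | ("var", x) | ("add", e1, e2)
  ("if", ("lt", var, n), then, else) branches are statement lists
  ("index", arr, length, var)        array access arr[var] on an array of `length`
Every variable is over-approximated by one interval, so the analysis is
sound for this language (no missed out-of-bounds) but not precise.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INF = float("inf")


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def join(self, other: "Interval") -> "Interval":
        # Least upper bound: the smallest interval containing both inputs.
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def add(self, other: "Interval") -> "Interval":
        return Interval(self.lo + other.lo, self.hi + other.hi)


State = Dict[str, Interval]       # abstract value of every variable
Warning = Tuple[str, str]         # ("definite" | "possible", message)


def eval_expr(expr: tuple, state: State) -> Interval:
    kind = expr[0]
    if kind == "const":
        return Interval(expr[1], expr[1])
    if kind == "var":
        return state[expr[1]]
    if kind == "add":
        return eval_expr(expr[1], state).add(eval_expr(expr[2], state))
    raise ValueError(f"unknown expression {kind}")


def join_states(a: Optional[State], b: Optional[State]) -> Optional[State]:
    # None is "bottom": an unreachable path contributes nothing to the join.
    if a is None:
        return b
    if b is None:
        return a
    # Only variables defined on both paths survive the join.
    return {v: a[v].join(b[v]) for v in a.keys() & b.keys()}


def refine(cond: tuple, state: State, holds: bool) -> Optional[State]:
    # Narrow the tested variable using "var < n" or its negation.
    _, var, n = cond
    iv = state[var]
    new = Interval(iv.lo, min(iv.hi, n - 1)) if holds else Interval(max(iv.lo, n), iv.hi)
    if new.lo > new.hi:
        return None  # branch is infeasible under this abstract state
    return {**state, var: new}


def run(block: List[tuple], state: Optional[State], warnings: List[Warning]) -> Optional[State]:
    for stmt in block:
        if state is None:
            return None
        op = stmt[0]
        if op == "assign":
            state = {**state, stmt[1]: eval_expr(stmt[2], state)}
        elif op == "if":
            _, cond, then_block, else_block = stmt
            then_out = run(then_block, refine(cond, state, True), warnings)
            else_out = run(else_block, refine(cond, state, False), warnings)
            state = join_states(then_out, else_out)   # path sensitivity is lost here
        elif op == "index":
            _, arr, length, var = stmt
            iv = state[var]
            rng = f"[{iv.lo}, {iv.hi}]"
            if iv.hi < 0 or iv.lo >= length:
                warnings.append(("definite", f"{arr}[{var}] with {var} in {rng} is always outside [0, {length - 1}]"))
            elif iv.lo < 0 or iv.hi >= length:
                warnings.append(("possible", f"{arr}[{var}] with {var} in {rng} may be outside [0, {length - 1}]"))
        else:
            raise ValueError(f"unknown statement {op}")
    return state


def analyze(program: List[tuple], inputs: State) -> List[Warning]:
    warnings: List[Warning] = []
    run(program, dict(inputs), warnings)
    return warnings


# Constructed sample 1: a real defect, index 5 into a length-5 buffer.
REAL_BUG = [
    ("assign", "i", ("const", 0)),
    ("assign", "i", ("add", ("var", "i"), ("const", 5))),
    ("index", "buf", 5, "i"),
]

# Constructed sample 2: both ifs test the same flag, so buf[i] only runs
# with i == 0. After the first if the analysis only knows i in [0, 10] and
# has forgotten its link to flag, so it emits a "possible" false positive.
CORRELATED = [
    ("if", ("lt", "flag", 1), [("assign", "i", ("const", 0))], [("assign", "i", ("const", 10))]),
    ("if", ("lt", "flag", 1), [("index", "buf", 5, "i")], []),
]

# Constructed sample 3: provably in bounds, no warning.
SAFE = [("assign", "i", ("const", 3)), ("index", "buf", 5, "i")]

if __name__ == "__main__":
    for name, prog, inp in [("REAL_BUG", REAL_BUG, {}),
                            ("CORRELATED", CORRELATED, {"flag": Interval(-INF, INF)}),
                            ("SAFE", SAFE, {})]:
        print(name, analyze(prog, inp))
```

The "definite" versus "possible" split is the part a triage workflow cares about: a definite finding is worth an immediate fix, while a possible one needs the execution trace to decide whether the abstraction or the code is at fault. Recovering the lost correlation in sample 2 is exactly what more precise (and more expensive) domains and path-sensitive reasoning buy, which is the trade-off between analysis time and false positives the post describes.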
This post was originally published at https://blogs.grammatech.com/expanding-codesonar-sast-capabilities-with-java-and-c