IDE Plug-ins - A Security Testing Way to Automate Code Review

In a traditional SDLC, manual code review happens only after the code has been written, so defects are found late, and finding and fixing them then costs far more time and resources than catching them while the code is being typed; the review itself becomes a costly bottleneck.
With IDE plugins, much of that review happens automatically as the developer writes code: the plugin detects coding defects (security vulnerabilities, coding errors, poor coding practices and so on) during the construction phase. Many plugins also explain each finding and suggest a fix, so manual review effort shrinks and the developer can jump straight to the defect and read how to correct it. Most of them accept custom rules and guidelines as well, so a company's own frameworks and policies can be encoded and enforced in the editor. They complement rather than replace a manual review: a plugin only knows the patterns it has rules for, and each finding still needs a developer to confirm it.
Plugins That Detect Security Vulnerabilities
ASIDE
Application Security plugin for Integrated Development Environment (ASIDE) from OWASP is an open source Eclipse plugin designed to help developers write more secure code by detecting potentially vulnerable code and offering correct fixes while the program is being written in the IDE.
It consists of two branches: the ASIDE branch, which detects software vulnerabilities in Java and PHP code and helps the developer write secure code, and the ESIDE branch, which focuses on teaching students secure programming knowledge and practices (for Java).
SecureAssist
Cigital SecureAssist is a commercial lightweight static analysis tool that identifies security vulnerabilities and gives the developer guidance to fix each problem immediately. SecureAssist supports Java, .NET and PHP and integrates directly into development environments such as Eclipse and Visual Studio. It ships with an enterprise server portal for managing users and groups and for tracking usage statistics and reports.
FindSecBugs
FindSecBugs (Find Security Bugs) is an open source security plugin for the FindBugs static analyser. It detects potentially vulnerable Java code and explains how to fix each finding while the program is being written. Through FindBugs it can be used within IDEs such as Eclipse, NetBeans and IntelliJ IDEA.
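The following is an added example, not code from this page or from the FindSecBugs project. It shows two defects of the kind a security plugin underlines in the editor, each beside its fix, with the FindSecBugs bug pattern name each one is reported under. The table, column and directory names are made up for illustration, and the JDBC methods assume a caller supplies an open connection.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not code from the page or from the FindSecBugs project.
 * Two findings a security plugin raises while the code is typed, each next
 * to its fix. Table, column and directory names are made up.
 */
public class SecurityFindings {

    // Vulnerable: the caller's input is spliced into the SQL text, so a
    // username such as  x' OR '1'='1  rewrites the query. FindSecBugs
    // reports this as SQL_INJECTION_JDBC.
    public static String findEmailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // Fixed: a parameterised query keeps the value out of the SQL text,
    // so the driver sends it as data, never as part of the statement.
    public static String findEmailSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // Vulnerable: a request parameter is used directly as a file name, so
    // "../../etc/passwd" escapes the upload directory. FindSecBugs reports
    // this as PATH_TRAVERSAL_IN.
    public static byte[] readUploadUnsafe(Path uploadDir, String requestedName) throws IOException {
        return Files.readAllBytes(uploadDir.resolve(requestedName));
    }

    // Fixed: canonicalise the resolved path and refuse anything that leaves
    // the base directory. A taint-based detector may still underline the
    // read; the explanation the plugin shows is what lets the developer
    // confirm the check and dismiss the finding deliberately. Symlinks
    // created inside the directory are a separate concern not covered here.
    public static byte[] readUploadSafe(Path uploadDir, String requestedName) throws IOException {
        Path base = uploadDir.toRealPath();
        Path candidate = base.resolve(requestedName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("rejected: " + requestedName + " resolves outside " + base);
        }
        return Files.readAllBytes(candidate);
    }

    // Stand-alone demonstration of the path check against a constructed
    // temporary directory; the JDBC methods need a database connection and
    // are only compiled here.
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        Files.write(dir.resolve("report.txt"), "quarterly figures".getBytes());
        System.out.println(new String(readUploadSafe(dir, "report.txt")));
        try {
            readUploadSafe(dir, "../../etc/passwd");
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Compile and run with `javac SecurityFindings.java && java SecurityFindings`; the first call returns the file content and the second is rejected before any read happens. Opening the file in an IDE with FindSecBugs enabled marks the two unsafe methods; the fixed SQL method produces no finding, while the fixed path method may still be marked and needs the developer's judgement.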
Plugins that Detect Generic Code Defects
FindBugs
FindBugs is an open source static analysis tool for Java. It looks for more than 200 bug patterns, such as null pointer dereferences, infinite recursive loops, misuse of the Java libraries and deadlocks, and in large applications it typically finds hundreds of serious defects (about one per 1000 to 2000 lines of non-commenting source statements). FindBugs can be run from the command line or from Ant, Eclipse, Maven, NetBeans and Emacs.
PMD
PMD is a source code analyser, available as an IDE plugin, that scans Java source code for potential problems such as:
- Generic bugs - empty try/catch/finally/switch statements
- Dead code - unused local variables, parameters and private methods
- Suboptimal code - wasteful String/StringBuffer usage
- Overcomplicated expressions - unnecessary if statements, for loops that could be while loops
- Duplicate code - copied and pasted code means copied and pasted bugs
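The following is an added example, not code from this page, from FindBugs or from PMD. Each method pair shows one of the generic defects listed above beside its fix, with the FindBugs bug pattern or PMD rule under which the tool reports it. The names and sample data are made up, and the `main` method assumes Java 9 or later for `Map.of` and `List.of`.

```java
import java.util.List;
import java.util.Map;

/**
 * Added example, not code from the page, FindBugs or PMD. Each pair shows a
 * generic defect next to its fix, with the pattern or rule the tool reports.
 * Names and data are made up.
 */
public class GenericFindings {

    // FindBugs NP_NULL_ON_SOME_PATH: the null case is noticed, then the same
    // variable is dereferenced anyway on that path.
    static String customerNameUnsafe(Map<String, String> byId, String id) {
        String name = byId.get(id);
        if (name == null) {
            System.err.println("unknown customer " + id);
        }
        return name.trim();
    }

    // Fixed: the null branch returns instead of falling through.
    static String customerNameSafe(Map<String, String> byId, String id) {
        String name = byId.get(id);
        if (name == null) {
            return "";
        }
        return name.trim();
    }

    // PMD EmptyCatchBlock: the failure is swallowed and a malformed
    // quantity silently becomes zero.
    static int parseQuantityUnsafe(String raw) {
        int qty = 0;
        try {
            qty = Integer.parseInt(raw);
        } catch (NumberFormatException e) {
        }
        return qty;
    }

    // Fixed: the failure is reported to the caller with its cause attached.
    static int parseQuantitySafe(String raw) {
        try {
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("quantity is not a number: " + raw, e);
        }
    }

    // FindBugs SBSC_USE_STRINGBUFFER_CONCATENATION and PMD
    // UseStringBufferForStringAppends: quadratic string building in a loop.
    // PMD UnusedLocalVariable: 'count' is assigned but never read.
    static String csvLineUnsafe(List<String> cells) {
        String line = "";
        int count = 0;
        for (String cell : cells) {
            line = line + cell + ",";
        }
        return line;
    }

    // Fixed: a single join, no trailing comma and no dead variable.
    static String csvLineSafe(List<String> cells) {
        return String.join(",", cells);
    }

    // PMD UnusedPrivateMethod: dead code that nothing calls.
    private static void legacyTotal() {
    }

    // Exercises the fixed versions on constructed data.
    public static void main(String[] args) {
        Map<String, String> customers = Map.of("c1", " Alice ");
        System.out.println(customerNameSafe(customers, "c1"));
        System.out.println(customerNameSafe(customers, "c2").isEmpty());
        System.out.println(parseQuantitySafe(" 12 "));
        System.out.println(csvLineSafe(List.of("c1", "12", "9.99")));
    }
}
```

Opening this file in an IDE with the FindBugs and PMD plugins enabled marks each unsafe method and the unused private method in the editor; the fixed methods produce no findings. Running it with `javac GenericFindings.java && java GenericFindings` shows the fixed versions behaving as intended.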