Code Scanning (Secure Coding Course)


This topic contains 10 replies, has 9 voices, and was last updated by  s3crafcp 3 years, 3 months ago.



    What are some recommended code scanners for conducting code reviews to help catch some of these errors?


    Sunny Wear

    Thank you for your question. Static code analyzers (scanners) can be either purchased or freely available for every language. Start with the target language you wish to scan. Then, start to google for “code scanners” in that language. If, for example, you wish to find a code scanner for Java, there are a plethora of code scanners available as Eclipse plugins; take a look at the Eclipse marketplace as a starting point. Those scanners tend to be free for individual use. For commercial use there are scanners like HP Fortify, Veracode and Checkmarx. These products have different models and pricing for various types of scans (e.g., on-premise, cloud-based, etc.).

    Is there a particular language you are looking to scan?
    I hope this information is helpful to you.



    Thank you for the response. The app is a hybrid of JavaScript with calls to AngularJS, and it uses Ionic as well. I will try Eclipse for a Java scanner. Right now I will have to use a free scanner.



    @sunnywear Glad to check your course on Cybrary. Thanks for the nice explanation.

    Can you please suggest the tools and methodologies to carry out the secure code review process for different languages?
    What are the ways to perform secure code review?



    Sunny Wear

    Thank you for your question. OWASP is a great website to start your search for secure code review guides and checklists. For example,

    These are just starting points, however, to help focus your energies in a particular direction. You will still need to customize the checklists to tailor-fit your code base. For example, if you wish to perform a secure code review on Java, then you can google for the Java Secure Code Cheat Sheet to help you get started. But if you are also using the Struts framework, then you would need to tailor that checklist to include areas where vulnerabilities or bugs are commonly found when programmers code in Struts.

    Tools to assist in this endeavor include static code analyzers which I’ve provided details about in an earlier forum response, so please consult that.

    Methodologies to assist you should include the OWASP Application Security Verification Standard (ASVS) Project:
    These tasks would need to be blended into your existing SDLC in order to mitigate risk and lower costs associated with coding vulnerabilities.

    I hope this is helpful to you.



    Thanks for sharing.



    Nice info.


    Haroon Mansoori

    Does anyone know of info/links for cheat sheets and tools for .NET/C# (Microsoft platform)?



    Some problems can be solved with scanners, but human intuition is needed as well.



    I’m trying to become a web application security analyst and have talked to someone already in the industry who told me it’s important to know how to use a static scanner. Does Cybrary have a course on code scanning? I haven’t been able to find it.



    Thanks for sharing!
