SAST for JavaScript
A Brief Overview of Commercial Tools
Achim D. Brucker
achim.brucker@sap.com
SAP AG, Central Code Analysis Team
June 30, 2014
SAST for JavaScript: A Brief Overview of Commercial Tools
Abstract
Static application security testing (SAST) is a widely used technique that helps to find security vulnerabilities
in program code at an early stage of the software development life-cycle. For some years now, JavaScript has
been gaining popularity as an implementation language for large applications. Consequently, there is a demand
for SAST tools that support JavaScript.
We briefly report on our method for evaluating SAST tools for JavaScript and summarize the results of
our analysis.
© 2014 SAP AG. All Rights Reserved. Page 2 of 8
Static Code Analysis at SAP
Analyzed Languages (LoC) in 12/2013:
  ABAP         42%
  C/C++        13%
  Java         30%
  JavaScript    7%
  Others        8%
• Since 2010, mandatory for all products
• Multiple billions lines analyzed
(several thousands of products/projects)
• JavaScript:
• Will overtake C/C++ in 2014
• Average size ca. 200 kLoC (up to several mLoC)
• Also important: SQLScript, Python, Ruby
We also use: Perl, TCL, R, . . .
• Mainly used tools:
  Language   Tool             Vendor
  ABAP       CVA (SLIN_SEC)   SAP
  C/C++      Coverity         Coverity
  Others     Fortify          HP
Initial Observation and Assessment of Situation
Initial Situation:
• Increasing adoption of scripting languages
(client-side and server-side, large frameworks, etc.)
• High false negative rate
(in contrast to most other languages)
Market Analysis:
• Only three tools
• commercially supported
• with broad security scope
• Many other tools
• specialized (e.g., only DOM-based XSS)
• already failed at parsing our code
Evaluation and Assessment Approach
Evaluation:
• We used the most sensitive “default” configuration
(no SAP-specific template/filters)
• We used the same evaluation targets
• library of JavaScript “challenges”
(own examples, test cases from IBM Research)
• three SAP applications of different size
(including one with server-side JavaScript using the
XS Engine)
Assessment:
• Overall analysis:
• how many findings in total
• reported categories
• Detailed comparison for
• XSS-variants
• All findings of the two topmost
priorities (high)
Result Overview (Test Library)
                        X      Z      Y
  Scan duration (in s)  246    246    1147
  Findings (all)        111    118    242
  Findings (high)       52     80     119
  True positive         +      +++    ++
  False negatives       -      +      +
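As an added example (not from the slides), the following Node.js script scores a tool's findings against a labelled challenge library the way the assessment approach above compares tools: it counts findings in total and for the top priorities only, derives true positives and false negatives, reports per-category recall (what a detailed comparison of XSS variants needs), and shows which check produces most of the false positives. All file names, line numbers, categories, check ids and the one-line matching tolerance are constructed assumptions.

```javascript
// Added example: scoring SAST findings against a labelled challenge library.
// Everything below (files, lines, categories, check ids) is constructed sample data.

// Ground truth: one entry per vulnerability deliberately planted in the test library.
const groundTruth = [
  { file: 'dom-xss-1.js',   line: 12, category: 'XSS' },
  { file: 'dom-xss-2.js',   line: 8,  category: 'XSS' },
  { file: 'reflected-1.js', line: 21, category: 'XSS' },
  { file: 'regexp-dos.js',  line: 5,  category: 'RegExpDoS' },
  { file: 'eval-1.js',      line: 3,  category: 'CodeInjection' },
];

// Findings as one (constructed) tool reported them; `check` is the tool's rule id.
const toolFindings = [
  { file: 'dom-xss-1.js', line: 12, category: 'XSS',           check: 'xss-dom',        priority: 'high' },
  { file: 'dom-xss-2.js', line: 9,  category: 'XSS',           check: 'xss-dom',        priority: 'high' },   // one line off
  { file: 'eval-1.js',    line: 3,  category: 'CodeInjection', check: 'dangerous-eval', priority: 'high' },
  { file: 'util.js',      line: 40, category: 'XSS',           check: 'xss-generic',    priority: 'high' },   // noise
  { file: 'util.js',      line: 77, category: 'XSS',           check: 'xss-generic',    priority: 'high' },   // noise
  { file: 'app.js',       line: 15, category: 'XSS',           check: 'xss-generic',    priority: 'medium' }, // noise
];

// Compare findings with the ground truth. A finding is a true positive when file and
// category agree and the reported line is within `lineTolerance` of the planted one
// (assumption: tools may report the sink, the source, or a line in between).
// Each planted vulnerability is credited at most once. `priorities` restricts the
// comparison to the given priority levels, e.g. only the "high" findings.
function score(truth, findings, { lineTolerance = 1, priorities = null } = {}) {
  const considered = priorities ? findings.filter((f) => priorities.includes(f.priority)) : findings;
  const credited = new Set();   // indices into `truth` that already have a matching finding
  const falsePositives = [];
  for (const f of considered) {
    const idx = truth.findIndex((t, i) =>
      !credited.has(i) && t.file === f.file && t.category === f.category &&
      Math.abs(t.line - f.line) <= lineTolerance);
    if (idx === -1) falsePositives.push(f); else credited.add(idx);
  }
  const falseNegatives = truth.filter((_, i) => !credited.has(i));
  const truePositives = credited.size;
  return {
    total: considered.length,
    truePositives,
    falsePositives,
    falseNegatives,
    precision: considered.length ? truePositives / considered.length : 0,
    recall: truth.length ? truePositives / truth.length : 0,
  };
}

// Which check accounts for most of the false positives? Useful when, as observed on
// the slides, a single check of a tool generates most of its (noisy) findings.
function dominantCheck(falsePositives) {
  const counts = new Map();
  for (const f of falsePositives) counts.set(f.check, (counts.get(f.check) || 0) + 1);
  return [...counts.entries()].sort((a, b) => b[1] - a[1])[0] || null;
}

// Per-category recall: planted vs. found vulnerabilities for each category.
function recallByCategory(truth, result) {
  const missed = new Set(result.falseNegatives);
  const out = {};
  for (const t of truth) {
    const c = out[t.category] || (out[t.category] = { planted: 0, found: 0 });
    c.planted += 1;
    if (!missed.has(t)) c.found += 1;
  }
  return out;
}

const all = score(groundTruth, toolFindings);
const high = score(groundTruth, toolFindings, { priorities: ['high'] });
console.log('all findings:', all.total, 'TP', all.truePositives, 'FP', all.falsePositives.length, 'FN', all.falseNegatives.length);
console.log('high only   :', high.total, 'TP', high.truePositives, 'FP', high.falsePositives.length);
console.log('noisiest check:', dominantCheck(all.falsePositives));
console.log('recall by category:', recallByCategory(groundTruth, all));
```

The line tolerance matters more than it looks: with `lineTolerance: 0` the second DOM-XSS finding above becomes a false positive and the tool's recall drops, so the tolerance used in a comparison has to be the same for every tool.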
We also tested three SAP applications
• Rather small (less than 100 kLoC)
• Scalability is not a (big) problem
(nightly scans are acceptable)
• Identified many aspects currently missing
in test library
Observations:
• Only Z allows for
• modifying existing checks
• writing own checks
• Y and Z have a better understanding of
core JavaScript (they are very close)
• X and Z each have one check that reports
most of the findings (false positives)
• Z includes checks for
• use of outdated libraries (e.g., jQuery)
• RegExp injection / RegExp DoS
• X includes checking of J2EE configurations
• Y mainly reports OWASP Top Ten
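Added example, not taken from the slides or from any of the evaluated tools: a minimal line-based checker that illustrates treating an analyzer as a framework in which existing checks can be modified and new ones written, with rules for finding classes named above (RegExp injection, RegExp DoS, outdated jQuery). The sample source, rule ids, patterns and the jQuery version threshold are constructed; a real tool works on an AST with data-flow tracking, so these regex rules only sketch the rule-authoring shape.

```javascript
// Added example: a minimal, pluggable line-based checker. Rule ids, patterns, the
// jQuery version threshold and the sample source are constructed for illustration;
// real analyzers work on an AST with data-flow tracking, not on single lines.

const MIN_JQUERY = [1, 9];   // assumed policy: anything older is reported as outdated

// A rule has an id, a description and either a `pattern` (RegExp tested against each
// source line) or a `test(line)` function for checks that need more than a match.
const rules = [
  {
    id: 'js-regexp-injection',
    description: 'new RegExp(...) built from a non-literal value (RegExp injection)',
    pattern: /new\s+RegExp\(\s*(?!['"`\/])[^)]/,   // first argument is not a string/regex literal
  },
  {
    id: 'js-regexp-dos',
    description: 'regex literal with a nested quantifier such as (a+)+ (RegExp DoS shape)',
    pattern: /\/[^\/\n]*\([^()\/]*[+*]\)[+*][^\/\n]*\//,
  },
  {
    id: 'js-outdated-jquery',
    description: 'jQuery library header below the minimum version',
    test: (line) => {
      const m = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)/.exec(line);
      if (!m) return false;
      const major = Number(m[1]), minor = Number(m[2]);
      return major < MIN_JQUERY[0] || (major === MIN_JQUERY[0] && minor < MIN_JQUERY[1]);
    },
  },
];

// Run every rule over every line and collect findings with 1-based line numbers.
function runChecks(source, ruleSet = rules) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const rule of ruleSet) {
      const hit = rule.test ? rule.test(line) : rule.pattern.test(line);
      if (hit) findings.push({ rule: rule.id, line: i + 1, text: line.trim() });
    }
  });
  return findings;
}

// "Modifying existing checks": return a new rule set with one rule's fields overridden.
function customize(ruleSet, id, overrides) {
  return ruleSet.map((r) => (r.id === id ? { ...r, ...overrides } : r));
}

// Stricter variant of the injection rule that also flags the call form RegExp(x).
const strictRules = customize(rules, 'js-regexp-injection', {
  description: 'RegExp(...) or new RegExp(...) built from a non-literal value',
  pattern: /(?:new\s+)?RegExp\(\s*(?!['"`\/])[^)]/,
});

// Constructed sample source (a "challenge" in the sense of the slides' test library).
const sample = `
/*! jQuery JavaScript Library v1.4.2 */
function filter(list, userInput) {
  const re = new RegExp(userInput);   // pattern taken from input: RegExp injection
  const re2 = RegExp(userInput);      // call form, only the strict rule sees it
  return list.filter((s) => re.test(s));
}
const safe = new RegExp('^[a-z]+$');  // literal pattern: not reported
const evil = /^(a+)+b$/;              // nested quantifier: RegExp DoS shape
`;

console.log(runChecks(sample));
console.log(runChecks(sample, strictRules).length, 'findings with the stricter rule');
```

The point of `customize` is the one the slide makes about Z: a check you can tune (here, widening the injection rule to the call form) is what turns a fixed scanner into a framework; with a fixed rule set the second `RegExp(userInput)` call would never be reported.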
Conclusion and Outlook
• There is no good static analysis tool for JavaScript (applied) security available
• Static analyzers should be understood as frameworks (instead of off-the-shelf tools)
• Frameworks and the lack of modules create challenges as hard as core JavaScript itself
• Good benchmark/evaluation libraries (similar to SAMATE) are needed
Response from tool vendors:
• Unsatisfactory results confirmed
• Fourth tool currently under development
And finally
• if you have questions (or want to discuss example libraries), please approach me
• if you want to see code examples, see my talk on Wednesday
© 2014 SAP AG. All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be changed
without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM,
z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power
Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC,
BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF,
Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli
and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide
Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for
technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and other
countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd.
Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and
services mentioned herein as well as their respective logos are trademarks or registered trademarks of
Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data
contained in this document serves informational purposes only. National product specifications may
vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced,
copied, or transmitted in any form or for any purpose without the express prior written permission of
SAP AG.
This document is a preliminary version and not subject to your license agreement or any other
agreement with SAP. This document contains only intended strategies, developments, and
functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course
of business, product strategy, and/or development. Please note that this document is subject to change
and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this
material. This document is provided without a warranty of any kind, either express or implied, including
but not limited to the implied warranties of merchantability, fitness for a particular purpose, or
non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect,
or consequential damages that may result from the use of these materials. This limitation shall not
apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over
the information that you may access through the use of hot links contained in these materials and does
not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to
third-party Web pages.

AWS Community Day CPH - Three problems of Terraform
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

SAST for JavaScript: A Brief Overview of Commercial Tools

Evaluation and Assessment Approach

Evaluation:
• We used the most sensitive “default” configuration
(no SAP-specific template/filters)
• We used the same evaluation targets:
• library of JavaScript “challenges”
(own examples, test cases from IBM Research)
• three SAP applications of different size
(including one with server-side JavaScript using the XS Engine)

Assessment:
• Overall analysis:
• how many findings in total
• reported categories
• Detailed comparison for:
• XSS variants
• all findings of the two topmost priorities (high)
Result Overview (Test Library)

                        X     Z     Y
Scan duration (in s)    246   246   1147
Findings (all)          111   118   242
Findings (high)         52    80    119
True positives          +     +++   ++
False negatives         -     +     +

We also tested three SAP applications:
• Rather small (less than 100 kLoC)
• Scalability is not a (big) problem (nightly scans are acceptable)
• Identified many aspects currently missing in the test library

Observations:
• Only Z allows for
• modifying existing checks
• writing own checks
• Y and Z have a better understanding of core JavaScript (they are very close)
• X and Z each have one check that reports most of the findings (false positives)
• Z includes checks for
• use of outdated libraries (e.g., jQuery)
• RegExp injection / RegExp DoS
• X includes checking of J2EE configurations
• Y mainly reports OWASP Top Ten
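The evaluation method of the two preceding slides in miniature, as an added example that is not code from the slides or from any of the evaluated tools: a deliberately naive DOM-based XSS checker is scored against a constructed challenge library, and true positives, false positives and false negatives are counted the way the result table does. The names SOURCES, SINKS, scan, evaluate and CHALLENGES, and the challenge snippets themselves, are assumptions made for this example.

```javascript
// Added example, not code from the slides or from any of the evaluated tools.
// A deliberately naive "SAST" for DOM-based XSS is scored against a constructed
// challenge library the way the evaluation scores the commercial tools.
// The analysis is line-oriented and tracks taint by variable name only; the
// challenges are built to show where such an analysis is right, where it
// over-reports and where it misses.

const SOURCES = ['location.hash', 'location.search', 'document.URL', 'document.referrer'];
const SINKS = ['.innerHTML', '.outerHTML', 'document.write(', 'eval('];

const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Split a snippet into statements on ';' and line breaks (no real parser).
const statements = src => src.split(/[;\n]/).map(s => s.trim()).filter(Boolean);

// Recognise `x = ...`, `var x = ...`, `let x = ...`, `const x = ...` with a plain
// identifier on the left; member assignments are not tracked (a known limitation).
function parseAssignment(stmt) {
  const m = /^(?:var|let|const)?\s*([\w$]+)\s*=(?!=)\s*(.+)$/.exec(stmt);
  return m ? { lhs: m[1], rhs: m[2] } : null;
}

// Return findings {stmt, sink, source} for flows from a SOURCE into a SINK.
function scan(src) {
  const tainted = new Map();   // variable name -> originating source
  const findings = [];
  statements(src).forEach((stmt, i) => {
    const direct = SOURCES.find(s => stmt.includes(s));
    const viaVar = [...tainted.keys()].find(v => new RegExp(`\\b${escapeRe(v)}\\b`).test(stmt));
    const origin = direct || (viaVar && tainted.get(viaVar));
    if (!origin) return;                       // nothing tainted in this statement
    const sink = SINKS.find(k => stmt.includes(k));
    if (sink) { findings.push({ stmt: i + 1, sink, source: origin }); return; }
    const asg = parseAssignment(stmt);         // propagate taint to a plain variable
    if (asg) tainted.set(asg.lhs, origin);
  });
  return findings;
}

// Constructed challenge library: each entry records whether the snippet is
// actually vulnerable, so the checker's verdict can be graded.
const CHALLENGES = [
  { name: 'direct source to sink', vulnerable: true,
    code: `document.write(location.hash)` },
  { name: 'flow through a local variable', vulnerable: true,
    code: `var h = location.hash.substring(1);
           document.getElementById('out').innerHTML = h;` },
  { name: 'safe sink (textContent)', vulnerable: false,
    code: `var q = location.search;
           document.getElementById('out').textContent = q;` },
  { name: 'sanitised before the sink (escapeHtml assumed correct)', vulnerable: false,
    code: `var r = document.referrer;
           document.getElementById('out').innerHTML = escapeHtml(r);` },
  { name: 'flow through a function parameter', vulnerable: true,
    code: `function render(s) { document.body.innerHTML = s }
           render(location.search);` },
];

// Grade the checker: tp/fp/fn/tn counts plus a per-challenge verdict.
function evaluate(challenges) {
  const tally = { tp: 0, fp: 0, fn: 0, tn: 0, details: [] };
  for (const c of challenges) {
    const reported = scan(c.code).length > 0;
    const verdict = reported ? (c.vulnerable ? 'tp' : 'fp') : (c.vulnerable ? 'fn' : 'tn');
    tally[verdict] += 1;
    tally.details.push({ name: c.name, verdict });
  }
  return tally;
}

console.log(JSON.stringify(evaluate(CHALLENGES), null, 2));
```

The sanitised challenge is reported anyway (the checker knows nothing about sanitisers, so it produces the kind of single over-reporting check the slide mentions for X and Z), and the flow through a function parameter is missed (no interprocedural propagation), which is the shape of false negative that makes a challenge library worth more than raw finding counts.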
Conclusion and Outlook

• There is no good static analysis tool for JavaScript (applied) security available
• Static analyzers should be understood as frameworks (instead of off-the-shelf tools)
• JavaScript frameworks and the lack of modules create challenges as hard as those of core JavaScript itself
• Good benchmark/evaluation libraries (similar to SAMATE) are needed

Response from tool vendors:
• Unsatisfactory results confirmed
• Fourth tool currently under development

And finally:
• if you have questions (or want to discuss example libraries), please approach me
• if you want to see code examples, see my talk on Wednesday
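One illustration of treating an analyzer as a framework and writing an own check, which the result slide says only one of the evaluated tools allows, and of the RegExp DoS category that tool reports: the following is an added example, not code from the slides or from any vendor's product. It is a heuristic check that pulls regular expressions out of JavaScript source and flags the nested-quantifier shape behind catastrophic backtracking, such as /(a+)+$/. The function names (hasNestedQuantifier, findRegexes, checkSource) and the sample source are assumptions made for this example.

```javascript
// Added example, not from the slides or any vendor's product: a small "own
// check" for RegExp DoS. It flags a regex whose pattern applies an unbounded
// quantifier (*, +, {n,}) to a group that already contains a quantifier, the
// classic nested-quantifier shape that backtracks exponentially on
// non-matching input. Overlapping alternations such as (a|aa)+ are a second
// ReDoS shape that this heuristic does not cover.

// `pattern` is the regex source without the surrounding slashes. Escapes and
// character classes count as one atom; (?: (?= (?! prefixes are not quantifiers.
// {n} and {n,m} are treated like unbounded quantifiers, a conservative choice.
function hasNestedQuantifier(pattern) {
  const enclosing = [];   // "quantifier seen" flag of each enclosing group
  let seen = false;       // quantifier seen at the current nesting level
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }                   // escaped atom
    if (ch === '[') {                                      // character class atom
      i++;
      while (i < pattern.length && pattern[i] !== ']') { if (pattern[i] === '\\') i++; i++; }
      continue;
    }
    if (ch === '(') {
      enclosing.push(seen); seen = false;
      if (pattern[i + 1] === '?') i++;
      continue;
    }
    if (ch === ')') {
      const inner = seen;
      seen = enclosing.pop() || inner;   // a quantifier inside counts for the outer group too
      if (inner && /[*+{]/.test(pattern[i + 1] || '')) return true;
      continue;
    }
    if (ch === '*' || ch === '+' || ch === '{') {
      seen = true;
      if (ch === '{') while (i < pattern.length && pattern[i] !== '}') i++;
    }
  }
  return false;
}

// Extract regex literals and the first string argument of `new RegExp(...)`.
// Deliberately simple: no handling of the `/` division operator or of block
// comments, and string escapes are taken verbatim.
const LITERAL_RE = /\/((?:\\.|\[(?:\\.|[^\]\n])*\]|[^\/\\\n\[])+)\/[dgimsuyv]*/g;
const CTOR_RE = /new\s+RegExp\(\s*(["'])((?:\\.|(?!\1)[^\n])*)\1/g;

function findRegexes(src) {
  const found = [];
  for (const m of src.matchAll(LITERAL_RE)) found.push(m[1]);
  for (const m of src.matchAll(CTOR_RE)) found.push(m[2]);
  return found;
}

// The check proper: every regex in the source that has the flagged shape.
function checkSource(src) {
  return findRegexes(src).filter(hasNestedQuantifier);
}

// Constructed sample source with two harmless and two flagged patterns.
const SAMPLE_SOURCE = `
  var emailRe = /^[a-z0-9._]+@[a-z0-9.]+\\.[a-z]{2,}$/i;
  var trailing = /^(\\d+\\s?)*$/;
  var words = /^(?:foo|bar)+$/;
  var pathological = new RegExp("(a+)+$");
`;

console.log('flagged:', checkSource(SAMPLE_SOURCE));
```

The value of having such a check inside the analyzer rather than as a standalone script is that the tool already knows which string eventually reaches the RegExp constructor; the literal extractor above is the part a real analyzer replaces with its own parser and data flow.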
Bibliography

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014.
© 2014 SAP AG. All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.