GrammaTech CodeSonar SAST to help customers ‘shift left’ and develop more secure software

GrammaTech announced a new version of its CodeSonar SAST (static application security testing) product that helps developers build safer and more secure code without disrupting workflows.

CodeSonar 6.0 features visualization and analysis enhancements, GitLab integration as well as additional language and compiler support requested by 500 plus GrammaTech customers to support their transition to DevSecOps practices.

“Fundamentally, development teams need to be onboard, trained, equipped and motivated to do secure development (sometimes referred to as DevSecOps).

“The design approach should include basic coding standards that help developers avoid building apps with exploitable bugs and operational vulnerabilities,” said Steve Lipner, executive director of SAFECode, a global nonprofit organization that brings business leaders and technical experts together to exchange insights and ideas on creating, improving and promoting scalable and effective software security programs.

New capabilities in CodeSonar 6.0 make it easier for developers to avoid security and safety defects by automating the detection of problems and identifying best practice violations within their development environments.

Providing SAST embedded in continuous integration/continuous delivery (CI/CD) pipelines is a critical component for shifting left and baking security into DevOps workflows.

Several key enhancements in CodeSonar

Visualization

• Integrated visual representation of selected code for improved remediation of defects, eliminating the need for a separate developer interface
• Built in detection, alerts and reporting of Top 10 OWASP risks

Analysis

• Increased granularity of CWE (Common Weakness Enumeration) vulnerabilities including format string type checking to facilitate communication on threats between developers and security team
• Code security and quality testing for both Android 11 based applications and the base operating environment which extends CodeSonar security to the Android platform

Languages

• Unification of Java, C and C++ testing in a single interface to eliminate workflow interruptions
• Support for 20 new C++ language features that enables customers to seamlessly extend security when new libraries and frameworks are adopted. These include spaceship operator, const init and concepts

Compiler Models

• Updated support for GCC, IAR and Clang 10 compliers, and new support for Arm Clang compiler

“Reflecting the market in general, our customers are moving from post-build testing to making security an integral part of their development processes,” said Vince Arneja, Chief Product Officer for GrammaTech.

“This latest release of CodeSonar builds on our powerful static analysis capabilities to detect potential vulnerabilities, while making it infinitely easier to integrate SAST within DevOps pipelines without interrupting or slowing down developers.”