Is there any IDE Plugins available to scan while coding?

There are tools like Fortify available which can be integrated with the IDE to scan the source code for security vulnerabilities. But what I expect is a plugin for an IDE like Eclipse, which should check for vulnerabilities while typing the code. (Probably, in the case of a Java program, for every semi-colon (;) it should check for the vulnerability.) It would be great if the tool recommends a fix on the go, so that the developer can fix the vulnerabilities just as they fix compilation issues in Eclipse. This would really reduce the developers' time a lot, compared to running a full scan of the code, checking vulnerabilities, fixing those and scanning the entire code base again.

Is there any such product available in the market already? If not, is it feasible to develop such a thing?

Upvotes: 0

Views: 1162

Answers (4)

Jitu Ranjan

Reputation: 21

Use OWASP IDE VulScanner https://plugins.jetbrains.com/plugin/21353-owasp-ide-vulscanner; this does incremental scans on your code and generates vulnerability reports for issues coming in due to third-party dependencies. Saves a lot of effort and cost from a security perspective.

Upvotes: 2

Cymru

Reputation: 11

Cigital.com: they have a plugin that works in a 'spell checker' mode. As you type it will highlight the vulnerable code, for example SQL injections, XSS and so on. It works very well and does not hog your machine's resources like other plugins.

Upvotes: 1

McGovernTheory

Reputation: 6672

You can also check out Ounce Labs and Coverity...

Upvotes: -1

Stefan Sveidqvist

Reputation: 3544

FindBugs can perhaps be made to work in a similar manner. I have set it to run every time I compile a new file, and it warns about some interesting potential bugs. The only plugin I know of that runs as you type is Checkstyle, so maybe there's a similar plugin that checks for security vulnerabilities?

Upvotes: 1
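As an added illustration of the "check on every semicolon" idea from the question and the spell-checker-style SQL injection highlighting described in Cymru's answer (this is not code from any of the products named on this page), here is a toy checker that re-scans a Java editor buffer statement by statement and attaches a suggested fix to each hit. The Java snippet, the list of taint sources (servlet parameter getters) and the list of SQL sinks (JDBC calls) are constructed assumptions for the demo.

```python
from __future__ import annotations
import re
from collections import namedtuple
# Constructed sample buffer: one SQL-injection sink and one safe PreparedStatement.
SAMPLE_JAVA = """
String name = request.getParameter("name");
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
ps.setString(1, name);
"""
# Servlet calls that return attacker-controlled strings, and JDBC calls that run SQL.
TAINT_ASSIGN = re.compile(r"\b(?:String\s+)?(\w+)\s*=\s*[^;]*?\b(?:getParameter|getHeader|getQueryString)\s*\(")
SQL_SINK = re.compile(r"\b(?:executeQuery|executeUpdate|execute|prepareStatement)\s*\(")
# line = first line of the statement, where the IDE would put its marker and quick-fix
Finding = namedtuple("Finding", "line rule message fix")

def split_statements(source: str) -> list[tuple[int, str]]:
    """Split the buffer into ';'-terminated statements tagged with their start line
    (the 'check on every semicolon' granularity). Toy parser: ignores string literals."""
    stmts, buf, line, start = [], [], 1, 1
    for ch in source:
        if not buf and ch.isspace():   # whitespace between statements
            line += ch == "\n"
            continue
        if not buf:
            start = line
        buf.append(ch)
        line += ch == "\n"
        if ch == ";":
            stmts.append((start, "".join(buf)))
            buf = []
    return stmts

def scan(source: str) -> list[Finding]:
    """Re-run on every ';': flag SQL sinks whose query text concatenates a tainted variable."""
    tainted, findings = set(), []
    for line, stmt in split_statements(source):
        if m := TAINT_ASSIGN.search(stmt):
            tainted.add(m.group(1))    # this variable now holds untrusted input
        sink = SQL_SINK.search(stmt)
        arg = stmt[sink.end():] if sink else ""   # text inside the sink's parentheses
        for var in tainted:
            if re.search(r"\+\s*%s\b|\b%s\s*\+" % ((re.escape(var),) * 2), arg):
                findings.append(Finding(line, "SQLI", f"query concatenates untrusted '{var}'",
                                        "bind it with PreparedStatement and a '?' placeholder"))
                break
    return findings
```

Running `scan(SAMPLE_JAVA)` reports only line 4 (the concatenated `executeQuery`); the `prepareStatement` with a `?` placeholder on line 5 passes, which is the shape of the quick-fix the question asks for.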
