Web Application Code Auditing with SWAAT

September 7, 2006

Security Compass Web Application Auditing Tool (SWAAT) is a free static web application source code analysis tool, primarily designed to help developers diagnose and locate potentially dangerous portions of source code that could be exploited by attackers and lead to security breaches in your application.

Unlike run-time analysis tools that attempt to identify security vulnerabilities from the hacker’s perspective, the aim of SWAAT is to assist in the process of code review. SWAAT helps identify potential security risks by pointing out potentially dangerous code and explaining the risk behind it. This approach, combined with developer training, can help developers code more securely.

SWAAT searches through source code and compares it against a database of potentially dangerous strings defined in XML files. It flags the use of functions, strings, or SQL constructs that could lead to security vulnerabilities. Every potentially dangerous code reference is included in the output report.

Although SWAAT ships with an extensive database of security signatures, it also lets you add your own. This feature allows you to tailor SWAAT to your security needs and fit it smoothly into your development environment.
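To make the two previous paragraphs concrete, here is an added example (not SWAAT's own code, and not its real XML schema) of the signature-driven approach they describe: a small XML signature database, including a custom signature, is loaded, a PHP snippet is scanned line by line, and each hit is reported together with the explanation of its risk. The element and attribute names, the signatures, and the PHP sample are all constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed signature database. Element names and attributes are assumed for
# this example; they are not SWAAT's actual XML schema.
SIGNATURES_XML = r"""<signatures>
  <signature id="php-eval" language="php" severity="high" pattern="\beval\s*\(">
    eval() runs a string as code; attacker-controlled input reaching it is code execution.
  </signature>
  <signature id="sql-concat" language="php" severity="medium" pattern="mysql_query\s*\(.*\.\s*\$">
    SQL assembled by concatenating variables is a SQL injection candidate.
  </signature>
  <signature id="generic-password" language="any" severity="low" pattern="(?i)password">
    Generic indicator: check how credentials are stored and compared.
  </signature>
</signatures>"""

def load_signatures(xml_text):
    # A custom signature file would be parsed the same way; regexes are compiled once.
    return [{"id": el.get("id"), "language": el.get("language", "any"),
             "severity": el.get("severity", "medium"),
             "pattern": re.compile(el.get("pattern")), "risk": el.text.strip()}
            for el in ET.fromstring(xml_text).findall("signature")]

def scan_source(source, language, signatures):
    # One finding per (line, signature) hit; "any" signatures apply to every language.
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for sig in signatures:
            if sig["language"] in ("any", language) and sig["pattern"].search(line):
                findings.append({"line": lineno, "id": sig["id"], "severity": sig["severity"],
                                 "risk": sig["risk"], "code": line.strip()})
    return findings

def format_report(findings):
    # The report pairs each flagged line with the explanation of its risk.
    return "\n".join(f"line {f['line']} [{f['severity']}] {f['id']}: {f['code']}\n    risk: {f['risk']}"
                     for f in findings)

# Constructed PHP snippet containing the patterns above.
SAMPLE_PHP = """<?php
$user = $_GET['user'];
$result = mysql_query("SELECT * FROM users WHERE name='" . $user . "'");
$password = $_POST['password'];
eval($_GET['cmd']);
"""

if __name__ == "__main__":
    print(format_report(scan_source(SAMPLE_PHP, "php", load_signatures(SIGNATURES_XML))))
```

Scanning the same file as "java" keeps only the generic "password" hit, which is the behaviour the article describes for platforms SWAAT does not specifically support.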

SWAAT works on Java, JSP, ASP.NET, and PHP. It also searches for generic indicators such as “SQL” and “Password”, so it may provide some value on other platforms.

