Sparrow analyzes source code with a robust static analysis engine that uses a deep semantic method to find vulnerabilities that other tools can’t. It detects security vulnerabilities such as buffer overruns, SQL injection, cross-site scripting, information leakage, TOCTOU race conditions and hardcoded passwords. It also detects run-time errors such as memory/resource leaks, null dereferences, uninitialized variables, division by zero, use after free and integer overflow. People choose Sparrow because it uncovers critical and relevant vulnerabilities during the early stages of the Software Development Life Cycle (SDLC).

Sparrow is popular with government agencies, corporations and anyone developing embedded software that requires a very high level of software quality. The Static Application Security Testing (SAST) version of Sparrow is also used by the government and financial industries, which aim to eliminate all security weaknesses from their source code.


Static Application Security Testing (SAST) tool with...

ACTIVE SUGGESTION
Sparrow can be deployed in both the development and testing phases of the SDLC. As a SAST tool, Sparrow provides developers and security/quality managers with the ability to accurately identify software vulnerabilities, remediate code using ACTIVE SUGGESTION, enforce project-based rules for developers and customize policies according to project requirements. Currently no other solution has a feature similar to ACTIVE SUGGESTION, which provides code suggestions to easily fix the vulnerabilities in your software.

Intelligent Alarm Clustering
Sparrow's Intelligent Alarm Clustering groups related vulnerabilities in the source code under a unique ID, so a developer can review results and address vulnerabilities more quickly and easily throughout the SDLC. Intelligent Alarm Clustering reduces review time because there are fewer alarms to review, and it reduces fix time because the clustered vulnerabilities can be remediated in order instead of going back and forth.

Advanced Issue Filtering
Sparrow provides Advanced Issue Filtering, which analyzes the characteristics of issues and eliminates errors without having to analyze them over and over again each time.

Static analysis tool based on a deep semantic method with the best technology
The semantic approach allows Sparrow to follow all possible execution scenarios rather than focusing on discovering particular patterns, which makes it more exhaustive than other tools. In addition to the semantic tools, Sparrow also uses syntactic tools to quickly find shallow bugs based on fixed patterns. Sparrow balances the depth of its bug detection coverage with a reasonable analysis cost.

Development process linked to the highest academic research
Sparrow is similar to other analysis tools that derived their research and product toolsets from prestigious universities like Stanford University and the University of Wisconsin. These tools have gained great respect and success in the marketplace for their technological research. Sparrow's semantic-based static analysis tool was developed through a joint research program with the prestigious Seoul National University. With six years in research and another five years for commercialization, Sparrow has been proven not only technically but also in its marketability. Fasoo continues to work with Seoul National University to improve Sparrow and develop new programs to strengthen the overall source code analysis market.

Active support for correcting flaws in source code
Sparrow offers a web-based user interface that links between source pages, helping the user quickly navigate source code to verify alarms. Detected bugs can be corrected promptly using an error analysis report and a detailed analysis guide. Related examples and information about each defect can be confirmed and explained through CWE, CERT, OWASP, HIS, HICPP, MISRA and more.
  • CWE: A Community-Developed Dictionary of Software Weakness Types
  • CERT: Computer Emergency Response Team for Internet Security Incidents
  • OWASP: Open Web Application Security Project


Flexible deployment and operation
All ongoing projects are managed on the server through the web-based integrated management system, which provides helpful resources to configure a safe collaborative system and to operate efficiently for large-scale projects. No matter the development environment, organizations can use Sparrow without restriction on where the analysis engine is installed, whether on a server or on a user’s PC.


[Award] Gold Winner in the Vulnerability Assessment, Remediation and Management category at the 2014 Info Security Products Guide's Global Excellence Awards

[Certification] SGS TUV SAAR - Certified for products in accordance with ISO 26262

[Korean Patent] Memory Leak Detecting Apparatus and Method thereof (Patent No. 100965426)