AUSTIN, TX – August 18, 2021. Praetorian announces the availability of its open source SAST product GoKart, available now on GitHub.
Nathan Sportsman, CEO at Praetorian, points to the problem of noise in many of today’s security scanning software alternatives. “Software Engineers are under pressure to deliver innovation at unprecedented speed, so engineers can’t afford to be slowed down,” says Sportsman. “With GoKart, Go developers will see significantly fewer false positives and false negatives, which means less time worrying about security and more time shipping code.”
GoKart puts Go code into single static assignment (SSA) form, structuring every value computed by the program as an assignment to a unique variable. SSA is used in compilers for optimization, and in a security context it helps trace the source of data used as input. Being able to follow data as it flows through a program, weaving in and out of objects and modules, is one of GoKart’s primary features, and what makes GoKart so powerful.
One of the major benefits the SSA format brings is the ability to perform taint tracking. Taint tracking is the process of identifying input sources that could be controlled by an outside party and tracing how that input data is handled as it moves through the program. GoKart applies taint tracking by finding calls to functions that generally should not be fed user-controllable data and then backtracking to find where their arguments come from. It reports a security issue if it finds that a malicious user could potentially cause a vulnerability along that path.
GoKart contains a customizable list of input sources and vulnerable sinks, and because it does taint tracking, it can show exactly where in the code a vulnerable input source is fed into the application. Taint tracking not only greatly reduces the false positive rate of static analysis but also makes remediation much easier, since developers can quickly see the path the tainted data travelled.
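To make the sink-to-source backtracking described above concrete, here is a small added illustration (not GoKart's own code) of taint tracking over a toy SSA instruction list; the instruction format, the source and sink names and the sample program are constructed placeholders standing in for GoKart's real SSA and its configurable lists.

```go
package main

// Instr is one SSA-style assignment Result = Op(Args...); every value is defined once.
type Instr struct {
	Result, Op string   // defined value; called function or operation
	Args       []string // operand value names
}

// Placeholder source and sink lists, standing in for GoKart's customizable ones.
var sources, sinks = map[string]bool{"http.FormValue": true}, map[string]bool{"exec.Command": true}

// backtrack returns the def-use chain (source first) from the first source v derives from, or nil.
func backtrack(defs map[string]Instr, v string, seen map[string]bool) []string {
	ins, ok := defs[v]
	if seen[v] || !ok { // already explored (phi loops), or a constant/parameter with no definition
		return nil
	}
	seen[v] = true
	if sources[ins.Op] {
		return []string{v}
	}
	for _, a := range ins.Args {
		if p := backtrack(defs, a, seen); p != nil {
			return append(p, v)
		}
	}
	return nil
}

// FindTaintedSinks maps each sink call with a source-derived argument to its source-to-sink chain.
func FindTaintedSinks(prog []Instr) map[string][]string {
	defs, out := map[string]Instr{}, map[string][]string{}
	for _, ins := range prog {
		defs[ins.Result] = ins
	}
	for _, ins := range prog {
		for i := 0; sinks[ins.Op] && i < len(ins.Args) && out[ins.Result] == nil; i++ {
			if p := backtrack(defs, ins.Args[i], map[string]bool{}); p != nil {
				out[ins.Result] = append(p, ins.Result)
			}
		}
	}
	return out
}

// Constructed SSA program: t2 = exec.Command("ls " + r.FormValue("name")) is tainted; t3 = exec.Command("date") is clean.
var Program = []Instr{
	{"t0", "http.FormValue", []string{"r", "c_name"}}, {"t1", "concat", []string{"c_ls", "t0"}},
	{"t2", "exec.Command", []string{"t1"}}, {"t3", "exec.Command", []string{"c_date"}},
}
```

Running FindTaintedSinks over Program reports only t2, with the chain t0 -> t1 -> t2, which is the path a developer would follow to remediate the finding.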
Because GoKart is open source, Praetorian welcomes anyone who wishes to be involved in the project. “Open source has been a boon for modern computing, but has not fulfilled its promise with respect to security solutions,” said Dr. Richard Ford, Praetorian’s Chief Technology Officer. “Praetorian wants to help address that, and GoKart represents another step toward our goal of making highly-competitive security solutions available freely. It’s part of the thinking behind our Chariot product, which provides free integrations for companies looking to engage with the best open source SAST tools available.”
GoKart can be found on GitHub, where pull requests and new ideas are always welcome. In addition, Praetorian is hiring for open source and other developer positions. Visit praetorian.com for more information.