Thursday, September 26, 2013

Best Secure Source Code Analysis Tools

Secure Source Code Analysis tools :

                                                are designed to analyze source code and/or compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw.

                                             Throughout the SDLC there are points at which an application security consultant should get involved. Performing security activities across the lifecycle has proven to be  far more cost-effective than either a “big design up front” security effort or a single pre-production security review. The reason for intervening at regular intervals is that potential issues can be   detected early on in the development life cycle where they are less costly to address. 

                                               Integration of security code review into the System Development Life Cycle (SDLC) can yield dramatic results to the overall quality of the code developed. Security code review is not a silver bullet, but is part of a healthy application development diet. Consider it as one of the layers in a defense-in-depth approach to application security. Security code review is also a cornerstone of the approach to developing secure software. The idea of integrating a phase into your SLDC may sound daunting, yet another layer of complexity or an additional cost, but in the long term and in today's cyber landscape it is cost effective, reputation building, and in the best interest of any business to do so.

Waterfall SDLC Example
  1. Requirements definition
    1. Application Security Requirements
  2. Architecture and Design
    1. Application Security Architecture and/or Threat Model
  3. Development
    1. Secure Coding Practices
    2. Security Testing
    3. Security Code Review
  4. Test
    1. Penetration Testing
  5. Deployment
    1. Secure Configuration Management
    2. Secure Deployment
  6. Maintenance

Agile Security Methodology Example
  1. Planning
    1. Identify Security Stakeholder Stories
    2. Identify Security Controls
    3. Identify Security Test Cases
  2. Sprints
    1. Secure Coding
    2. Security Test Cases
    3. Peer Review with Security
  3. Deployment
    1. Security Verification (with Penetration Testing and Security Code Review).
    LAPSE Project By OWASP :
                                  is an initiative to make available to developers and auditors a tool for detecting vulnerabilities in Java EE Applications. The project aims to put at their disposal a tool based on the static analysis of code, due to the importance and difficulty of this type of analysis to detect security flaws in Java EE Applications.

                                     LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher

                                       Vulnerabilities detected by LAPSE+ are related to the injection of untrusted data to manipulate the behavior of the application. This type of vulnerabilities are the most common in web applications. The vulnerability categories detected by LAPSE+ are enumerated below:


    • Parameter Tampering.
    • URL Tampering.
    • Header Manipulation.
    • Cookie Poisoning.
    • SQL Injection.
    • Cross-site Scripting (XSS).
    • HTTP Response Splitting.
    • Command Injection.
    • Path Traversal.
    • XPath Injection.
    • XML Injection.
    • LDAP Injection.

    You can download LAPSE+ and its tutorial in the following links:



    O2 platform Project By OWASP :
                      
                                is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.

                                O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex).


Which looks like below Snapshot :


Install VisualStudio Extension

                          O2 Platform is also available as a VisualStudio Extension which you can download from VisualStudio Gallery (see VisualStudio C# REPL - O2 Platform) or directly using VisualStudio's Extension Manager:

Download Stand-Alone Application

You can run all O2 Tools and Scripts using the stand-alone executable which you can download from:

O2 Platform - Main O2 Gui v5.3.exe

FxCop :

           is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.

            FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses MSIL parsing, and callgraph analysis to inspect assemblies for more than 200 defects in the following areas:
  • Library design
  • Globalization
  • Naming conventions
  • Performance
  • Interoperability and portability
  • Security
  • Usage

                          FxCop includes both GUI and command line versions of the tool and supports analyzing .NET 1.x, .NET 2.0 and .NET 3.x components.


            
          FxCop is intended for class library developers. However, anyone creating applications that should comply with the .NET Framework best practices will benefit. FxCop is also useful as an educational tool for people who are new to the .NET Framework or who are unfamiliar with the .NET Framework Design Guidelines.

          FxCop is designed to be fully integrated into the software development cycle and is distributed as both a fully featured application that has a graphical user interface (FxCop.exe) for interactive work, and a command-line tool (FxCopCmd.exe) suited for use as part of automated build processes or integrated with Microsoft Visual Studio® .NET as an external tool.

Download Link : http://archive.msdn.microsoft.com/codeanalysis/Release/ProjectReleases.aspx?ReleaseId=553

Rough Auditing Tool for Security (RATS)  :

                         a rough auditing tool for security, originally developed by Secure Software Inc. It is a tool for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. 


As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Download Link : http://code.google.com/p/rough-auditing-tool-for-security/downloads/list

Splint :

            is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint
Splint Manual :
              A comprehensive guide to using Splint. [HTML] [PS] [PDF]

Download :
              http://www.splint.org/download.html

Yasca:

           is a source code analysis tool that I started writing in 2007. It could best be described as a "glorified grep script" plus an aggregator of other open-source tools. 

           Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code, integrating with other open-source tools as needed.

          Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages. Yasca can integrate easily with other tools, including:
  • FindBugs
  • PMD
  • JLint
  • JavaScript Lint
  • PHPLint
  • CppCheck
  • ClamAV
  • RATS
  • Pixy
            Yasca is designed to be very flexible and easy to extend. In fact, writing a new rule is as easy as coming up with a regular expression, the file extensions it applies to, and the name of your new rule. Place that information in a text file in the plugin directory, and run Yasca!

            Yasca has been migrated to Github, and is available at http://scovetta.github.com/yasca and http://github.com/scovetta/yasca.

Download Link : http://sourceforge.net/projects/yasca/

RIPS :

        is a static source code analyser for vulnerabilities in PHP webapplications. It was released during the Month of PHP Security.


Features

  • detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more
  • 5 verbosity levels for debugging your scan results
  • mark vulnerable lines in source code viewer
  • highlight variables in the code viewer
  • user-defined function code by mouse-over on detected call
  • active jumping between function declaration and calls
  • list of all user-defined functions (defines and calls), program entry points (user input) and scanned files (with includes) connected to the source code viewer
  • graph visualization for files and includes as well as functions and calls
  • create CURL exploits for detected vulnerabilties with few clicks
  • visualization, description, example, PoC, patch and securing function list for every vulnerability
  • 7 different syntax highlighting colour schemata
  • display scan result in form of a top-down flow or bottom-up trace
  • only minimal requirement is a local webserver with PHP and a browser (tested with Firefox)
  • regex search function
 Download Link : http://sourceforge.net/projects/rips-scanner/files/latest/download

Agnitio :

             A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.




Features

  • Security code reviews
  • Security code review metrics and reporting
  • Application security code review tool
  • Static analysis security guidance and reporting




Download Link : http://sourceforge.net/projects/agnitiotool/files/latest/download

Thanks,

RRN Technologies Team.




4 comments:

  1. Too Stressed ??
    Money can bring the "Peace" in your "soul"!!
    Your life can 'Recover'!!
    Get this 100% free method, Which will earn money for you by using PayPal Hack tool and earn UP TO 500$ ADDING EVERY 5 HOURS.TOTALLY UNTRACEABLE!!!!!!!!!!!!!!!!!!!!!!
    So Download the Tool......
    Paypal Account Hack
    Paypal Money Adder
    Paypal Money Generate
    Paypal Money Hack

    ReplyDelete
  2. It has a very well defined objective and a tight set of constraints. Building something new starting with a blank page has neither of those and thus a much larger space to explore. Note that this is not meant as a value statement but rather to point out that these are IMHO fundamentally different activities that require a different mindset.
    secure code analysis

    ReplyDelete
  3. New Diet Taps into Pioneering Plan to Help Dieters LOSE 15 Pounds within Only 21 Days!

    ReplyDelete
  4. hmmm, it quite impressive description thanks for sharing the information.

    ISO certification companies in india

    ReplyDelete

Open source Tools for Live Meeting(Web Conferencing)

posts. Guys the most of you find these posts a valuable resource for the e-Learning community. As a result, the following post is Free and Open Source Web Conferencing (Online Meetings, Webinars) Tools for e-Learning.




The following list contains free and open source Web Conferencing tools that are n't in particular order.



Also, you should be sure that the e-Learning community will highly appreciate:

  1. if you post a comment with your experience with these tools and/or,

  2. if you post a comment with a link to any other free and open source Web Conferencing tool.

We support Free eLearning! Do you?



I support Free eLearning




BigBluebutton* is built for Higher Education. It enables universities and colleges to deliver a high-quality learning experience to remote students. BigBlueButton is an active open source project that focuses on usability, modularity, and clean design -- both for the user and the developer. The project is hosted at Google Code. BigBlueButton is built by combining over fourteen open source components.



*note: Epignosis has created a module that provides integration of BigBlueButton conferencing in eFront Open Source Learning Management System. BigBlueButton is a free web-conferencing tool with text chat, audio and video capabilites, a virtual whiteboard and many more presentation and conferencing features.




OpenMeetings is a free browser-based software that allows you to set up instantly a conference in the Web. You can use your microphone or webcam, share documents on a white board, share your screen or record meetings. It is available as hosted service or you download and install a package on your server with no limitations in usage or users.



OpenMeetings Key Features Mini Demo





Mikogo is a free desktop sharing tool full of features to assist you in conducting the perfect online meeting or web conference. Take advantage of the opportunity to share any screen content or application over the Internet in true color quality with up to 10 participants simultaneously, while still sitting at your desk.












Yugma free web conferencing allows anyone, anywhere to instantly share their desktop and ideas online with others. To start hosting your own meetings you have to sign up for FREE. Your Yugma Free web conferencing account allows you to invite up to 20 attendees







Using WebHuddle, you have options and flexibility. Meetings can be conducted either in conjunction with an enterprise’s existing teleconferencing service, or utilizing WebHuddle’s optional voice over IP. WebHuddle also offers recording capabilities -- presentations can easily be recorded for playback over any web browser for those who missed the live meeting.










With Vyew you can give a presentation to a hundred people online or post a document you've been working on for review by your colleagues at the convenience. Vyew is extremely flexible alloying you to bring online collaboration and conferencing into your workflow on your terms.









Dimdim delivers synchronized live presentations, whiteboards and web pages while sharing your voice and video over the Internet - with no download. With the Free edition you can get 10 person meetings, 1 way video, standard support, Dimdim branded rooms, and public meetings.



*note: Epignosis has created a module that provides integration of Dimdim conferencing in eFront  Open Source Learning Management System.




Adobe® ConnectNow is a great way to share ideas, discuss details, and complete work with others all online. Reduce travel costs, save time, and increase productivity with a web conferencing solution that's easy to access and simple to use. ConnectNow operates inside a web browser. There's no installation required, so getting started is easy and Free