Secure Source Code Analysis tools :
are designed to analyze source code and/or
compiled version of code in order to help find security flaws. Ideally,
such tools would automatically find security flaws with a high degree of
confidence that what is found is indeed a flaw.
Throughout the SDLC there are points at which an application security
consultant should get involved. Performing security activities across
the lifecycle has proven to be far more cost-effective than either a
“big design up front” security effort or a single pre-production
security review. The reason for intervening at regular intervals is
that potential issues can be detected early on in the development life
cycle where they are less costly to address.
Integration of security code review into the System Development
Life Cycle (SDLC) can yield dramatic results to the overall quality of
the code developed. Security code review is not a silver bullet, but is
part of a healthy application development diet. Consider it as one of
the layers in a defense-in-depth approach to application security.
Security code review is also a cornerstone of the approach to developing
secure software. The idea of integrating a phase into your SLDC may
sound daunting, yet another layer of complexity or an additional cost,
but in the long term and in today's cyber landscape it is cost
effective, reputation building, and in the best interest of any business
to do so.
Waterfall SDLC Example
- Requirements definition
- Application Security Requirements
- Architecture and Design
- Application Security Architecture and/or Threat Model
- Development
- Secure Coding Practices
- Security Testing
- Security Code Review
- Test
- Penetration Testing
- Deployment
- Secure Configuration Management
- Secure Deployment
- Maintenance
Agile Security Methodology Example
- Planning
- Identify Security Stakeholder Stories
- Identify Security Controls
- Identify Security Test Cases
- Sprints
- Secure Coding
- Security Test Cases
- Peer Review with Security
- Deployment
- Security Verification (with Penetration Testing and Security Code Review).
LAPSE Project By OWASP :
is an initiative to make available to developers
and auditors a tool for detecting vulnerabilities in Java EE
Applications. The project aims to put at their disposal a tool based on the static analysis of code, due to the
importance and difficulty of this type of analysis to detect security
flaws in Java EE Applications.
LAPSE+ is a security scanner for detecting vulnerabilities of
untrusted data injection in Java EE Applications. It has been developed
as a plugin for Eclipse Java Development Environment, working
specifically with Eclipse Helios and Java 1.6 or higher
Vulnerabilities detected by LAPSE+ are related to the
injection of untrusted data to manipulate the behavior of the
application. This type of vulnerabilities are the most common in web
applications. The vulnerability categories detected by LAPSE+ are
enumerated below:
- Parameter Tampering.
- URL Tampering.
- Header Manipulation.
- Cookie Poisoning.
- SQL Injection.
- Cross-site Scripting (XSS).
- HTTP Response Splitting.
- Command Injection.
- Path Traversal.
- XPath Injection.
- XML Injection.
- LDAP Injection.
You can download LAPSE+ and its tutorial in the following links:
O2 platform Project By OWASP :
is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
O2
can also be a very powerful prototyping and fast-development tool for
.NET. Most O2 APIs are written using a Fluent API design, and its core
has been published as a separate project called FluentSharp (hosted at CodePlex).
Which looks like below Snapshot :
Install VisualStudio Extension
O2 Platform is also available as a VisualStudio Extension which you can download from VisualStudio Gallery (see
VisualStudio C# REPL - O2 Platform) or directly using VisualStudio's Extension Manager:
Download Stand-Alone Application
You can run all O2 Tools and Scripts using the stand-alone executable which you can download from:
O2 Platform - Main O2 Gui v5.3.exe
FxCop :
is an application that analyzes managed code assemblies (code that
targets the .NET Framework common language runtime) and reports
information about the assemblies, such as possible design, localization,
performance, and security improvements.
FxCop is a code analysis tool that checks .NET managed code assemblies
for conformance to the Microsoft .NET Framework Design Guidelines. It
uses MSIL parsing, and callgraph analysis to inspect assemblies for more
than 200 defects in the following areas:
- Library design
- Globalization
- Naming conventions
- Performance
- Interoperability and portability
- Security
- Usage
FxCop includes both GUI and command line versions of the tool and supports analyzing .NET 1.x, .NET 2.0 and .NET 3.x components.
FxCop is intended for class library developers. However, anyone
creating applications that should comply with the .NET Framework best
practices will benefit. FxCop is also useful as an educational tool for
people who are new to the .NET Framework or who are unfamiliar with the
.NET Framework Design Guidelines.
FxCop is designed to be fully
integrated into the software development cycle and is distributed as
both a fully featured application that has a graphical user interface
(FxCop.exe) for interactive work, and a command-line tool (FxCopCmd.exe)
suited for use as part of automated build processes or integrated with
Microsoft Visual Studio® .NET as an external tool.
Download Link :
http://archive.msdn.microsoft.com/codeanalysis/Release/ProjectReleases.aspx?ReleaseId=553
Rough Auditing Tool for Security (RATS) :
a rough auditing tool for security, originally developed by Secure
Software Inc. It is a tool for scanning C, C++, Perl, PHP, Python (and
soon Ruby) source code and flagging common security related programming
errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use)
race conditions.
As its name implies, the tool performs only a rough
analysis of source code. It will not find every error and will also
find things that are not errors. Manual inspection of your code is
still necessary, but greatly aided with this tool.
Download Link :
http://code.google.com/p/rough-auditing-tool-for-security/downloads/list
Splint :
is a tool for statically checking
C programs for security
vulnerabilities and coding mistakes. With minimal effort, Splint can be
used as a better lint. If additional effort is invested adding
annotations to programs, Splint can perform stronger checking than can
be done by any standard lint
Splint Manual
:
A comprehensive guide to using Splint. [
HTML] [
PS] [
PDF]
Download :
http://www.splint.org/download.html
Yasca:
is a source code analysis tool that I started writing in 2007. It could best be described as a
"glorified grep script" plus an aggregator of other open-source tools.
Yasca is an open source program which looks for security
vulnerabilities, code-quality, performance, and conformance to best
practices in program source code, integrating with other open-source
tools as needed.
Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET,
and other languages. Yasca can integrate easily with other tools, including:
- FindBugs
- PMD
- JLint
- JavaScript Lint
- PHPLint
- CppCheck
- ClamAV
- RATS
- Pixy
Yasca is designed to be very flexible and easy to extend. In fact, writing a new rule is as easy as
coming up with a regular expression, the file extensions it applies to, and the name of your new rule.
Place that information in a text file in the plugin directory, and run Yasca!
Yasca has been migrated to Github, and is available at
http://scovetta.github.com/yasca and
http://github.com/scovetta/yasca.
Download Link :
http://sourceforge.net/projects/yasca/
RIPS :
is a static source code analyser for vulnerabilities in PHP webapplications. It was released during the Month of PHP Security.
- detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more
- 5 verbosity levels for debugging your scan results
- mark vulnerable lines in source code viewer
- highlight variables in the code viewer
- user-defined function code by mouse-over on detected call
- active jumping between function declaration and calls
- list
of all user-defined functions (defines and calls), program entry points
(user input) and scanned files (with includes) connected to the source
code viewer
- graph visualization for files and includes as well as functions and calls
- create CURL exploits for detected vulnerabilties with few clicks
- visualization, description, example, PoC, patch and securing function list for every vulnerability
- 7 different syntax highlighting colour schemata
- display scan result in form of a top-down flow or bottom-up trace
- only minimal requirement is a local webserver with PHP and a browser (tested with Firefox)
- regex search function
Download Link :
http://sourceforge.net/projects/rips-scanner/files/latest/download
Agnitio :
A tool to help developers and security professionals conduct manual
security code reviews in a consistent and repeatable way. Agnitio aims
to replace the adhoc nature of manual security code review
documentation, create an audit trail and reporting.
- Security code reviews
- Security code review metrics and reporting
- Application security code review tool
- Static analysis security guidance and reporting
Download Link :
http://sourceforge.net/projects/agnitiotool/files/latest/download
Thanks,
RRN Technologies Team.
