Secure Source Code Analysis tools :
are designed to analyze source code and/or compiled versions of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw.
Throughout the SDLC there are points at which an application security consultant should get involved. Performing security activities across the lifecycle has proven to be far more cost-effective than either a “big design up front” security effort or a single pre-production security review. The reason for intervening at regular intervals is that potential issues can be detected early in the development life cycle, where they are less costly to address.
Waterfall SDLC Example
- Requirements definition
  - Application Security Requirements
- Architecture and Design
  - Application Security Architecture and/or Threat Model
- Development
  - Secure Coding Practices
  - Security Testing
  - Security Code Review
- Test
  - Penetration Testing
- Deployment
  - Secure Configuration Management
  - Secure Deployment
- Maintenance
Agile Security Methodology Example
- Planning
  - Identify Security Stakeholder Stories
  - Identify Security Controls
  - Identify Security Test Cases
- Sprints
  - Secure Coding
  - Security Test Cases
  - Peer Review with Security
- Deployment
  - Security Verification (with Penetration Testing and Security Code Review).
LAPSE+ Project By OWASP :
is an initiative to make available to developers and auditors a tool for detecting vulnerabilities in Java EE Applications. The project aims to put at their disposal a tool based on static analysis of code, given the importance and difficulty of this type of analysis for detecting security flaws in Java EE Applications.
LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for the Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher.
Vulnerabilities detected by LAPSE+ are related to the injection of untrusted data to manipulate the behavior of the application. This type of vulnerability is the most common in web applications. The vulnerability categories detected by LAPSE+ are enumerated below:
- Parameter Tampering.
- URL Tampering.
- Header Manipulation.
- Cookie Poisoning.
- SQL Injection.
- Cross-site Scripting (XSS).
- HTTP Response Splitting.
- Command Injection.
- Path Traversal.
- XPath Injection.
- XML Injection.
- LDAP Injection.
You can download LAPSE+ and its tutorial from the following links:
- LapsePlus_2.8.1.jar - LAPSE+ 2.8.1 plugin for Eclipse Helios.
- LapsePlus_Tutorial.pdf - Tutorial for the installation and use of LAPSE+.
O2 platform Project By OWASP :
is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.
O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex).
Install VisualStudio Extension
O2 Platform is also available as a VisualStudio Extension which you can download from the VisualStudio Gallery (see VisualStudio C# REPL - O2 Platform) or directly using VisualStudio's Extension Manager.
Download Stand-Alone Application
O2 Platform - Main O2 Gui v5.3.exe
FxCop :
is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses MSIL parsing and callgraph analysis to inspect assemblies for more than 200 defects in the following areas:
- Library design
- Globalization
- Naming conventions
- Performance
- Interoperability and portability
- Security
- Usage
FxCop includes both GUI and command line versions of the tool and supports analyzing .NET 1.x, .NET 2.0 and .NET 3.x components.
FxCop is designed to be fully integrated into the software development cycle and is distributed as both a fully featured application that has a graphical user interface (FxCop.exe) for interactive work, and a command-line tool (FxCopCmd.exe) suited for use as part of automated build processes or integrated with Microsoft Visual Studio® .NET as an external tool.
Download Link : http://archive.msdn.microsoft.com/codeanalysis/Release/ProjectReleases.aspx?ReleaseId=553
Rough Auditing Tool for Security (RATS) :
is a rough auditing tool for security, originally developed by Secure Software Inc. It is a tool for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and flagging common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.
Download Link : http://code.google.com/p/rough-auditing-tool-for-security/downloads/list
Splint :
is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested in adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.
Splint Manual :
A comprehensive guide to using Splint. [HTML] [PS] [PDF]
Download :
http://www.splint.org/download.html
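An added example of the annotation-driven checking the Splint paragraph refers to (written for this page; it is not taken from the Splint manual or from any tool listed here). Splint reads annotations placed inside special comments, so the file also builds unchanged with an ordinary C compiler; the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

// The "null" annotation tells Splint the result may be NULL, so every
// caller must test it before dereferencing; "only" says the caller takes
// ownership of the storage and must free it on every path.
/*@null@*/ /*@only@*/ char *dup_upper(const char *s)
{
    size_t n = strlen(s);
    size_t i;
    char *out = (char *)malloc(n + 1);
    if (out == NULL)
        return NULL;            // allocation failure is reported as NULL
    for (i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)s[i]);
    out[n] = '\0';
    return out;
}

// Counts the letter 'A' in the upper-cased copy of s; returns -1 when the
// copy could not be allocated. Splint accepts this caller because the
// possibly-NULL result is checked and the owned buffer is released.
int count_upper_a(const char *s)
{
    int count = 0;
    const char *p;
    char *u = dup_upper(s);
    if (u == NULL)
        return -1;
    for (p = u; *p != '\0'; p++)
        if (*p == 'A')
            count++;
    free(u);
    return count;
}
// Dropping the NULL test makes Splint report a dereference of possibly
// null storage, and dropping free(u) makes it report a leak of the owned
// pointer; a plain compiler accepts both versions silently.
```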
Yasca:
is a source code analysis tool that I started writing in 2007. It could best be described as a "glorified grep script" plus an aggregator of other open-source tools.
Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code, integrating with other open-source tools as needed.
Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages. Yasca can integrate easily with other tools, including:
- FindBugs
- PMD
- JLint
- JavaScript Lint
- PHPLint
- CppCheck
- ClamAV
- RATS
- Pixy
Yasca has been migrated to Github, and is available at http://scovetta.github.com/yasca and http://github.com/scovetta/yasca.
Download Link : http://sourceforge.net/projects/yasca/
RIPS :
is a static source code analyser for vulnerabilities in PHP web applications. It was released during the Month of PHP Security.
Features
- detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more
- 5 verbosity levels for debugging your scan results
- mark vulnerable lines in source code viewer
- highlight variables in the code viewer
- user-defined function code by mouse-over on detected call
- active jumping between function declaration and calls
- list of all user-defined functions (defines and calls), program entry points (user input) and scanned files (with includes) connected to the source code viewer
- graph visualization for files and includes as well as functions and calls
- create CURL exploits for detected vulnerabilities with few clicks
- visualization, description, example, PoC, patch and securing function list for every vulnerability
- 7 different syntax highlighting colour schemata
- display scan result in form of a top-down flow or bottom-up trace
- only minimal requirement is a local webserver with PHP and a browser (tested with Firefox)
- regex search function
Agnitio :
A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the ad hoc nature of manual security code review documentation and to create an audit trail and reporting.
Features
- Security code reviews
- Security code review metrics and reporting
- Application security code review tool
- Static analysis security guidance and reporting
Download Link : http://sourceforge.net/projects/agnitiotool/files/latest/download
Thanks,
RRN Technologies Team.