Thursday, September 26, 2013

Best Secure Source Code Analysis Tools

Secure Source Code Analysis tools :

Secure source code analysis tools are designed to analyze source code and/or the compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw.

Throughout the SDLC there are points at which an application security consultant should get involved. Performing security activities across the lifecycle has proven to be far more cost-effective than either a "big design up front" security effort or a single pre-production security review. The reason for intervening at regular intervals is that potential issues can be detected early in the development life cycle, where they are less costly to address.

Integration of security code review into the System Development Life Cycle (SDLC) can yield dramatic results for the overall quality of the code developed. Security code review is not a silver bullet, but it is part of a healthy application development diet. Consider it one of the layers in a defense-in-depth approach to application security. Security code review is also a cornerstone of the approach to developing secure software. The idea of integrating a phase into your SDLC may sound daunting, yet another layer of complexity or an additional cost, but in the long term and in today's cyber landscape it is cost-effective, reputation-building, and in the best interest of any business to do so.

Waterfall SDLC Example
  1. Requirements definition
    1. Application Security Requirements
  2. Architecture and Design
    1. Application Security Architecture and/or Threat Model
  3. Development
    1. Secure Coding Practices
    2. Security Testing
    3. Security Code Review
  4. Test
    1. Penetration Testing
  5. Deployment
    1. Secure Configuration Management
    2. Secure Deployment
  6. Maintenance

Agile Security Methodology Example
  1. Planning
    1. Identify Security Stakeholder Stories
    2. Identify Security Controls
    3. Identify Security Test Cases
  2. Sprints
    1. Secure Coding
    2. Security Test Cases
    3. Peer Review with Security
  3. Deployment
    1. Security Verification (with Penetration Testing and Security Code Review).

LAPSE Project By OWASP :

The OWASP LAPSE project is an initiative to make available to developers and auditors a tool for detecting vulnerabilities in Java EE applications. The project aims to provide a tool based on static analysis of code, given the importance and difficulty of this type of analysis for detecting security flaws in Java EE applications.

LAPSE+ is a security scanner for detecting untrusted data injection vulnerabilities in Java EE applications. It has been developed as a plugin for the Eclipse Java development environment, working specifically with Eclipse Helios and Java 1.6 or higher.

The vulnerabilities detected by LAPSE+ relate to the injection of untrusted data to manipulate the behavior of the application. This type of vulnerability is the most common in web applications. The vulnerability categories detected by LAPSE+ are enumerated below:

  • Parameter Tampering.
  • URL Tampering.
  • Header Manipulation.
  • Cookie Poisoning.
  • SQL Injection.
  • Cross-site Scripting (XSS).
  • HTTP Response Splitting.
  • Command Injection.
  • Path Traversal.
  • XPath Injection.
  • XML Injection.
  • LDAP Injection.

You can download LAPSE+ and its tutorial at the following links:

O2 platform Project By OWASP :

The OWASP O2 Platform is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.

O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex).


Install VisualStudio Extension

O2 Platform is also available as a Visual Studio extension, which you can download from the Visual Studio Gallery (see VisualStudio C# REPL - O2 Platform) or directly using Visual Studio's Extension Manager:

Download Stand-Alone Application

You can run all O2 Tools and Scripts using the stand-alone executable which you can download from:

O2 Platform - Main O2 Gui v5.3.exe

FxCop :

FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.

FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses MSIL parsing and call-graph analysis to inspect assemblies for more than 200 defects in the following areas:
  • Library design
  • Globalization
  • Naming conventions
  • Performance
  • Interoperability and portability
  • Security
  • Usage

FxCop includes both GUI and command-line versions of the tool and supports analyzing .NET 1.x, .NET 2.0 and .NET 3.x components.

FxCop is intended for class library developers. However, anyone creating applications that should comply with .NET Framework best practices will benefit. FxCop is also useful as an educational tool for people who are new to the .NET Framework or who are unfamiliar with the .NET Framework Design Guidelines.

FxCop is designed to be fully integrated into the software development cycle and is distributed both as a fully featured application with a graphical user interface (FxCop.exe) for interactive work, and as a command-line tool (FxCopCmd.exe) suited for use as part of automated build processes or integrated with Microsoft Visual Studio® .NET as an external tool.

Download Link : http://archive.msdn.microsoft.com/codeanalysis/Release/ProjectReleases.aspx?ReleaseId=553

Rough Auditing Tool for Security (RATS) :

RATS is a rough auditing tool for security, originally developed by Secure Software Inc. It is a tool for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and flagging common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.


As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Download Link : http://code.google.com/p/rough-auditing-tool-for-security/downloads/list

Splint :

Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested in adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.

Splint Manual :
A comprehensive guide to using Splint. [HTML] [PS] [PDF]

Download :
http://www.splint.org/download.html

Yasca :

Yasca is a source code analysis tool that I started writing in 2007. It could best be described as a "glorified grep script" plus an aggregator of other open-source tools.

Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code, integrating with other open-source tools as needed.

Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages. Yasca can integrate easily with other tools, including:
  • FindBugs
  • PMD
  • JLint
  • JavaScript Lint
  • PHPLint
  • CppCheck
  • ClamAV
  • RATS
  • Pixy

Yasca is designed to be very flexible and easy to extend. In fact, writing a new rule is as easy as coming up with a regular expression, the file extensions it applies to, and the name of your new rule. Place that information in a text file in the plugin directory, and run Yasca!
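The rule mechanism described above (a rule name, the file extensions it applies to, and a regular expression), reduced to a small "glorified grep" scanner as an added example. This is not Yasca's own plugin format or code; the rule names, regular expressions and sample files are constructed for illustration. It also shows why such a scan is only rough: a match inside a comment is reported like any other, so every hit is a candidate for manual review.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GrepRule:
    """Hypothetical rule shape for illustration: name, extensions, regex.
    (Not Yasca's real plugin syntax.)"""
    name: str
    extensions: tuple
    pattern: str


# Constructed rules; each flags one risky API by lexical pattern only.
RULES = [
    GrepRule("Unsafe C string copy", (".c", ".h"), r"\bstrcpy\s*\("),
    GrepRule("PHP eval of dynamic code", (".php",), r"\beval\s*\("),
    GrepRule("Java Runtime.exec call", (".java",), r"Runtime\.getRuntime\(\)\.exec\s*\("),
]


def scan_file(path, text, rules=RULES):
    """Return (rule name, line number, stripped line) for every line that matches
    a rule whose extension list covers this file. Purely lexical: no parsing,
    no data flow, so comments and dead code are flagged just like live code."""
    findings = []
    for rule in rules:
        if not path.endswith(rule.extensions):
            continue  # rule does not apply to this file type
        regex = re.compile(rule.pattern)
        for lineno, line in enumerate(text.splitlines(), start=1):
            if regex.search(line):
                findings.append((rule.name, lineno, line.strip()))
    return findings


# Constructed sample files (not taken from any real project).
SAMPLE_FILES = {
    # Line 3 is only a comment, yet it is reported too: the "rough" part.
    "copy.c": "#include <string.h>\nvoid f(char *d, const char *s) {\n"
              "    /* strcpy(d, s); was here */\n    strcpy(d, s);\n}\n",
    "page.php": "<?php\n$code = $_GET['c'];\neval($code);\n",
    # strcpy in a .java file is not reported: the C rule does not apply there.
    "Util.java": "class Util {\n  // strcpy mentioned only in a comment\n  void run() {}\n}\n",
}


def scan_all(files=SAMPLE_FILES):
    """Scan every constructed file and return findings keyed by path."""
    return {path: scan_file(path, text) for path, text in files.items()}
```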

Yasca has been migrated to GitHub, and is available at http://scovetta.github.com/yasca and http://github.com/scovetta/yasca.

Download Link : http://sourceforge.net/projects/yasca/

RIPS :

RIPS is a static source code analyser for vulnerabilities in PHP web applications. It was released during the Month of PHP Security.


Features

  • detect XSS, SQLi, file disclosure, LFI/RFI, RCE vulnerabilities and more
  • 5 verbosity levels for debugging your scan results
  • mark vulnerable lines in the source code viewer
  • highlight variables in the code viewer
  • show user-defined function code by mouse-over on a detected call
  • active jumping between function declarations and calls
  • list of all user-defined functions (definitions and calls), program entry points (user input) and scanned files (with includes), connected to the source code viewer
  • graph visualization for files and includes as well as functions and calls
  • create cURL exploits for detected vulnerabilities with a few clicks
  • visualization, description, example, PoC, patch and securing-function list for every vulnerability
  • 7 different syntax highlighting colour schemes
  • display scan results in the form of a top-down flow or bottom-up trace
  • the only minimal requirement is a local web server with PHP and a browser (tested with Firefox)
  • regex search function

Download Link : http://sourceforge.net/projects/rips-scanner/files/latest/download

Agnitio :

Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the ad hoc nature of manual security code review documentation and to create an audit trail and reporting.

Features

  • Security code reviews
  • Security code review metrics and reporting
  • Application security code review tool
  • Static analysis security guidance and reporting

Download Link : http://sourceforge.net/projects/agnitiotool/files/latest/download

Thanks,

RRN Technologies Team.