Static Code Analysis
Transcript

  • 1. Source Code: Find your bugs before someone else does! by Thomas Hofer
  • 2. About me…
    Thomas Hofer
    Consultant (blue-infinity, Geneva)
    Skills:
    Static analysis
    Solution architecture
    Software Engineering (Java – Rails – PHP)
  • 3. Outline
    Simple means to improve your code quality!
    Introduction
    Motivation
    Static Source Code Analyzers
    Recommendations
    Our criteria
    Selected tools
    Additional Information
  • 4. Reasons for this research
    CERN is a prized target
    Renowned
    Internet Exchange Point
    However: Any website could be targeted!
    Potentially undesirable consequences of an attack:
    Loss of confidentiality
    Damaged reputation
    Loss of data
  • 5. Security: when to care about it?
    Creating / Managing
    Documents
    Web Pages
    Hardware
    Services
    Development
    Software
    Web Applications
  • 6. Development and Security
    Training (before)
    Code review (right after)
    Vulnerability scanning (after)
  • 7. Development and Security
    Training (before)
    Static source code analysis (during and after)
    Code review (right after)
    Vulnerability scanning (after)
  • 8. Development and Security
    Training (before)
    Code review (right after)
    Vulnerability scanning (after)
  • 9. Security and me…
    What can YOU do about it…
    … without sacrificing your deadlines?
    Static Analysis
    The earlier a bug is caught, the cheaper it is to fix!
  • 10. Static source code analysis
    A static source code analyzer:
    Reads your source code but…
    Won’t execute or compile it (usually)!
    Looks for possible errors regarding
    Security
    Reliability
    Functionality
  • 11. What can they do?
    A static source code analyzer can:
    Look for known and common errors
    Sometimes suggest fixes or improvements
    Offer help in finding bugs
    Find many kinds of bugs, not only security related
  • 12. What can they not do?
    A static source code analyzer cannot:
    ‘Automagically’ fix bugs
    Find all bugs (i.e. false negatives)
    Find only bugs (i.e. false positives)
  • 13. Our criteria / requirements
    Quick results
    Very low ‘false alarm’ rate
    Ease of use
    At least some results…
  • 14. Overview of selected tools
    Perl
    Perl::Critic
    RATS
    Java
    FindBugs
    CodePro Analyser
    PHP
    Pixy
    RATS
  • Flawfinder
    C / C++
    Freeware / Unix
    Calls to commonly misused functions…
    http://cern.ch/security/recommendations/en/codetools/flawfinder.shtml
  • 22. FindBugs
    Java
    Freeware / Eclipse plugin
    Very flexible, ability to define custom rules…
    http://cern.ch/security/recommendations/en/codetools/findbugs.shtml
  • 24. CodePro AnalytiX
    Java
    Freeware / Google Web Toolkit
    As flexible as FindBugs, also ability to define your own rules
    http://code.google.com/javadevtools/codepro/doc/index.html
  • 25. Perl::Critic
    Perl
    Freeware / Unix – Perl module
    Best Practices: style and security
    Demo
    http://cern.ch/security/recommendations/en/codetools/perl_critic.shtml
  • 26. Pixy
    PHP
    Freeware / Unix
    XSS & SQLi
    http://cern.ch/security/recommendations/en/codetools/pixy.shtml
  • 27. RATS
    C / C++ / Perl, (and, partially) Python, PHP
    Freeware
    Calls to commonly misused functions
    http://cern.ch/security/recommendations/en/codetools/rats.shtml
  • 28. What else?
    ‘Ok, now that I have used this tool, I should be safe…’
    Tools are not enough!
    Even the best tool will miss the most sophisticated errors
    Sensitive projects should be reviewed ‘manually’ by experts
  • 29. A Fool with a Tool is still a Fool!
    ‘A fool with a tool is still a fool!’, D. Wheeler
    The code excerpt below was found in RealPlayer, in 2005 (CVE-2005-0455):
    char tmp[256]; /* Flawfinder: ignore */
    strcpy(tmp, pScreenSize); /* Flawfinder: ignore */
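    As an added example (not part of the original slides), a small Python scanner in the style of the RATS/Flawfinder checks described in slides 10 to 12: it flags calls to commonly misused functions, honours the `/* Flawfinder: ignore */` marker from the RealPlayer excerpt, but keeps suppressed findings in the report so a reviewer can audit them instead of trusting the marker. The function list and every sample line except the two RealPlayer lines are constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Calls that pattern-based analyzers report because they take no destination
# size. Constructed subset for this example, not a tool's real rule set.
RISKY_CALLS = {
    "strcpy": "unbounded copy into destination; use a length-checked copy",
    "strcat": "unbounded append; use a length-checked append",
    "sprintf": "unbounded formatted write; use snprintf",
    "gets": "reads without a bound; use fgets",
}
# Flawfinder-style suppression marker on the same line as the call.
IGNORE_RE = re.compile(r"/\*\s*Flawfinder\s*:\s*ignore\s*\*/")
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

@dataclass
class Finding:
    line_no: int
    func: str
    suppressed: bool
    text: str

def scan(source: str) -> list[Finding]:
    """Pattern matching only (no parsing, no data flow), like RATS/Flawfinder.
    Suppressed calls are recorded, not dropped, so they stay visible."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append(Finding(no, m.group(1), bool(IGNORE_RE.search(line)), line.strip()))
    return findings

def report(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split findings into active ones and suppressed ones for manual audit."""
    return ([f for f in findings if not f.suppressed], [f for f in findings if f.suppressed])

# Constructed sample: the two RealPlayer lines from slide 29 plus two more cases.
SAMPLE = """\
char tmp[256]; /* Flawfinder: ignore */
strcpy(tmp, pScreenSize); /* Flawfinder: ignore */
char greeting[16];
strcpy(greeting, "hello");   /* fits: still flagged, a false positive (slide 12) */
snprintf(tmp, sizeof tmp, "%s", pScreenSize);   /* bounded: not flagged */
"""

if __name__ == "__main__":
    active, suppressed = report(scan(SAMPLE))
    for f in active:
        print(f"line {f.line_no}: {f.func}: {RISKY_CALLS[f.func]}  <- {f.text}")
    for f in suppressed:
        print(f"line {f.line_no}: {f.func} SUPPRESSED, review the marker  <- {f.text}")
```

Running it shows the real overflow from slide 29 only as a suppressed entry, while the harmless `"hello"` copy is an active finding: the marker, not the tool, decided which one a careless reader would see.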
  • 30. Further information
    http://cern.ch/security/recommendations/en/code_tools.shtml
    Presentation of the tools
    Installation, configuration and usage advice
    Explanation of some common errors
    Advice for developing more secure software
  • 31. Thank you!
    To contact me:
    thomas.hofer@b-i.com