Source Code Scanners
Overview of tools for static code security analysis, with special focus on Yasca. See http://ipsec.pl/ for more details.
Usage Rights

CC Attribution License
Presentation Transcript

  • Source code analysis tools Paweł Krawczyk
  • „Static analysis is great for catching common errors early” Brian Chess (Fortify)
  • Source code analysis
    • Why?
      • Visibility limitations of blackbox testing
      • Insight not only into what is implemented but also how
      • Timing
        • Blackbox needs working product
        • Code analysis can start with single line of code
    • Risks
      • What you see is not always what ends up on the server
  • Why find bugs early?
    • Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006
    • Chart: cost of fixing a bug found by early code audit
  • Why find bugs early?
    • Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006
    • Chart: cost of fixing a bug found by pentest or late code audit
  • Source code scanners
    • Why?
      • Manual testing is time consuming
      • Manual testing is not easily standardised
      • Human factor of manual testing
    • Automated scanning
      • Repeatable, standardised
      • Better automated than none
  • SCA in ASVS
    • OWASP Application Security Verification Standard (ASVS)
      • Level 1B: Source code scan – partial automated verification
      • Level 2B: Code review – partial manual verification
  • Tested free tools
    • Yasca
    • OWASP Code Crawler
    • FxCop
    • CAT.NET
    • Agnitio
  • Yasca requirements
    • PHP
      • http://www.php.net/
    • JRE
      • 1.6.x from SDS or http://java.sun.com/
  • Installation
    • Download main Yasca package
      • yasca-2.1.zip
      • http://sourceforge.net/projects/yasca/files/
    • Download plugins
      • yasca-2.1-something.zip
  • Installation #2
    • Unpack yasca-2.1.zip
      • No installer
      • Any destination
      • Runs directly from that directory
    • Unpack plugins to a dedicated directory
      • c:\static-analyzers
    • Set environment variable SA_HOME
      • SA_HOME=c:\static-analyzers
  • Running Yasca
  • Yasca performance
    • Real application
      • Java and JSP source code
      • 17 MB uncompressed
      • 2500 files
      • 200 subdirectories
      • Network share (LAN)
    • Run time ~10 minutes
  • Yasca reporting
  • Troubleshooting
    • Official manual
      • http://www.yasca.org/h/documentation/
    • Issues noticed
      • PMD crashing sometimes
      • How to limit large number of irrelevant issues?
  • OWASP Code Crawler
  • Features
    • Version 2.5.1
    • Supports C# and Java
  • Requirements
    • .NET Framework 3.5
    • Visual Studio 2008
      • Works with VS 2010 Beta
  • Results
  • Issues
    • Trivial detection rules
      • „sha” in „shared” triggers a „weak crypto” alert
    • Work on one file at a time
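The two Code Crawler complaints above (substring rules that fire on „sha” inside „shared”, and the earlier Yasca question of how to keep irrelevant issues out of the report) both come down to how a grep-style scanner is written. The following is an added example, not code from Code Crawler, Yasca or the presentation: a small Python scanner that runs a naive substring rule set next to a word-boundary rule set over a constructed sample repository, and skips test/vendor paths so fixtures do not flood the report. The rule names, patterns, sample files and exclusion list are all assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Sequence


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    text: str


# Substring keywords, the style of rule that makes "sha" fire on "shared".
NAIVE_KEYWORDS = {"weak-crypto": ("md5", "sha", "des")}

# Token-aware rules: the algorithm name must stand as a whole word (\b),
# so "shared" and "designer" no longer trigger. SHA-256 is deliberately
# absent from the weak-crypto list, so it is not flagged either.
# Patterns are illustrative assumptions, not any real scanner's rule set.
RULES = {
    "weak-crypto": re.compile(r"(?i)\b(md5|sha-?1|des|rc4)\b"),
    # identifier ending in password/passwd/secret assigned a quoted literal
    "hardcoded-secret": re.compile(
        r"""(?i)\b\w*(password|passwd|secret)\s*=\s*["'][^"']+["']"""
    ),
}

# Path prefixes whose findings are usually noise (fixtures, vendored code).
DEFAULT_EXCLUDES = ("test/", "tests/", "vendor/")

# Constructed sample "repository": path -> source lines. Not a real project.
SAMPLE_REPO = {
    "src/Crypto.cs": [
        "using System.Security.Cryptography;",
        "var hash = MD5.Create();",               # genuine weak-crypto hit
        "string shared = GetSharedKey();",        # 'sha' inside 'shared'
        "var designer = new FormDesigner();",     # 'des' inside 'designer'
        'string apiSecret = "hunter2";',          # hard-coded secret
    ],
    "test/CryptoTest.cs": [
        "var h = SHA1.Create(); // fixture for a legacy-hash test",
    ],
}


def naive_scan(repo) -> List[Finding]:
    """Substring matching: every line containing a keyword is reported."""
    findings = []
    for path, lines in repo.items():
        for n, line in enumerate(lines, 1):
            lowered = line.lower()
            for rule, words in NAIVE_KEYWORDS.items():
                if any(w in lowered for w in words):
                    findings.append(Finding(path, n, rule, line.strip()))
    return findings


def scan(repo, excludes: Sequence[str] = DEFAULT_EXCLUDES) -> List[Finding]:
    """Word-boundary regex rules plus path exclusions."""
    findings = []
    for path, lines in repo.items():
        if any(path.startswith(prefix) for prefix in excludes):
            continue  # skip directories that only generate noise
        for n, line in enumerate(lines, 1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(path, n, rule, line.strip()))
    return findings


if __name__ == "__main__":
    for label, result in (("naive", naive_scan(SAMPLE_REPO)),
                          ("word-boundary", scan(SAMPLE_REPO))):
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print(f"  {f.path}:{f.line_no} [{f.rule}] {f.text}")
```

The naive pass reports four issues, three of which are false positives; the word-boundary pass reports the MD5 call and the hard-coded secret only, and the SHA1 fixture under test/ is dropped by the path filter. Passing an empty `excludes` brings the fixture back, which is the knob to turn when a report is too noisy or too quiet.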
  • Microsoft FxCop
  • Features
    • .NET only
    • Works on .NET assemblies
      • EXE, DLL
    • Needs full project with debug binaries
    • Tested 1.36
  • Results
  • Microsoft CAT.NET
  • Features
    • .NET only
    • Requires .NET Framework 4.0
    • Requires Visual Studio 2005
      • Works with VS 2010 Beta
    • Tested version 2.0
    • Requires unstripped PDB files
    • Requires experience with .NET
  • Running
    • C:\Program Files\Microsoft Information Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /file:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\bin\Debug\Employee Managemet System.exe" /configdir:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\Properties"
  • Results
  • Agnitio
    • Audit management & reporting tool
    • Record basic application information
    • Build your own checklist
      • „Has a centralized whitelist approach to input validation been implemented?”
      • Find evidence in source code
      • Answer Yes/No
    • Did not really work for me
      • Issues with saving apps, validating fields
  • Commercial
    • Ounce
      • now IBM Rational AppScan Source Edition
    • Veracode
      • SaaS model – upload your code, automated and manually assisted
    • Fortify 360 Source Code Analyzer
    • Checkmarx CxAudit
    • Klocwork
  • Questions?
    • http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
    • IBM: „ 11 proven practices for more effective, efficient peer code review ”
      • http://ibm.co/eszW1V