Source Code Scanners

Overview of tools for static code security analysis, with special focus on Yasca. See http://ipsec.pl/ for more details.


1. Source code analysis tools
   Paweł Krawczyk

2. "Static analysis is great for catching common errors early"
   Brian Chess (Fortify)

3. Source code analysis
   • Why?
     • Visibility limitations of blackbox testing
     • Insight not only into what is implemented but also how
     • Timing
       • Blackbox needs a working product
       • Code analysis can start with a single line of code
   • Risks
     • What you see is not always what ends up on the server

4. Why find bugs early?
   Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006
   (chart: early code audit)

5. Why find bugs early?
   Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006
   (chart: pentest, late code audit)

6. Source code scanners
   • Why?
     • Manual testing is time consuming
     • Manual testing is not easily standardised
     • Human factor of manual testing
   • Automated scanning
     • Repeatable, standardised
     • Better automated than none

7. SCA in ASVS
   • OWASP Application Security Verification Standard (ASVS)
     • Level 1B: Source code scan – partial automated verification
     • Level 2B: Code review – partial manual verification

8. Tested free tools
   • Yasca
   • OWASP Code Crawler
   • FxCop
   • CAT.NET
   • Agnitio

9. Yasca requirements
   • PHP
     • http://www.php.net/
   • JRE
     • 1.6.x from SDS or http://java.sun.com/

10. Installation
    • Download main Yasca package
      • yasca-2.1.zip
      • http://sourceforge.net/projects/yasca/files/
    • Download plugins
      • yasca-2.1-something.zip

11. Installation #2
    • Unpack yasca-2.1.zip
      • No installer
      • Any destination
      • Runs directly from that directory
    • Unpack plugins to a dedicated directory
      • c:\static-analyzers
    • Set environment variable SA_HOME
      • SA_HOME=c:\static-analyzers

12. Running Yasca

13. Running Yasca

14. Yasca performance
    • Real application
      • Java and JSP source code
      • 17 MB uncompressed
      • 2500 files
      • 200 subdirectories
      • Network share (LAN)
    • Run time ~10 minutes

15. Yasca reporting

16. Troubleshooting
    • Official manual
      • http://www.yasca.org/h/documentation/
    • Issues noticed
      • PMD crashing sometimes
      • How to limit the large number of irrelevant issues?
17. OWASP Code Crawler

18. Features
    • Version 2.5.1
    • Supports C# and Java

19. Requirements
    • .NET Framework 3.5
    • Visual Studio 2008
      • Works with VS 2010 Beta

20. Results

21. Issues
    • Trivial detection rules
      • "sha" in "shared" triggers a "weak crypto" alert
    • Works on one file at a time
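The "sha" in "shared" false positive on slide 21 is a property of substring matching, not of weak-hash detection as such. The following Python is an added illustration (not code from the deck and not Code Crawler's own rule engine): it runs a naive substring rule and a token-aware rule over a handful of constructed source lines and shows how many findings each one produces. The sample lines, the rule names and the function names are all constructed for this example.

```python
import re

# Constructed sample source lines (not taken from the slides): two genuine
# uses of weak hash algorithms plus harmless identifiers that merely
# contain the letters "sha".
SAMPLE_SOURCE = [
    'byte[] digest = SHA1.Create().ComputeHash(data);',
    'var shared = new SharedCache();',
    'MessageDigest md = MessageDigest.getInstance("MD5");',
    'String shape = "circle";',
    '// shared secret rotation is handled elsewhere',
]


def naive_weak_crypto(lines):
    """Substring rule of the kind slide 21 criticises: any line containing
    'sha' or 'md5' is reported, so 'shared' and 'shape' fire as well."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        if "sha" in lowered or "md5" in lowered:
            hits.append(lineno)
    return hits


# Token-aware rule: the algorithm name must stand alone as an identifier or
# string literal (no identifier character on either side), so 'shared' and
# 'shape' cannot match. 'sha-1' is listed explicitly because the hyphen
# would otherwise split the token.
WEAK_HASH_RE = re.compile(
    r"(?<![A-Za-z0-9_])(md5|sha1|sha-1)(?![A-Za-z0-9_])", re.IGNORECASE
)


def token_weak_crypto(lines):
    """Report (line number, matched algorithm name) for whole-token hits,
    ignoring anything after a '//' line comment."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        code = line.split("//", 1)[0]  # strip trailing line comment
        match = WEAK_HASH_RE.search(code)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


def false_positive_count(lines):
    """Lines the naive rule reports that the token-aware rule does not."""
    naive = set(naive_weak_crypto(lines))
    precise = {lineno for lineno, _ in token_weak_crypto(lines)}
    return len(naive - precise)


if __name__ == "__main__":
    print("naive rule hits :", naive_weak_crypto(SAMPLE_SOURCE))
    print("token rule hits :", token_weak_crypto(SAMPLE_SOURCE))
    print("false positives :", false_positive_count(SAMPLE_SOURCE))
```

On the five constructed lines the naive rule flags every line, the token-aware rule flags only the two real hash calls, and the difference (three lines) is exactly the noise an auditor would otherwise have to triage by hand; the same whole-token discipline is the cheapest first answer to the "how to limit irrelevant issues" question on slide 16.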
22. Microsoft FxCop

23. Features
    • .NET only
    • Works on .NET assemblies
      • EXE, DLL
    • Needs full project with debug binaries
    • Tested 1.36

24. Results

25. Microsoft CAT.NET

26. Features
    • .NET only
    • Requires .NET Framework 4.0
    • Requires Visual Studio 2005
      • Works with VS 2010 Beta
    • Tested version 2.0
    • Requires unstripped PDB files
    • Requires experience with .NET

27. Running
    C:\Program Files\Microsoft Information Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /file:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\bin\Debug\Employee Managemet System.exe" /configdir:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\Properties"

28. Results

29. Agnitio
    • Audit management & reporting tool
    • Record basic application information
    • Build your own checklist
      • "Has a centralized whitelist approach to input validation been implemented?"
      • Find evidence in source code
      • Answer Yes/No
    • Did not really work for me
      • Issues with saving apps, validating fields

31. Commercial
    • Ounce
      • now IBM Rational AppScan Source Edition
    • Veracode
      • SaaS model – upload your code, automated and manually assisted
    • Fortify 360 Source Code Analyzer
    • Checkmarx CxAudit
    • Klocwork

32. Questions?
    • http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
    • IBM: "11 proven practices for more effective, efficient peer code review"
      • http://ibm.co/eszW1V
