Source Code Scanners

Overview of tools for static code security analysis, with special focus on Yasca. See http://ipsec.pl/ for more details.

Transcript

  • 1. Source code analysis tools Paweł Krawczyk
  • 2. „Static analysis is great for catching common errors early” (Brian Chess, Fortify)
  • 3. Source code analysis
    • Why?
      • Visibility limitations of blackbox testing
      • Insight not only into what is implemented but also how
      • Timing
        • Blackbox needs working product
        • Code analysis can start with single line of code
    • Risks
      • What you see is not always what ends up on the server
  • 4. Why find bugs early?
    • Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006
    • Chart label: Early code audit
  • 5. Why find bugs early?
    • Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006
    • Chart labels: Pentest, Late code audit
  • 6. Source code scanners
    • Why?
      • Manual testing is time consuming
      • Manual testing is not easily standardised
      • Human factor of manual testing
    • Automated scanning
      • Repeatable, standardised
      • Better automated than none
  • 7. SCA in ASVS
    • OWASP Application Security Verification Standard (ASVS)
      • Level 1B: Source code scan – partial automated verification
      • Level 2B: Code review – partial manual verification
  • 8. Tested free tools
    • Yasca
    • OWASP Code Crawler
    • FxCop
    • CAT.NET
    • Agnitio
  • 9. Yasca requirements
    • PHP
      • http://www.php.net/
    • JRE
      • 1.6.x from SDS or http://java.sun.com/
  • 10. Installation
    • Download main Yasca package
      • yasca-2.1.zip
      • http://sourceforge.net/projects/yasca/files/
    • Download plugins
      • yasca-2.1-something.zip
  • 11. Installation #2
    • Unpack yasca-2.1.zip
      • No installer
      • Any destination
      • Runs directly from that directory
    • Unpack plugins to a dedicated directory
      • c:\static-analyzers
    • Set environment variable SA_HOME
      • SA_HOME=c:\static-analyzers
  • 12. Running Yasca
  • 13. Running Yasca
  • 14. Yasca performance
    • Real application
      • Java and JSP source code
      • 17 MB uncompressed
      • 2500 files
      • 200 subdirectories
      • Network share (LAN)
    • Run time ~10 minutes
  • 15. Yasca reporting
  • 16. Troubleshooting
    • Official manual
      • http://www.yasca.org/h/documentation/
    • Issues noticed
      • PMD crashing sometimes
      • How to limit large number of irrelevant issues?
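The last question on this slide applies to any scanner, not just Yasca: the first full run of a code base produces hundreds of findings, most of them already known, in vendored code, or from rules nobody cares about. One common answer is to triage against a baseline. The block below is an added example, not Yasca's code or its report format; the finding tuples, rule ids and paths are constructed for illustration. Findings are fingerprinted by rule, path and whitespace-normalized line text rather than by line number, so an edit that shifts lines does not resurrect already-triaged findings, and the remaining ones are filtered by path prefix and rule id.

```python
import hashlib
import re

# Constructed findings, shaped (rule_id, path, line_no, line_text). This is a
# made-up layout for the example, not the format of any real scanner report.
BASELINE_FINDINGS = [
    ("sql-concat", "src/UserDao.java", 40, 'String q = "SELECT * FROM users WHERE id=" + id;'),
    ("weak-hash", "src/Login.java", 88, 'MessageDigest.getInstance("MD5");'),
]

CURRENT_FINDINGS = [
    # same sql-concat finding, shifted two lines down by an unrelated edit
    ("sql-concat", "src/UserDao.java", 42, 'String q = "SELECT * FROM users WHERE id=" + id;'),
    # same weak-hash finding, only whitespace changed
    ("weak-hash", "src/Login.java", 88, 'MessageDigest.getInstance( "MD5" );'),
    # genuinely new finding in application code
    ("sql-concat", "src/ReportDao.java", 17, 'stmt.execute("DELETE FROM reports WHERE owner=" + user);'),
    # noise: vendored library and a test fixture
    ("weak-hash", "lib/third_party/Digest.java", 5, 'MessageDigest.getInstance("MD5");'),
    ("sql-concat", "test/DaoTest.java", 12, 'String q = "SELECT 1 FROM t WHERE x=" + x;'),
    # noise: a low-value rule the team has decided to ignore
    ("todo-comment", "src/Login.java", 3, "// TODO clean up"),
]


def fingerprint(finding):
    """Stable identity for a finding: rule + path + whitespace-stripped text.
    The line number is deliberately left out so that edits elsewhere in the
    file do not turn an already-triaged finding into a 'new' one."""
    rule, path, _line_no, text = finding
    normalized = re.sub(r"\s+", "", text)
    return hashlib.sha256(f"{rule}|{path}|{normalized}".encode()).hexdigest()[:16]


def triage(current, baseline, ignore_path_prefixes=(), ignore_rules=()):
    """Return only findings worth a human's time: not in the baseline, not
    under an ignored path, not from an ignored rule."""
    known = {fingerprint(f) for f in baseline}
    new = []
    for f in current:
        rule, path, _, _ = f
        if rule in ignore_rules:
            continue
        if any(path.startswith(p) for p in ignore_path_prefixes):
            continue
        if fingerprint(f) in known:
            continue
        new.append(f)
    return new


def triage_example():
    """Run the constructed report against the constructed baseline."""
    return triage(
        CURRENT_FINDINGS,
        BASELINE_FINDINGS,
        ignore_path_prefixes=("lib/third_party/", "test/"),
        ignore_rules=("todo-comment",),
    )


if __name__ == "__main__":
    for rule, path, line_no, text in triage_example():
        print(f"{path}:{line_no}: [{rule}] {text}")
```

Of the six current findings only the ReportDao one survives: the two baseline findings are recognized despite the line shift and the whitespace change, and the rest are dropped by path or rule. Keep the baseline file under version control next to the code so that a reviewer can see when a finding was accepted and by whom.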
  • 17. OWASP Code Crawler
  • 18. Features
    • Version 2.5.1
    • Supports C# and Java
  • 19. Requirements
    • .NET Framework 3.5
    • Visual Studio 2008
      • Works with VS 2010 Beta
  • 20. Results
  • 21. Issues
    • Trivial detection rules
      • „sha” in „shared” triggers „weak crypto” alert
    • Work on one file at a time
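The „shared” false positive comes from matching „sha” as a plain substring of the line. As an added example (not Code Crawler's rule engine; the sample lines and the token list are constructed), the block below contrasts that substring rule with one that matches whole tokens after splitting identifiers and string literals on camelCase, underscore and digit boundaries: sha1Hex and the literal "SHA1" still trip the rule, sharedSecret and shares do not.

```python
import re

# Constructed sample lines (Java-like), not taken from the presentation. Lines
# 3 and 4 are the "shared" case: they mention no hash algorithm at all.
SAMPLE_LINES = [
    'MessageDigest md = MessageDigest.getInstance("SHA1");',
    'String pwd = sha1Hex(password);',
    'String sharedSecret = config.get("shared.secret");',
    'int shares = 10;',
    'Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");',
    'return Cipher.getInstance("AES/GCM/NoPadding");',
]

# Names that should raise a "weak crypto" finding when they appear as a whole
# token (algorithm name in a literal, or one part of an identifier).
WEAK_CRYPTO = ("md5", "sha", "sha1", "des", "rc4")


def naive_scan(lines):
    """Substring rule of the kind the slide complains about: every line whose
    lowercased text contains a weak-crypto name is flagged, so "shared" and
    "shares" match "sha"."""
    hits = []
    for no, line in enumerate(lines, 1):
        low = line.lower()
        for name in WEAK_CRYPTO:
            if name in low:
                hits.append((no, name))
                break
    return hits


# An identifier, or the body of a double-quoted string literal (escapes allowed).
IDENT_OR_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"|([A-Za-z_][A-Za-z0-9_]*)')
# Splits camelCase / UPPER / digit runs: sha1Hex -> sha1, Hex; AESKey -> AES, Key.
WORD_PARTS = re.compile(r'[A-Z]?[a-z]+[0-9]*|[A-Z]+(?![a-z])[0-9]*|[0-9]+')


def tokens(line):
    """Lowercased word parts of every identifier and string literal on a line."""
    out = []
    for m in IDENT_OR_STRING.finditer(line):
        chunk = m.group(1) if m.group(1) is not None else m.group(2)
        out.extend(part.lower() for part in WORD_PARTS.findall(chunk))
    return out


def token_scan(lines):
    """Same rule, but matched against whole tokens: "sharedSecret" splits into
    "shared" and "secret", neither of which is "sha", while "sha1Hex" still
    yields the token "sha1"."""
    weak = set(WEAK_CRYPTO)
    hits = []
    for no, line in enumerate(lines, 1):
        found = sorted(set(tokens(line)) & weak)
        if found:
            hits.append((no, found[0]))
    return hits


def false_positives(lines):
    """Line numbers the substring rule flags but the token rule does not."""
    naive = {n for n, _ in naive_scan(lines)}
    precise = {n for n, _ in token_scan(lines)}
    return sorted(naive - precise)


if __name__ == "__main__":
    print("substring rule: ", naive_scan(SAMPLE_LINES))
    print("token rule:     ", token_scan(SAMPLE_LINES))
    print("false positives:", false_positives(SAMPLE_LINES))
```

On the sample the substring rule flags five of six lines, the token rule three (the SHA1 literal, the sha1Hex call and the DES cipher string), and lines 3 and 4 are the false positives. Token matching is still a lexical heuristic, not data-flow analysis, but it is the cheapest fix for the class of noise the slide describes.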
  • 22. Microsoft FxCop
  • 23. Features
    • .NET only
    • Works on .NET assemblies
      • EXE, DLL
    • Needs full project with debug binaries
    • Tested 1.36
  • 24. Results
  • 25. Microsoft CAT.NET
  • 26. Features
    • .NET only
    • Requires .NET Framework 4.0
    • Requires Visual Studio 2005
      • Works with VS 2010 Beta
    • Tested version 2.0
    • Requires unstripped PDB files
    • Requires experience with .NET
  • 27. Running
    • C:\Program Files\Microsoft Information Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /file:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\bin\Debug\Employee Managemet System.exe" /configdir:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\Properties"
  • 28. Results
  • 29. Agnitio
    • Audit management & reporting tool
    • Record basic application information
    • Build your own checklist
      • „Has a centralized whitelist approach to input validation been implemented?”
      • Find evidence in source code
      • Answer Yes/No
    • Did not really work for me
      • Issues with saving apps, validating fields
  • 31. Commercial
    • Ounce
      • now IBM Rational AppScan Source Edition
    • Veracode
      • SaaS model – upload your code, automated and manually assisted
    • Fortify 360 Source Code Analyzer
    • Checkmarx CxAudit
    • Klocwork
  • 32. Questions?
    • http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
    • IBM: „ 11 proven practices for more effective, efficient peer code review ”
      • http://ibm.co/eszW1V