Pawel Krawczyk, profile picture
Uploaded byPawel Krawczyk
PPT, PDF2,817 views

Source Code Scanners

The document discusses the importance of source code analysis tools for early bug detection in software development, emphasizing that automated scanning can improve the efficiency and standardization of testing compared to manual methods. It reviews different tools such as Yasca, Owasp Code Crawler, Microsoft FxCop, and Agnitio, along with their functionality, requirements, and performance issues. Additionally, it includes insights on security integration in the software life cycle and highlights the limitations of black-box testing.

Embed presentation

Downloaded 88 times
Source code analysis tools Paweł Krawczyk
„ Static analysis is great for catching common errors early ” Brian Chess (Fortify)
Source code analysis Why? Visibility limitations of blackbox testing Insight not only into what is implemented but also how Timing Blackbox needs working product Code analysis can start with single line of code Risks What you see is not always what ends up on the server
Why find bugs early? Applied Software Measurement , Capers Jones, 1996 Building Security Into The Software Life Cycle , Marco M. Morana, 2006 Early code audit
Why find bugs early? Applied Software Measurement , Capers Jones, 1996 Building Security Into The Software Life Cycle , Marco M. Morana, 2006 Pentest Late code audit
Source code scanners Why? Manual testing is time consuming Manual testing is not easily standardised Human factor of manual testing Automated scanning Repeatable, standardised Better automated than none
SCA in ASVS OWASP Application Security Verification Standard (ASVS) Level 1B: Source code scan – partial automated verfication Level 2B: Code review – partial manual verification
Tested free tools Yasca OWASP Code Crawler FxCop CAT.NET Agnitio
Yasca requirements PHP http://www.php.net/ JRE 1.6.x from SDS or http://java.sun.com/
Installation Download main Yasca package yasca-2.1.zip http://sourceforge.net/projects/yasca/files/ Download plugins yasca-2.1-something.zip
Installation #2 Unpack yasca-2.1.zip No installer Any destination Runs directly from that directory Unpack plugins to a dedicated directory c:\static-analyzers Set environment variable SA_HOME SA_HOME=c:\static-analyzers\
Running Yasca
Running Yasca
Yasca performance Real application Java and JSP source code 17 MB uncompressed 2500 files 200 subdirectories Network share (LAN) Run time ~10 minutes
Yasca reporting
Troubleshooting Official manual http://www.yasca.org/h/documentation/ Issues noticed PMD crashing sometimes How to limit large number of irrelevant issues?
OWASP Code Crawler
Features Version 2.5.1 Supports C# and Java
Requirements .NET Framework 3.5 Visual Studio 2008 Works with VS 2010 Beta
Results
Issues Trivial detection rules „ sha” in „shared” triggers „weak crypto” alert Work on one file at a time
Microsoft FxCop
Features .NET only Works on .NET assemblies EXE, DLL Needs full project with debug binaries Tested 1.36
Results
Microsoft CAT.NET
Features .NET only Requires .NET Framework 4.0 Requires Visual Studio 2005 Works with VS 2010 Beta Tested version 2.0 Requires unstripped PDB files Requires experience with .NET
Running C:\Program Files\Microsoft Information Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /file:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\bin\Debug\Employee Managemet System.exe" /confi gdir:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet Syste m\Properties"
Results
Agnitio Audit management & reporting tool Record basic application information Build your own checklist „ Has a centeralized whitelist approach to input validation been implemented?” Find evidence in source code Answer Yes/No Did not really work for me Issues with saving apps, validating fields
 
Commercial Ounce now IBM Rational AppScan Source Edition Veracode SaaS model – upload your code, automated and manually assisted Fortify 360 Source Code Analyzer Checkmarx CxAudit Klocwork
Questions? http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis IBM: „ 11 proven practices for more effective, efficient peer code review ” http ://ibm.co/eszW1V

More Related Content

DOC
Đồ án Nghiên cứu về hệ thống giám sát mạng sử dụng phần mềm nguồn mở Zabbix
bylamluanvan.net Hỗ trợ viết luận văn
 
PDF
Hệ thống quản lý và phân tích log tập trung elk stack
bylaonap166
 
PDF
Phân tích mã độc cơ bản - báo cáo thực tập
byPhạm Trung Đức
 
PDF
Bài giảng an toàn ứng dụng web và csdl PTIT
byNguynMinh294
 
PPTX
Slide An toàn mạng nâng cao PTIT
byNguynMinh294
 
PDF
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
bynataliej4
 
PPTX
Introduction to path traversal attack
byPrashant Hegde
 
PDF
Node.js căn bản
byTechMaster Vietnam
 
Đồ án Nghiên cứu về hệ thống giám sát mạng sử dụng phần mềm nguồn mở Zabbix
bylamluanvan.net Hỗ trợ viết luận văn
 
Hệ thống quản lý và phân tích log tập trung elk stack
bylaonap166
 
Phân tích mã độc cơ bản - báo cáo thực tập
byPhạm Trung Đức
 
Bài giảng an toàn ứng dụng web và csdl PTIT
byNguynMinh294
 
Slide An toàn mạng nâng cao PTIT
byNguynMinh294
 
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
bynataliej4
 
Introduction to path traversal attack
byPrashant Hegde
 
Node.js căn bản
byTechMaster Vietnam
 

What's hot

PDF
1.mysql disk io 모니터링 및 분석사례
byI Goo Lee
 
PDF
Amazon Inspector v2で脆弱性管理を始めてみた
bycluclu_land
 
PDF
Super Easy Memory Forensics
byIIJ
 
DOC
Đề tài: Nghiên cứu Hệ thống Honeypots và Honeynet nhằm nghiên cứu một số kỹ t...
byViết thuê trọn gói ZALO 0934573149
 
PPT
Alfresco hệ quản lý nội dung doanh nghiệp nguồn mở
byHọc Huỳnh Bá
 
PDF
Open vSwitch 패킷 처리 구조
bySeung-Hoon Baek
 
PDF
DevSecOps
bySpv Reddy
 
PDF
Zabbix Performance Tuning
byRicardo Santos
 
PDF
RocksDB Performance and Reliability Practices
byYoshinori Matsunobu
 
PDF
NGINX ADC: Basics and Best Practices
byNGINX, Inc.
 
DOC
Nghiên cứu một số hình thức tấn công website phổ biến và các giải pháp phòng ...
byThịt Xốt Cà Chua
 
PDF
Automating Network Infrastructure : Ansible
byBangladesh Network Operators Group
 
PPTX
Intro to Pentesting Jenkins
byBrian Hysell
 
PPTX
Slide Báo Cáo Đồ Án Tốt Nghiệp CNTT
byHiệu Nguyễn
 
PDF
Room 1 - 2 - Nguyễn Văn Thắng & Dzung Nguyen - Proxmox VE và ZFS over iscsi
byVietnam Open Infrastructure User Group
 
PDF
Đề tài: Xây dựng phần mềm quản lý nhà hàng ăn uống
byDịch Vụ Viết Thuê Khóa Luận Zalo/Telegram 0917193864
 
PDF
MindMap - Forensics Windows Registry Cheat Sheet
byJuan F. Padilla
 
DOCX
Đồ án kiểm thử phần mềm
byNguyễn Anh
 
PDF
Apache NiFi Record Processing
byBryan Bende
 
PDF
Bài gảng cơ sở an toàn thông tin PTIT
byNguynMinh294
 
1.mysql disk io 모니터링 및 분석사례
byI Goo Lee
 
Amazon Inspector v2で脆弱性管理を始めてみた
bycluclu_land
 
Super Easy Memory Forensics
byIIJ
 
Đề tài: Nghiên cứu Hệ thống Honeypots và Honeynet nhằm nghiên cứu một số kỹ t...
byViết thuê trọn gói ZALO 0934573149
 
Alfresco hệ quản lý nội dung doanh nghiệp nguồn mở
byHọc Huỳnh Bá
 
Open vSwitch 패킷 처리 구조
bySeung-Hoon Baek
 
DevSecOps
bySpv Reddy
 
Zabbix Performance Tuning
byRicardo Santos
 
RocksDB Performance and Reliability Practices
byYoshinori Matsunobu
 
NGINX ADC: Basics and Best Practices
byNGINX, Inc.
 
Nghiên cứu một số hình thức tấn công website phổ biến và các giải pháp phòng ...
byThịt Xốt Cà Chua
 
Automating Network Infrastructure : Ansible
byBangladesh Network Operators Group
 
Intro to Pentesting Jenkins
byBrian Hysell
 
Slide Báo Cáo Đồ Án Tốt Nghiệp CNTT
byHiệu Nguyễn
 
Room 1 - 2 - Nguyễn Văn Thắng & Dzung Nguyen - Proxmox VE và ZFS over iscsi
byVietnam Open Infrastructure User Group
 
Đề tài: Xây dựng phần mềm quản lý nhà hàng ăn uống
byDịch Vụ Viết Thuê Khóa Luận Zalo/Telegram 0917193864
 
MindMap - Forensics Windows Registry Cheat Sheet
byJuan F. Padilla
 
Đồ án kiểm thử phần mềm
byNguyễn Anh
 
Apache NiFi Record Processing
byBryan Bende
 
Bài gảng cơ sở an toàn thông tin PTIT
byNguynMinh294
 

Viewers also liked

PPT
use case point estimation
byعبدالغني الهجار
 
PPTX
Fortify dev ops (002)
byMadhavan Marimuthu
 
PPTX
Hp Fortify Pillar
byEd Wong
 
PDF
[아꿈사/110514] 멀티코어cpu이야기 시작발표
bysung ki choi
 
PPTX
프로그래머가 몰랐던 멀티코어 CPU 이야기 13, 14장
bySukYun Yoon
 
PPTX
Poster Analysis Source Code
bykirstysals
 
PPTX
Hp Fortify Cloud Application Security
byEd Wong
 
PPTX
Hp fortify source code analyzer(sca)
byNagaraju Repala
 
PPTX
Fortify - Source Code Analyzer
byn|u - The Open Security Community
 
PPTX
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
byAhmed Al Enizi
 
PPTX
Ensure Software Security already during development
byIT Weekend
 
PDF
시즌 2: 멀티쓰레드 프로그래밍이 왜이리 힘드나요?
by내훈 정
 
use case point estimation
byعبدالغني الهجار
 
Fortify dev ops (002)
byMadhavan Marimuthu
 
Hp Fortify Pillar
byEd Wong
 
[아꿈사/110514] 멀티코어cpu이야기 시작발표
bysung ki choi
 
프로그래머가 몰랐던 멀티코어 CPU 이야기 13, 14장
bySukYun Yoon
 
Poster Analysis Source Code
bykirstysals
 
Hp Fortify Cloud Application Security
byEd Wong
 
Hp fortify source code analyzer(sca)
byNagaraju Repala
 
Fortify - Source Code Analyzer
byn|u - The Open Security Community
 
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
byAhmed Al Enizi
 
Ensure Software Security already during development
byIT Weekend
 
시즌 2: 멀티쓰레드 프로그래밍이 왜이리 힘드나요?
by내훈 정
 

Similar to Source Code Scanners

PPTX
Static Code Analysis
byGeneva, Switzerland
 
PPTX
Static Code Analysis
byObika Gellineau
 
PPTX
Top 10 static code analysis tool
byscmGalaxy Inc
 
PPTX
Static code analysis
bymashaathukorala
 
PPTX
Static code analysis
byRushana Bandara
 
PDF
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
byIJNSA Journal
 
PDF
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
byDenim Group
 
PDF
Implementing Secure DevOps on Public Cloud Platforms
byGaurav "GP" Pal
 
PDF
Standardizing Source Code Security Audits
byijseajournal
 
PDF
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
byIJNSA Journal
 
PPTX
Software engineering practices and software quality empirical research results
byNikolai Avteniev
 
PDF
Code Forensics
byDiego Pacheco
 
PPTX
Static Analysis Primer
byCoverity
 
PDF
Secure Programming With Static Analysis
byConSanFrancisco123
 
PDF
[Europe merge world tour] Coverity Development Testing
byPerforce
 
PDF
Videos about static code analysis
byPVS-Studio
 
PPT
Good Security Starts with Software Assurance - Software Assurance Market Plac...
byPhil Agcaoili
 
PPT
4.Security Assessment And Testing
byphanleson
 
PPT
Improving Development Productivity: Static Analysis and Continuous Integration
byKlocwork
 
PPTX
Secure Code review - Veracode SaaS Platform - Saudi Green Method
bySalil Kumar Subramony
 
Static Code Analysis
byGeneva, Switzerland
 
Static Code Analysis
byObika Gellineau
 
Top 10 static code analysis tool
byscmGalaxy Inc
 
Static code analysis
bymashaathukorala
 
Static code analysis
byRushana Bandara
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
byIJNSA Journal
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
byDenim Group
 
Implementing Secure DevOps on Public Cloud Platforms
byGaurav "GP" Pal
 
Standardizing Source Code Security Audits
byijseajournal
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
byIJNSA Journal
 
Software engineering practices and software quality empirical research results
byNikolai Avteniev
 
Code Forensics
byDiego Pacheco
 
Static Analysis Primer
byCoverity
 
Secure Programming With Static Analysis
byConSanFrancisco123
 
[Europe merge world tour] Coverity Development Testing
byPerforce
 
Videos about static code analysis
byPVS-Studio
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
byPhil Agcaoili
 
4.Security Assessment And Testing
byphanleson
 
Improving Development Productivity: Static Analysis and Continuous Integration
byKlocwork
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
bySalil Kumar Subramony
 

More from Pawel Krawczyk

PPTX
Top DevOps Security Failures
byPawel Krawczyk
 
PPTX
Authenticity and usability
byPawel Krawczyk
 
ODP
Reading Geek Night 2019
byPawel Krawczyk
 
ODP
Effective DevSecOps
byPawel Krawczyk
 
PPTX
Unicode the hero or villain
byPawel Krawczyk
 
ODP
Get rid of TLS certificates - using IPSec for large scale cloud protection
byPawel Krawczyk
 
PPTX
Presentation from CyberGov.pl 2015
byPawel Krawczyk
 
PDF
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
byPawel Krawczyk
 
PDF
Leszek Miś "Czy twoj WAF to potrafi"
byPawel Krawczyk
 
PPTX
Paweł Krawczyk - Ekonomia bezpieczeństwa
byPawel Krawczyk
 
PPTX
Are electronic signature assumptions realistic
byPawel Krawczyk
 
PPTX
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
byPawel Krawczyk
 
PPTX
Filtrowanie sieci - Panoptykon
byPawel Krawczyk
 
PPTX
Pragmatic view on Electronic Signature directive 1999 93
byPawel Krawczyk
 
PPTX
Why care about application security
byPawel Krawczyk
 
PDF
Krawczyk Ekonomia Bezpieczenstwa 2
byPawel Krawczyk
 
PDF
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
byPawel Krawczyk
 
ODP
Kryptografia i mechanizmy bezpieczenstwa
byPawel Krawczyk
 
ODP
Zaufanie W Systemach Informatycznych
byPawel Krawczyk
 
PPT
Real Life Information Security
byPawel Krawczyk
 
Top DevOps Security Failures
byPawel Krawczyk
 
Authenticity and usability
byPawel Krawczyk
 
Reading Geek Night 2019
byPawel Krawczyk
 
Effective DevSecOps
byPawel Krawczyk
 
Unicode the hero or villain
byPawel Krawczyk
 
Get rid of TLS certificates - using IPSec for large scale cloud protection
byPawel Krawczyk
 
Presentation from CyberGov.pl 2015
byPawel Krawczyk
 
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
byPawel Krawczyk
 
Leszek Miś "Czy twoj WAF to potrafi"
byPawel Krawczyk
 
Paweł Krawczyk - Ekonomia bezpieczeństwa
byPawel Krawczyk
 
Are electronic signature assumptions realistic
byPawel Krawczyk
 
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
byPawel Krawczyk
 
Filtrowanie sieci - Panoptykon
byPawel Krawczyk
 
Pragmatic view on Electronic Signature directive 1999 93
byPawel Krawczyk
 
Why care about application security
byPawel Krawczyk
 
Krawczyk Ekonomia Bezpieczenstwa 2
byPawel Krawczyk
 
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
byPawel Krawczyk
 
Kryptografia i mechanizmy bezpieczenstwa
byPawel Krawczyk
 
Zaufanie W Systemach Informatycznych
byPawel Krawczyk
 
Real Life Information Security
byPawel Krawczyk
 

Recently uploaded

PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 

Source Code Scanners

  • 1.
    Source code analysistools Paweł Krawczyk
  • 2.
    „ Static analysisis great for catching common errors early ” Brian Chess (Fortify)
  • 3.
    Source code analysisWhy? Visibility limitations of blackbox testing Insight not only into what is implemented but also how Timing Blackbox needs working product Code analysis can start with single line of code Risks What you see is not always what ends up on the server
  • 4.
    Why find bugsearly? Applied Software Measurement , Capers Jones, 1996 Building Security Into The Software Life Cycle , Marco M. Morana, 2006 Early code audit
  • 5.
    Why find bugsearly? Applied Software Measurement , Capers Jones, 1996 Building Security Into The Software Life Cycle , Marco M. Morana, 2006 Pentest Late code audit
  • 6.
    Source code scannersWhy? Manual testing is time consuming Manual testing is not easily standardised Human factor of manual testing Automated scanning Repeatable, standardised Better automated than none
  • 7.
    SCA in ASVSOWASP Application Security Verification Standard (ASVS) Level 1B: Source code scan – partial automated verfication Level 2B: Code review – partial manual verification
  • 8.
    Tested free toolsYasca OWASP Code Crawler FxCop CAT.NET Agnitio
  • 9.
    Yasca requirements PHPhttp://www.php.net/ JRE 1.6.x from SDS or http://java.sun.com/
  • 10.
    Installation Download mainYasca package yasca-2.1.zip http://sourceforge.net/projects/yasca/files/ Download plugins yasca-2.1-something.zip
  • 11.
    Installation #2 Unpackyasca-2.1.zip No installer Any destination Runs directly from that directory Unpack plugins to a dedicated directory c:\static-analyzers Set environment variable SA_HOME SA_HOME=c:\static-analyzers\
  • 12.
  • 13.
  • 14.
    Yasca performance Realapplication Java and JSP source code 17 MB uncompressed 2500 files 200 subdirectories Network share (LAN) Run time ~10 minutes
  • 15.
  • 16.
    Troubleshooting Official manualhttp://www.yasca.org/h/documentation/ Issues noticed PMD crashing sometimes How to limit large number of irrelevant issues?
  • 17.
  • 18.
    Features Version 2.5.1Supports C# and Java
  • 19.
    Requirements .NET Framework3.5 Visual Studio 2008 Works with VS 2010 Beta
  • 20.
  • 21.
    Issues Trivial detectionrules „ sha” in „shared” triggers „weak crypto” alert Work on one file at a time
  • 22.
  • 23.
    Features .NET onlyWorks on .NET assemblies EXE, DLL Needs full project with debug binaries Tested 1.36
  • 24.
  • 25.
  • 26.
    Features .NET onlyRequires .NET Framework 4.0 Requires Visual Studio 2005 Works with VS 2010 Beta Tested version 2.0 Requires unstripped PDB files Requires experience with .NET
  • 27.
    Running C:\Program Files\MicrosoftInformation Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /file:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\bin\Debug\Employee Managemet System.exe" /confi gdir:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet Syste m\Properties"
  • 28.
  • 29.
    Agnitio Audit management& reporting tool Record basic application information Build your own checklist „ Has a centeralized whitelist approach to input validation been implemented?” Find evidence in source code Answer Yes/No Did not really work for me Issues with saving apps, validating fields
  • 30.
  • 31.
    Commercial Ounce nowIBM Rational AppScan Source Edition Veracode SaaS model – upload your code, automated and manually assisted Fortify 360 Source Code Analyzer Checkmarx CxAudit Klocwork
  • 32.
    Questions? http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis IBM:„ 11 proven practices for more effective, efficient peer code review ” http ://ibm.co/eszW1V