Static Code Analysis

Find your bugs before someone else does!

Published in: Technology

Source Code: Find your bugs before someone else does!
by Thomas Hofer

About me…
- Thomas Hofer
- Consultant (blue-infinity, Geneva)
- Skills:
  - Static analysis
  - Solution architecture
  - Software engineering (Java, Rails, PHP)

Outline
Simple means to improve your code quality!
- Introduction
  - Motivation
  - Static source code analyzers
- Recommendations
  - Our criteria
  - Selected tools
- Additional information

Reasons for this research
- CERN is a prized target
  - Renowned
  - Internet Exchange Point
- However: any website could be targeted!
- Potentially undesirable consequences of an attack:
  - Loss of confidentiality
  - Damaged reputation
  - Loss of data

Security: when to care about it?
- Creating / managing: documents, web pages, hardware, services
- Development: software, web applications

Development and Security
(three build-up slides; the middle one adds static source code analysis to the list)
- Training (before)
- Static source code analysis (during and after)
- Code review (right after)
- Vulnerability scanning (after)

Security and me…
- What can YOU do about it…
- … without sacrificing your deadlines?
- Static analysis
- The earlier a bug is caught, the cheaper it is to fix!

Static source code analysis
A static source code analyzer:
- Reads your source code but…
- Won't execute or compile it (usually)!
- Looks for possible errors regarding:
  - Security
  - Reliability
  - Functionality

What can they do?
A static source code analyzer can:
- Look for known and common errors
- Sometimes suggest fixes or improvements
- Offer help in finding bugs
- Find many kinds of bugs, not only security-related ones

What can they not do?
A static source code analyzer cannot:
- 'Automagically' fix bugs
- Find all bugs: some real defects go unreported (false negatives)
- Find only bugs: some reports are not defects at all (false positives)

Our criteria / requirements
- Quick results
- Very low 'false alarms' rate
- Ease of use
- At least some results…

Overview of selected tools
- Perl: Perl::Critic, RATS
- Java: FindBugs, CodePro AnalytiX
- PHP: Pixy, RATS
- C / C++: Flawfinder, RATS, Coverity
- Python: RATS, pychecker, pylint

Flawfinder
- C / C++
- Freeware / Unix
- Calls to commonly misused functions…
- http://cern.ch/security/recommendations/en/codetools/flawfinder.shtml

FindBugs
- Java
- Freeware / Eclipse plugin
- Very flexible, ability to define custom rules…
- http://cern.ch/security/recommendations/en/codetools/findbugs.shtml

CodePro AnalytiX
- Java
- Freeware / Google Web Toolkit
- As flexible as FindBugs, also the ability to define your own rules
- http://code.google.com/javadevtools/codepro/doc/index.html

Perl::Critic
- Perl
- Freeware / Unix, Perl module
- Best practices: style and security
- Demo
- http://cern.ch/security/recommendations/en/codetools/perl_critic.shtml

Pixy
- PHP
- Freeware / Unix
- XSS & SQLi
- http://cern.ch/security/recommendations/en/codetools/pixy.shtml

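The kind of check Pixy performs, taint tracking from attacker-controlled input to a dangerous sink, reduced to a few dozen lines as an added example. This is not Pixy's code, and Pixy's real analysis is far more thorough: the parser below understands one straight-line PHP statement per line, and the source, sanitizer and sink tables are assumptions made for the example. The constructed PHP fragment mixes sanitized and unsanitized flows, including the classic mistake of treating an XSS sanitizer as an SQL one:

```python
import re
from collections import namedtuple

# Constructed PHP fragment for this example (not Pixy's test data); one
# statement per line, which is all this toy parser understands.
SAMPLE_PHP = """\
<?php
$id   = $_GET['id'];
$name = $_POST['name'];
$safe = intval($id);
$q1   = "SELECT * FROM users WHERE id = " . $safe;
$q2   = "SELECT * FROM users WHERE name = '" . $name . "'";
mysql_query($q1);
mysql_query($q2);
$esc  = htmlspecialchars($name);
echo $esc;
echo $name;
mysql_query("SELECT 1 FROM users WHERE name = '" . $esc . "'");
"""

ALL = frozenset({"xss", "sqli"})
# Attacker-controlled superglobals (assumed list).
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
# Which vulnerability class each sanitizer neutralises (assumed, simplified).
SANITIZERS = {
    "intval": ALL,
    "htmlspecialchars": frozenset({"xss"}),
    "mysql_real_escape_string": frozenset({"sqli"}),
}
# Sinks and the class of bug a tainted argument produces there (assumed list).
SINKS = {"mysql_query": "sqli", "echo": "xss", "print": "xss"}

VAR_RE = re.compile(r"\$\w+")
CALL_RE = re.compile(r"^(\w+)\((.*)\)$")
ASSIGN_RE = re.compile(r"^(\$\w+)\s*=\s*(.+);$")
ECHO_RE = re.compile(r"^(echo|print)\s+(.+);$")
STMT_CALL_RE = re.compile(r"^(\w+)\s*\((.*)\);$")

Finding = namedtuple("Finding", "line kind sink")


def taint_of(expr, env):
    """Set of vulnerability classes an expression is still tainted for."""
    expr = expr.strip()
    m = CALL_RE.match(expr)
    if m and m.group(1) in SANITIZERS:
        # A sanitizer only removes the classes it is good for.
        return taint_of(m.group(2), env) - SANITIZERS[m.group(1)]
    taint = set()
    for var in VAR_RE.findall(expr):
        # Sources are fully tainted; other variables carry whatever flowed in.
        taint |= ALL if var in SOURCES else env.get(var, set())
    return taint


def analyze(php):
    """Straight-line taint propagation; returns one Finding per tainted sink."""
    env, findings = {}, []
    for no, raw in enumerate(php.splitlines(), 1):
        line = raw.strip()
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = taint_of(m.group(2), env)
            continue
        m = ECHO_RE.match(line) or STMT_CALL_RE.match(line)
        if m:
            kind = SINKS.get(m.group(1))
            if kind and kind in taint_of(m.group(2), env):
                findings.append(Finding(no, kind, m.group(1)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PHP):
        print(f"line {f.line}: {f.kind} via {f.sink}()")
```

Three findings come out: the name-based query, the raw echo, and the query built from the htmlspecialchars() output, since that call clears the XSS class but not the SQL one. Everything this toy cannot see is a false negative: a tainted value passed through a user-defined function, stored in an array, or reaching the sink on only one branch, which is the gap "What can they not do?" describes.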
RATS
- C / C++ / Perl, and (partially) Python, PHP
- Freeware
- Calls to commonly misused functions
- http://cern.ch/security/recommendations/en/codetools/rats.shtml

What else?
- 'Ok, now that I have used this tool, I should be safe…'
- Tools are not enough!
- Even the best tool will miss the most sophisticated errors
- Sensitive projects should be reviewed 'manually' by experts

A Fool with a Tool is still a Fool!
- 'A fool with a tool is still a fool!', D. Wheeler
- The code excerpt below was found in RealPlayer, in 2005 (CVE-2005-0455). Both lines carry a suppression comment, so Flawfinder, which would otherwise have flagged the fixed-size buffer and the unbounded strcpy into it, stayed silent:

    char tmp[256];              /* Flawfinder: ignore */
    strcpy(tmp, pScreenSize);   /* Flawfinder: ignore */

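What a lexical scanner like Flawfinder or RATS actually does (the "Static source code analysis" and "What can they do / not do?" slides), and how the two comments above defeat it, as an added example. This is not Flawfinder's code: the rule table, the risk levels and the constructed C input are this example's own assumptions. The scanner strips string literals and comments before matching, so a strcpy mentioned in a comment is not reported; it then scans the same input with suppressions honoured, with them disregarded, and audits for markers that give no reason:

```python
import re
from dataclasses import dataclass

# Constructed C input for this example (not RealPlayer's source). It embeds the
# two lines quoted on the slide, a variant that checks the length first, and an
# unchecked memcpy whose length comes from outside.
SAMPLE_C = """\
#include <string.h>

void copy_silenced(const char *pScreenSize) {
    char tmp[256]; /* Flawfinder: ignore */
    strcpy(tmp, pScreenSize); /* Flawfinder: ignore */
}

void copy_checked(const char *pScreenSize) {
    char tmp[256];
    if (strlen(pScreenSize) >= sizeof tmp)
        return;
    strcpy(tmp, pScreenSize); /* Flawfinder: ignore -- length checked above */
}

void copy_untrusted(char *dst, const char *src, size_t n) {
    memcpy(dst, src, n);   /* n comes from the network */
}
/* strcpy mentioned in a comment must not be reported */
"""

# Rule table in the spirit of Flawfinder's database; the levels and advice
# are this example's assumptions, not Flawfinder's exact values.
RULES = {
    "gets":    (5, "reads unbounded input; use fgets"),
    "strcpy":  (4, "no bounds check; prove strlen(src) < sizeof dst or use snprintf"),
    "strcat":  (4, "no bounds check; use snprintf or strlcat"),
    "sprintf": (4, "no bounds check; use snprintf"),
    "memcpy":  (2, "safe only if the length argument is trusted; check its origin"),
    "strncpy": (1, "does not NUL-terminate when src is too long"),
    "char[]":  (2, "fixed-size stack buffer; every write into it needs a bound"),
}
CALL_FUNCS = [name for name in RULES if name != "char[]"]
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, CALL_FUNCS)) + r")\s*\(")
BUFFER_RE = re.compile(r"\bchar\s+\w+\s*\[\s*\d+\s*\]")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/")
LINE_COMMENT_RE = re.compile(r"//.*")
IGNORE_RE = re.compile(r"/\*\s*Flawfinder\s*:\s*ignore(?P<why>[^*]*)\*/")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    level: int
    advice: str


def _code_only(line):
    """Drop string literals and comments so only real code is matched."""
    line = STRING_RE.sub('""', line)
    line = BLOCK_COMMENT_RE.sub(" ", line)
    return LINE_COMMENT_RE.sub("", line)


def scan(source, honor_ignore=True, min_level=0):
    """Report risky constructs, optionally obeying 'Flawfinder: ignore' markers."""
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        if honor_ignore and IGNORE_RE.search(raw):
            continue            # the developer told the tool to look away
        code = _code_only(raw)
        hits = [m.group(1) for m in CALL_RE.finditer(code)]
        if BUFFER_RE.search(code):
            hits.append("char[]")
        for rule in hits:
            level, advice = RULES[rule]
            if level >= min_level:
                findings.append(Finding(no, rule, level, advice))
    return findings


def unjustified_ignores(source):
    """Lines whose 'Flawfinder: ignore' marker gives no reason: audit these first."""
    return [no for no, raw in enumerate(source.splitlines(), 1)
            for m in IGNORE_RE.finditer(raw) if not m.group("why").strip()]


if __name__ == "__main__":
    print("Suppressions honoured (what a blanket ignore hides):")
    for f in scan(SAMPLE_C):
        print(f"  line {f.line}: {f.rule} [level {f.level}] {f.advice}")
    print("Suppressions disregarded (flawfinder --neverignore does the same):")
    for f in scan(SAMPLE_C, honor_ignore=False):
        print(f"  line {f.line}: {f.rule} [level {f.level}] {f.advice}")
    print("Ignore markers with no justification:", unjustified_ignores(SAMPLE_C))
```

With suppressions honoured the two quoted lines vanish from the report, which is exactly what happened in the RealPlayer case; the checked copy is suppressed too, but its marker records why, so a reviewer can verify the claim. A useful policy for a sensitive code base is to run the scanner with suppressions disregarded from time to time (Flawfinder's own --neverignore option does this) and to treat every marker without a reason as a finding in its own right.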
Further information
- http://cern.ch/security/recommendations/en/code_tools.shtml
  - Presentation of the tools
  - Installation, configuration and usage advice
  - Explanation of some common errors
  - Advice for developing more secure software

Thank you!
To contact me: thomas.hofer@b-i.com
