Static Code Analysis


Find your bugs before someone else does!

Published in: Technology

  1. Source Code: Find your bugs before someone else does! by Thomas Hofer
  2. About me…
       • Thomas Hofer
       • Consultant (blue-infinity, Geneva)
       • Skills:
           • Static analysis
           • Solution architecture
           • Software Engineering (Java – Rails – PHP)
  3. Outline
       • Simple means to improve your code quality!
       • Introduction
       • Motivation
       • Static Source Code Analyzers
       • Recommendations
       • Our criteria
       • Selected tools
       • Additional Information
  4. Reasons for this research
       • CERN is a prized target
           • Renowned
           • Internet Exchange Point
       • However: Any website could be targeted!
       • Potentially undesirable consequences of an attack:
           • Loss of confidentiality
           • Damaged reputation
           • Loss of data
  5. Security: when to care about it?
       • Creating / Managing
       • Documents
       • Web Pages
       • Hardware
       • Services
       • Development
       • Software
       • Web Applications
  6. Development and Security
       • Training (before)
       • Code review (right after)
       • Vulnerability scanning (after)
  7. Development and Security
       • Training (before)
       • Static source code analysis (during and after)
       • Code review (right after)
       • Vulnerability scanning (after)
  8. Development and Security
       • Training (before)
       • Code review (right after)
       • Vulnerability scanning (after)
  9. Security and me…
       • What can YOU do about it…
       • … without sacrificing your deadlines?
       • Static Analysis
       • The earlier a bug is caught, the cheaper it is to fix!
  10. Static source code analysis
       • A static source code analyzer:
           • Reads your source code but…
           • Won’t execute or compile it (usually)!
           • Looks for possible errors regarding
               • Security
               • Reliability
               • Functionality
  11. What can they do?
       • A static source code analyzer can:
           • Look for known and common errors
           • Sometimes suggest fixes or improvements
           • Offer help in finding bugs
           • Find many kinds of bugs, not only security related
  12. What can they not do?
       • A static source code analyzer cannot:
           • ‘Automagically’ fix bugs
           • Find all bugs (i.e. false negatives)
           • Find only bugs (i.e. false positives)
  13. Our criteria / requirements
       • Quick results
       • Very low ‘false alarms’ rate
       • Ease of use
       • At least some results…
  14. Overview of selected tools
       • Perl
           • Perl::Critic
           • RATS
       • Java
           • FindBugs
           • CodePro Analyser
       • PHP
           • Pixy
           • RATS
       • C / C++
           • Flawfinder
           • RATS
           • Coverity
       • Python
           • RATS
           • pychecker
           • pylint
  15. Flawfinder
       • C / C++
       • Freeware / Unix
       • Calls to commonly misused functions…
  16. FindBugs
       • Java
       • Freeware / Eclipse plugin
       • Very flexible, ability to define custom rules…
  17.
  18. CodePro Analytix
       • Java
       • Freeware / Google Web Toolkit
       • As flexible as FindBugs, also ability to define your own rules
  19. Perl::Critic
       • Perl
       • Freeware / Unix – Perl module
       • Best Practices: style and security
       • Demo
  20. Pixy
       • PHP
       • Freeware / Unix
       • XSS & SQLi
  21. RATS
       • C / C++ / Perl, (and, partially) Python, PHP
       • Freeware
       • Calls to commonly misused functions
  22. What else?
       • ‘Ok, now that I have used this tool, I should be safe…’
       • Tools are not enough!
       • Even the best tool will miss the most sophisticated errors
       • Sensitive projects should be reviewed ‘manually’ by experts
  23. A Fool with a Tool is still a Fool!
       • ‘A fool with a tool is still a fool!’, D. Wheeler
       • The code excerpt below was found in RealPlayer, in 2005. (CVE-2005-0455)

           char tmp[256]; /* Flawfinder: ignore */
           strcpy(tmp, pScreenSize); /* Flawfinder: ignore */

  24. Further information
       • Presentation of the tools
       • Installation, configuration and usage advice
       • Explanation of some common errors
       • Advice for developing securer software
  25. Thank you!
       • To contact me:
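
An added example, not part of the original slides and not code from any of the tools listed: a minimal lexical checker of the "calls to commonly misused functions" kind that the Flawfinder and RATS slides describe, which also lists every finding hidden by an ignore marker like the one in the RealPlayer excerpt, so that suppressed lines get a manual review. The rule list, the regular expressions and the names `scan` and `SAMPLE` are assumptions of this sketch, and it only understands comments that start and end on one line.

```python
import re

# Assumed rule set for this sketch: a few commonly misused C functions.
RISKY_CALLS = ("strcpy", "strcat", "sprintf", "gets")
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
# Suppression marker as in the slide's excerpt; spaces around ':' are optional.
IGNORE_RE = re.compile(r"/\*\s*Flawfinder\s*:\s*ignore\s*\*/", re.IGNORECASE)
COMMENT_RE = re.compile(r"/\*.*?\*/")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def scan(source):
    """Return (findings, suppressed), each a list of (line_no, function).

    findings   -> risky calls that are reported normally
    suppressed -> risky calls on a line carrying an ignore marker; the tool
                  would stay silent, so a human reviewer has to look at them
    """
    findings, suppressed = [], []
    for line_no, line in enumerate(source.splitlines(), start=1):
        has_marker = bool(IGNORE_RE.search(line))
        # Drop comments and string literals so that text such as "strcpy("
        # inside a message or a comment is not reported as a call.
        code = STRING_RE.sub('""', COMMENT_RE.sub(" ", line))
        for match in CALL_RE.finditer(code):
            target = suppressed if has_marker else findings
            target.append((line_no, match.group(1)))
    return findings, suppressed


# Lines 1-2: the excerpt quoted on the slide (whitespace normalised).
# Lines 3-4: constructed for this example.
SAMPLE = '''\
char tmp[256]; /* Flawfinder: ignore */
strcpy(tmp, pScreenSize); /* Flawfinder: ignore */
puts("never call strcpy() here"); /* constructed line */
strcat(tmp, suffix); /* constructed line */
'''

if __name__ == "__main__":
    found, hidden = scan(SAMPLE)
    for line_no, name in found:
        print(f"line {line_no}: call to {name}()")
    for line_no, name in hidden:
        print(f"line {line_no}: SUPPRESSED call to {name}(), review manually")
```

Flawfinder itself has a `--neverignore` option that reports hits even when an ignore directive is present, which serves the same review purpose on a real code base.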