Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Source Code Scanners


Published on

Overview of tools for static code security analysis, with special focus on Yasca. See for more details.

Published in: Technology
  • Be the first to comment

Source Code Scanners

  1. 1. Source code analysis tools Paweł Krawczyk
  2. 2. „ Static analysis is great for catching common errors early ” Brian Chess (Fortify)
  3. 3. Source code analysis <ul><li>Why? </li></ul><ul><ul><li>Visibility limitations of blackbox testing </li></ul></ul><ul><ul><li>Insight not only into what is implemented but also how </li></ul></ul><ul><ul><li>Timing </li></ul></ul><ul><ul><ul><li>Blackbox needs working product </li></ul></ul></ul><ul><ul><ul><li>Code analysis can start with single line of code </li></ul></ul></ul><ul><li>Risks </li></ul><ul><ul><li>What you see is not always what ends up on the server </li></ul></ul>
  4. 4. Why find bugs early? Applied Software Measurement , Capers Jones, 1996 Building Security Into The Software Life Cycle , Marco M. Morana, 2006 Early code audit
  5. 5. Why find bugs early? Applied Software Measurement , Capers Jones, 1996 Building Security Into The Software Life Cycle , Marco M. Morana, 2006 Pentest Late code audit
  6. 6. Source code scanners <ul><li>Why? </li></ul><ul><ul><li>Manual testing is time consuming </li></ul></ul><ul><ul><li>Manual testing is not easily standardised </li></ul></ul><ul><ul><li>Human factor of manual testing </li></ul></ul><ul><li>Automated scanning </li></ul><ul><ul><li>Repeatable, standardised </li></ul></ul><ul><ul><li>Better automated than none </li></ul></ul>
  7. 7. SCA in ASVS <ul><li>OWASP Application Security Verification Standard (ASVS) </li></ul><ul><ul><li>Level 1B: Source code scan – partial automated verfication </li></ul></ul><ul><ul><li>Level 2B: Code review – partial manual verification </li></ul></ul>
  8. 8. Tested free tools <ul><li>Yasca </li></ul><ul><li>OWASP Code Crawler </li></ul><ul><li>FxCop </li></ul><ul><li>CAT.NET </li></ul><ul><li>Agnitio </li></ul>
  9. 9. Yasca requirements <ul><li>PHP </li></ul><ul><ul><li> </li></ul></ul><ul><li>JRE </li></ul><ul><ul><li>1.6.x from SDS or </li></ul></ul>
  10. 10. Installation <ul><li>Download main Yasca package </li></ul><ul><ul><li> </li></ul></ul><ul><ul><li> </li></ul></ul><ul><li>Download plugins </li></ul><ul><ul><li> </li></ul></ul>
  11. 11. Installation #2 <ul><li>Unpack </li></ul><ul><ul><li>No installer </li></ul></ul><ul><ul><li>Any destination </li></ul></ul><ul><ul><li>Runs directly from that directory </li></ul></ul><ul><li>Unpack plugins to a dedicated directory </li></ul><ul><ul><li>c:static-analyzers </li></ul></ul><ul><li>Set environment variable SA_HOME </li></ul><ul><ul><li>SA_HOME=c:static-analyzers </li></ul></ul>
  12. 12. Running Yasca
  13. 13. Running Yasca
  14. 14. Yasca performance <ul><li>Real application </li></ul><ul><ul><li>Java and JSP source code </li></ul></ul><ul><ul><li>17 MB uncompressed </li></ul></ul><ul><ul><li>2500 files </li></ul></ul><ul><ul><li>200 subdirectories </li></ul></ul><ul><ul><li>Network share (LAN) </li></ul></ul><ul><li>Run time ~10 minutes </li></ul>
  15. 15. Yasca reporting
  16. 16. Troubleshooting <ul><li>Official manual </li></ul><ul><ul><li> </li></ul></ul><ul><li>Issues noticed </li></ul><ul><ul><li>PMD crashing sometimes </li></ul></ul><ul><ul><li>How to limit large number of irrelevant issues? </li></ul></ul>
  17. 17. OWASP Code Crawler
  18. 18. Features <ul><li>Version 2.5.1 </li></ul><ul><li>Supports C# and Java </li></ul>
  19. 19. Requirements <ul><li>.NET Framework 3.5 </li></ul><ul><li>Visual Studio 2008 </li></ul><ul><ul><li>Works with VS 2010 Beta </li></ul></ul>
  20. 20. Results
  21. 21. Issues <ul><li>Trivial detection rules </li></ul><ul><ul><li>„ sha” in „shared” triggers „weak crypto” alert </li></ul></ul><ul><li>Work on one file at a time </li></ul>
  22. 22. Microsoft FxCop
  23. 23. Features <ul><li>.NET only </li></ul><ul><li>Works on .NET assemblies </li></ul><ul><ul><li>EXE, DLL </li></ul></ul><ul><li>Needs full project with debug binaries </li></ul><ul><li>Tested 1.36 </li></ul>
  24. 24. Results
  25. 25. Microsoft CAT.NET
  26. 26. Features <ul><li>.NET only </li></ul><ul><li>Requires .NET Framework 4.0 </li></ul><ul><li>Requires Visual Studio 2005 </li></ul><ul><ul><li>Works with VS 2010 Beta </li></ul></ul><ul><li>Tested version 2.0 </li></ul><ul><li>Requires unstripped PDB files </li></ul><ul><li>Requires experience with .NET </li></ul>
  27. 27. Running <ul><li>C:Program FilesMicrosoft Information SecurityMicrosoft Code Analysis for .NET </li></ul><ul><li>(CAT.NET) v2.0>CATNetCmd.exe /file:&quot;h:PentestingExample - Employee Managemet </li></ul><ul><li>SystemEmployee Managemet SystembinDebugEmployee Managemet System.exe&quot; /confi </li></ul><ul><li>gdir:&quot;h:PentestingExample - Employee Managemet SystemEmployee Managemet Syste </li></ul><ul><li>mProperties&quot; </li></ul>
  28. 28. Results
  29. 29. Agnitio <ul><li>Audit management & reporting tool </li></ul><ul><li>Record basic application information </li></ul><ul><li>Build your own checklist </li></ul><ul><ul><li>„ Has a centeralized whitelist approach to input validation been implemented?” </li></ul></ul><ul><ul><li>Find evidence in source code </li></ul></ul><ul><ul><li>Answer Yes/No </li></ul></ul><ul><li>Did not really work for me </li></ul><ul><ul><li>Issues with saving apps, validating fields </li></ul></ul>
  30. 31. Commercial <ul><li>Ounce </li></ul><ul><ul><li>now IBM Rational AppScan Source Edition </li></ul></ul><ul><li>Veracode </li></ul><ul><ul><li>SaaS model – upload your code, automated and manually assisted </li></ul></ul><ul><li>Fortify 360 Source Code Analyzer </li></ul><ul><li>Checkmarx CxAudit </li></ul><ul><li>Klocwork </li></ul>
  31. 32. Questions? <ul><li> </li></ul><ul><li>IBM: „ 11 proven practices for more effective, efficient peer code review ” </li></ul><ul><ul><li>http :// </li></ul></ul>