RE: Fwd: Re: tools to scan source code

From: ankur jindal (ankurjn113@hotmail.com)
Date: Tue Sep 12 2006 - 20:03:49 EDT


Hey,

There are many static and dynamic analyzers, like PreFix (used at Microsoft), Metal, ESC/Java et al., which analyze the source code based on some given preconditions and postconditions.

You can google for more. They may not serve your purpose completely, but they might be something you can use together with manual code reading for improved efficiency.

Ankur

----Original Message Follows----
From: "marco@cerbtech.net" <marco@cerbtech.net>
Reply-To: marco@cerbtech.net
To: pen-test@securityfocus.com
Subject: Fwd: Re: tools to scan source code
Date: Tue, 12 Sep 2006 08:52:03 -0500

This article http://www.ouncelabs.com/secure_enterprise.html is a good start to evaluate which code scanning tool (also called static parsers) best suits your needs for the supported programming language of your choice.

My experience with using code scanning tools is that they only scratch the surface of potential security bugs in the code. They find the so-called LHF (Low Hanging Fruit).

Static parsers do not find security flaws (security defects in architecture and design) that can only be found with manual secure code reviews and secure architecture design reviews. The big value of automated code scanning is to use it as input for a deeper manual code review that is also complemented by the findings of web application pen tests.

Marco

On Mon Sep 11 5:30, 'Wahyu Wijaya H.' sent:

Hi all,

I got involved in some web application development using PHP and MySQL. I got the responsibility to check for vulnerabilities that may exist. Is there any tool that can help me? I mean any tool that could scan the entire source code to find any vulnerability, because auditing all the source code seems overwhelming to me :-) plus I am not fluent in the PHP language.

thanks a lot,

cheers...
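As an added illustration of the point made in the thread (not code from any of the posters), here is a minimal regex-based static scanner for PHP/MySQL source. It catches the "low hanging fruit" class of finding, user input flowing into mysql_query(), over a constructed PHP sample, while the design-level problem in the same sample (a DELETE with no ownership check) is invisible to it and needs a manual review.

```python
import re

# Constructed PHP sample (not from the thread). Lines 3 and 8 build queries
# from request parameters; line 6 uses a bound parameter and is not a finding.
# The DELETE on line 7 also lacks any authorization check: a design flaw that
# no pattern scanner can see, which is exactly why manual review is needed.
PHP_SAMPLE = """<?php
$id = $_GET['id'];
$r = mysql_query("SELECT * FROM users WHERE id = " . $id);
$name = $_POST['name'];
$stmt = $pdo->prepare("SELECT * FROM users WHERE name = ?");
$stmt->execute([$name]);
$q = "DELETE FROM orders WHERE id = " . $_REQUEST['oid'];
mysql_query($q);
"""

SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")   # taint sources
SINK = re.compile(r"\bmysql_query\s*\(")                   # SQL sink
ASSIGN = re.compile(r"\s*\$(\w+)\s*=\s*(.*);")             # $var = expr;


def _uses_taint(text, tainted):
    """True if the text reads a superglobal or a variable already marked tainted."""
    if SOURCES.search(text):
        return True
    return any(re.search(r"\$%s\b" % re.escape(v), text) for v in tainted)


def scan_php(src):
    """Return (line number, line) for every mysql_query() call whose argument
    derives from request input, tracked through simple intra-file assignments.
    Flow-insensitive and single-file: a typical 'LHF' static parser."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if _uses_taint(rhs, tainted):
                tainted.add(var)      # propagate taint to the assigned variable
            else:
                tainted.discard(var)  # clean reassignment clears the mark
        if SINK.search(line) and _uses_taint(line, tainted):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, text in scan_php(PHP_SAMPLE):
        print("line %d: request data reaches mysql_query(): %s" % (lineno, text))
```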

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT