Re: tools to scan source code

From: Wahyu Wijaya H. (wahyu.w.h@gmail.com)
Date: Wed Sep 13 2006 - 09:33:47 EDT


I've been evaluating SWAAT and it adequately meets my needs. It
suggests 1 high severity, 324 medium severity, and 5 low severity findings from
the web-app. :)

It's still telling me to audit manually... but at least I know where to
start and it really saves my time... so, it seems like I have to stay out
of bed to enter the PHP world :) --just kidding--

I haven't tried RATS, but I will try it soon.

"automated tools don't substitute humans anytime of the day".. Kish,
you're absolutely right.. but gathering a pen-test team is quite hard
in our situation now, the project owner is a little strict on budget...
that's why I have to take all the responsibility for security by
myself.. *sigh* it's tiresome but it's part of the job :)

thanks to all for helping,

cheers. :)

On 9/13/06, Kish Pent <kish_pent@yahoo.com> wrote:
> Hello Wahyu,
>
> I think a doctor should do surgery because he knows
> how to do it; in the same way an application's source code
> should be reviewed by a penetration-test team to comply
> with some methodology like OWASP, not by the developers,
> because they learn to build software and pen-testers
> know how to break software.
>
> Second point is RATS - Rough Auditing Tool for
> Security by Secure Software
> (http://www.securesw.com/rats) can audit PHP code too
> (but it's not dependable, it just analyzes source code
> roughly).
>
> Stefano :), you must see Security Forest's page which
> says RATS can audit C, C++, Perl, PHP & Python source
> code. (http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners)
>
> I haven't tried SWAAT from Security Compass though;
> it's safe to bet on pen-test, because automated tools
> don't substitute humans anytime of the day.
>
> Cheers :)
>
> --- Stefano Zanero <zanero@elet.polimi.it> wrote:
>
> > Ric Messier wrote:
> >
> > > PHP is fairly C-like. If you know C, it's pretty
> > > easy to read PHP. However,
> > > try RATS.
> > > http://www.securesoftware.com/download_rats.htm
> >
> > Are you suggesting that RATS (a source code scanner
> > for C) would be able
> > to detect security vulnerabilities in PHP?
> >
> > That's a challenging proposition :)
> >
> > As far as I know, very little exists in the area of
> > "source code
> > auditing" for web applications. Developing one is not
> > easy (it's one of
> > our research tasks at the moment).
> >
> > From what I've seen, the SWAAT tool mentioned
> > elsewhere is little more
> > than what you can obtain through grep...
> >
> > Best,
> > Stefano
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT