Re: tools to scan source code

From: Kish Pent (kish_pent@yahoo.com)
Date: Wed Sep 13 2006 - 00:08:13 EDT


Hello Wahyu,

I think a doctor should do surgery because he knows
how to do it; in the same way, an application's source
code should be reviewed by a penetration-test team to
comply with some methodology like OWASP, not by the
developers, because they learn to build software and
pen-testers know how to break software.

Second point is RATS - Rough Auditing Tool for
Security by Secure Software
(http://www.securesw.com/rats) can audit PHP code too
(but it's not dependable; it just analyzes source code
roughly).

Stefano :), you must see Security Forest's page, which
says RATS can audit C, C++, Perl, PHP & Python source
code (http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners).

I haven't tried SWAAT from Security Compass, though;
it's safe to bet on pen-test, because automated tools
don't substitute for humans any time of the day.

Cheers :)
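The kind of "rough" pattern scanning that the thread compares RATS and SWAAT to grep for, as an added example that is not code from the thread, from RATS or from SWAAT: a small Python scanner with a hypothetical rule table, run over constructed PHP snippets. It shows what a lexical scanner can do (catch a request-data source and an SQL sink on the same line) and why it is not dependable on its own: a safely cast value and an injectable value that reaches the query through a variable produce identical reports, so a human reviewer still has to follow the data flow.

```python
"""Grep-style PHP source scanner, constructed for this example to show the
limits of purely lexical auditing. It has no parser and no data-flow
tracking: it matches regexes line by line, which is all that "rough"
scanning amounts to."""
import re

# Hypothetical rule table (name -> (regex, note)); not RATS' real database.
RULES = {
    "sql-sink-with-request-data": (
        re.compile(r"\bmysql_query\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b"),
        "SQL query built directly from request data (likely SQL injection)",
    ),
    "shell-sink": (
        re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\("),
        "shell command execution; check where the argument comes from",
    ),
    "eval": (re.compile(r"\beval\s*\("), "eval() on dynamic code"),
    "request-data": (
        re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
        "request data read; verify it is validated before reaching a sink",
    ),
}


def scan(source: str) -> list:
    """Return one finding dict per (line, rule) match.

    Single-line comments are skipped; block comments and strings are not
    understood at all, which is one reason such scanners over-report.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//") or stripped.startswith("#"):
            continue
        for rule, (regex, note) in RULES.items():
            if regex.search(line):
                findings.append(
                    {"line": lineno, "rule": rule, "note": note, "code": stripped}
                )
    return findings


def rules_hit(source: str) -> list:
    """Sorted set of rule names that fired for a snippet."""
    return sorted({f["rule"] for f in scan(source)})


# Constructed PHP snippets (not from any real application).
DIRECT = """<?php
$r = mysql_query("SELECT * FROM users WHERE id = " . $_GET['id']);
"""

SANITISED = """<?php
$id = intval($_GET['id']);            // cast to int: safe for this query
$r = mysql_query("SELECT * FROM users WHERE id = $id");
"""

INDIRECT = """<?php
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = " . $id;   // taint flows via a variable
$r = mysql_query($sql);
"""

if __name__ == "__main__":
    for name, src in (("direct", DIRECT), ("sanitised", SANITISED),
                      ("indirect", INDIRECT)):
        print(f"== {name}: rules hit = {rules_hit(src)}")
        for f in scan(src):
            print(f"  line {f['line']} [{f['rule']}] {f['code']}")
```

The DIRECT snippet is the only one where the high-severity sink rule fires; SANITISED and INDIRECT both produce just the low-severity "request-data" hit, although one is safe and the other is injectable. That is the gap a reviewer has to close by hand, and it is what separates grep-like scanning from a real audit.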

--- Stefano Zanero <zanero@elet.polimi.it> wrote:

> Ric Messier wrote:
>
> > PHP is fairly C-like. If you know C, it's pretty
> > easy to read PHP. However, try RATS.
> > http://www.securesoftware.com/download_rats.htm
>
> Are you suggesting that RATS (a source code scanner
> for C) would be able to detect security
> vulnerabilities in PHP?
>
> That's a challenging proposition :)
>
> As far as I know, very little exists in the area of
> "source code auditing" for web applications.
> Developing one is not easy (it's one of our research
> tasks at the moment).
>
> From what I've seen, the SWAAT tool mentioned
> elsewhere is little more than what you can obtain
> through grep...
>
> Best,
> Stefano


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT