RE: tools to scan source code

From: Benjamin Livshits (livshits@cs.stanford.edu)
Date: Wed Sep 13 2006 - 18:02:48 EDT


We have contemplated augmenting LAPSE with .NET support. LAPSE, an
open-source Java source code auditing tool, is now housed at OWASP:

        http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project

Let me know if you are interested.

-Ben

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Ben Hall
> Sent: Wednesday, September 13, 2006 2:35 AM
> To: Stefano Zanero
> Cc: kish_pent@yahoo.com; Ric Messier; Wahyu Wijaya H.;
> pen-test@securityfocus.com
> Subject: Re: tools to scan source code
>
> Hello all,
>
> I've been watching this conversation closely, as it is hugely
> relevant to me at the moment.
>
> I am just about to enter my final year of University, and I
> was hoping to create a static source code analyser for
> ASP.net applications. I thought it was a good idea;
> however, after reading this I am starting to think otherwise,
> and maybe there could be better uses of the opportunity to
> complete a large project.
>
> Does anyone have any advice? I want to do a project involving
> security and .net. I've been recommended to do an application to edit
> the HTTP request, like WebScarab; however, this has been done
> many times and doesn't represent anything 'new', and while
> source code auditors aren't new, they are less readily
> available as open source software. This is still an option I
> might look into, taking it off on a tangent somehow and
> doing more of a full pen-test application.
>
> I welcome anyone's advice.
>
> Thank you
>
> Ben
>
>
> On 13/09/06, Stefano Zanero <zanero@elet.polimi.it> wrote:
> > Hi Kish,
> >
> > I realize I've been a bit too cryptic in my answer:
> >
> > > Stefano :), you must see Security Forest's page which says RATS can
> > > audit C, C++, Perl, PHP & Python source code.
> > > (http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners)
> >
> > Yes, RATS _can_ audit PHP source. What I was referring to is that web
> > app vulnerabilities have a different structure than the
> > vulnerabilities you commonly audit C source code for.
> >
> > For instance, you can detect candidates for buffer overflow (along
> > with a bunch of false positives) through simple regexp pattern
> > matching. It's way more difficult to detect candidates for SQL
> > injection with few false positives.
> >
> > The fact that RATS is able to handle PHP code is not synonymous
> > with its being able to handle web-app vulnerabilities.
> >
> > Stefano
> >
> >
> ----------------------------------------------------------------------
> > --
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php
> >
> ----------------------------------------------------------------------
> > --
> >
> >
>

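Stefano's distinction above (a regexp finds buffer-overflow candidates cheaply, but SQL injection with few false positives needs to know where the query string came from), as an added example that is not part of the thread and is not code from RATS or LAPSE. The C and PHP snippets are constructed for illustration, the rules are hypothetical grep-style signatures, and the taint tracker assumes straight-line code with one statement per line and only the listed sources, sanitizers and sinks.

```python
import re

# --- Part 1: RATS-style regexp scan of C source ---------------------------

# Constructed C snippet (not from the thread). Lines 2 and 5 are real
# candidates; line 3 (strncpy) and line 4 (an identifier, not a call) are not.
C_SAMPLE = """char buf[64];
strcpy(buf, argv[1]);
strncpy(buf, argv[1], sizeof buf - 1);
int strcpy_count = 0;
gets(buf);
"""

# Hypothetical rule: a known-unsafe function name followed by '('.
# A lexical rule like this is all a grep-style scanner needs to find candidates.
C_RISKY_CALL = re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\(")


def scan_c_regex(src):
    """Return [(line_no, function)] for every unsafe-call candidate."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        m = C_RISKY_CALL.search(line)
        if m:
            hits.append((no, m.group(1)))
    return hits


# --- Part 2: the same approach, then taint tracking, on PHP/SQL ----------

# Constructed PHP snippet (not from the thread). Only the query built from
# $id (line 8) is injectable: $name is escaped, $limit is a constant, and
# the last call uses a string literal.
PHP_SAMPLE = """<?php
$id = $_GET['id'];
$name = mysql_real_escape_string($_GET['name']);
$limit = 10;
$q1 = "SELECT * FROM users WHERE id = " . $id;
$q2 = "SELECT * FROM users WHERE name = '" . $name . "'";
$q3 = "SELECT * FROM users LIMIT " . $limit;
mysql_query($q1);
mysql_query($q2);
mysql_query($q3);
mysql_query("SELECT 1");
"""

# Hypothetical grep-style rule: any mysql_query() whose argument is not a
# plain string literal. It cannot see where the argument came from.
PHP_RISKY_SINK = re.compile(r"""\bmysql_query\s*\((?!\s*["'])""")


def scan_php_regex(src):
    """Return line numbers of mysql_query() calls with a non-literal argument."""
    return [no for no, line in enumerate(src.splitlines(), 1)
            if PHP_RISKY_SINK.search(line)]


# Minimal taint tracker (assumptions: straight-line code, one statement per
# line, no control flow, no calls other than the sanitizers and sink listed).
SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")          # attacker input
SANITIZER = re.compile(r"^(mysql_real_escape_string|intval)\s*\(.*\)$")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
SINK = re.compile(r"\bmysql_query\s*\(\s*(.+?)\s*\)\s*;")
VAR = re.compile(r"\$\w+")


def expr_is_tainted(expr, tainted):
    """An expression is tainted if it reads a source or a tainted variable,
    unless the whole expression is wrapped in a known sanitizer."""
    if SANITIZER.match(expr.strip()):
        return False
    if SOURCE.search(expr):
        return True
    return any(v in tainted for v in VAR.findall(expr))


def scan_php_taint(src):
    """Return [(line_no, argument)] for sinks that receive tainted data."""
    tainted = set()
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, expr = m.groups()
            if expr_is_tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)   # reassignment with clean data clears taint
            continue
        m = SINK.search(line)
        if m and expr_is_tainted(m.group(1), tainted):
            findings.append((no, m.group(1)))
    return findings


if __name__ == "__main__":
    print("C, regexp:  ", scan_c_regex(C_SAMPLE))
    print("PHP, regexp:", scan_php_regex(PHP_SAMPLE))
    print("PHP, taint: ", scan_php_taint(PHP_SAMPLE))
```

On the constructed input the C rule returns exactly the two real candidates, while the equivalent PHP rule flags three of the four mysql_query() calls, two of them false positives, because the danger is not in the sink's name but in the path the data took to reach it. The taint pass reports only the call fed by $_GET. The tracker's assumptions (no branches, no functions, no arrays) are precisely what a tool such as LAPSE has to generalize with real dataflow analysis, which is why Stefano's point holds even though RATS accepts PHP as an input language.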



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT