Penetration Testing mailing list archives
RE: Fwd: Re: tools to scan source code
From: "ankur jindal" <ankurjn113 () hotmail com>
Date: Wed, 13 Sep 2006 00:03:49 +0000
Hey,

There are many static and dynamic analyzers like PreFix (used in Microsoft), Metal, ESCJava et al. which analyze the source code based on some given preconditions and postconditions. You can google for more. They may not serve your purpose completely but might be something you can use together with manual code reading for improved efficiency.
Ankur

----Original Message Follows----
From: "marco () cerbtech net" <marco () cerbtech net>
Reply-To: marco () cerbtech net
To: pen-test () securityfocus com
Subject: Fwd: Re: tools to scan source code
Date: Tue, 12 Sep 2006 08:52:03 -0500

This article http://www.ouncelabs.com/secure_enterprise.html is a good start to evaluate which code scanning tool (also called static parsers) best suits your needs for the supporting programming language of your choice. My experience on using code scanning tools is that they only scratch the surface of potential security bugs in the code. They find the so-called LHF (Low Hanging Fruits). Static parsers do not find security flaws (security defects in architecture and design) that can only be found with manual secure code reviews and secure architecture design review. The big value from automated code scanning is to use them as input for a deeper manual code review that also complements the findings of web application pen tests.

Marco

On Mon Sep 11 5:30 , 'Wahyu Wijaya H.' sent:
hi all,
i got involved in some web application development using php and mysql. i got responsibility to check for vulnerability that may exist. is there any tool that can help me? i mean any tool that could scan the entire source code to find any vulnerability, because auditing all source code seems overwhelming to me :-) plus that i am not fluent in php language.
thanks a lot,
cheers...

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
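As an added illustration of Marco's point about static parsers finding only the low hanging fruit (this is example code written for this archive page, not a tool from the thread), a toy pattern-based scanner in Python run over a constructed PHP/MySQL snippet. The superglobal-in-sink check catches the two queries that splice request input in directly, while the query fed through a local variable is only caught once one step of data flow is tracked; the function names and the sample source are assumptions.

```python
import re

# Constructed sample PHP (not from the thread): one direct concatenation of
# request input, one interpolation inside a string, one indirect use through
# a local variable, and one use wrapped in intval() as a crude sanitiser.
SAMPLE_PHP = r'''<?php
$id = $_GET['id'];
$r1 = mysql_query("SELECT * FROM users WHERE id = " . $_GET['id']);
$r2 = mysql_query("SELECT * FROM users WHERE name = '$_POST[name]'");
$r3 = mysql_query("SELECT * FROM users WHERE id = " . $id);
$r4 = mysql_query("SELECT * FROM users WHERE id = " . intval($id));
'''

SUPERGLOBALS = r'\$_(?:GET|POST|REQUEST|COOKIE)'
SINK = re.compile(r'mysql_query\s*\((.*)\)\s*;')   # the SQL sink we care about
ASSIGN = re.compile(r'(\$\w+)\s*=\s*' + SUPERGLOBALS)  # $var = $_GET[...]


def find_direct_taint(php_source):
    """Low-hanging-fruit check: a request superglobal appears inside the
    argument text of a mysql_query() call on the same line. No data flow
    is tracked, so input that travels through a variable first is missed."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = SINK.search(line)
        if m and re.search(SUPERGLOBALS, m.group(1)):
            findings.append((lineno, line.strip()))
    return findings


def find_tainted_via_assignment(php_source):
    """One step of data flow: remember variables assigned straight from a
    superglobal, then flag sinks that use such a variable unless it is
    wrapped in intval() on the way in. Still purely textual and line-local."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        a = ASSIGN.search(line)
        if a:
            tainted.add(a.group(1))
        m = SINK.search(line)
        if not m:
            continue
        arg = m.group(1)
        for var in sorted(tainted):
            used = re.search(re.escape(var) + r'\b', arg)
            sanitised = re.search(r'intval\s*\(\s*' + re.escape(var), arg)
            if used and not sanitised:
                findings.append((lineno, var))
    return findings
```

The gap between the two result sets is exactly the kind of finding that a line-by-line parser hands over to the manual review rather than reporting itself.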