Penetration Testing mailing list archives
RE: Source code review/scanner
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Tue, 21 Aug 2007 13:59:35 -0700
This isn't necessarily a pen-test subject but I let it through since the majority of problems or holes I've encountered when doing pen-testing could have been mitigated to a large extent using this type of internal testing. Is there a quatifiable value-add, how do tools like this affect your approach to testing, etc. Plus, I want to see what the rest of the list has to say about it :) Products I would recommend are from SPI Dynamics (now HP since they were recently bought); DevInspect and QAInspect. These tools integrate fairly seamlessly with existing Dev and QA platforms (Visual Studio, Eclipse, Rational, HP Quality Center, etc) and can automate a large portion of source and QA security VA without requiring your devs to be security experts. Pretty much click an added button in your current framework, it analyzes for common issues (unsanitized inputs, undeclared values, BO's et al) and flags them for the devs or QA teams to address. I'd be interested to hear what other products are in the same space. I'm not affiliated with SPI (just a satisfied customer) and have seen how these products can minimize the game of security whack-a-mole at the production level. Some of the more secure sites I've tested in the past have had some or all of these processes and tools in place to some extent. -- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball"
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of xelerated Sent: Tuesday, August 21, 2007 6:10 AM To: pen-test () securityfocus com Subject: Source code review/scanner All, Im looking for something for another dept. to help them review both source code and web app code created by our developers. The main types being VB and ASP. Standard manual testing will still take place, but id like to get something to check the obvious things before it goes into testing. Can anyone recommend some tools for both aspects? Due to separation of duties neither I or the others in network security nor the developers will be doing the source code testing. So im trying to find something that works for those with less than optimal security or coding knowledge. Thanks for your input -------------------------------------------------------------- ---------- This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads -------------------------------------------------------------- ----------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Source code review/scanner xelerated (Aug 21)
- RE: Source code review/scanner Shenk, Jerry A (Aug 21)
- RE: Source code review/scanner Erin Carroll (Aug 21)
- Re: Source code review/scanner Nikhil Wagholikar (Aug 25)
- <Possible follow-ups>
- Re: Source code review/scanner eladexposed (Aug 28)