WebApp Sec mailing list archives

Re: Web Application Analysis Tools?


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Thu, 12 Dec 2002 14:08:39 -0500

Flawfinder (http://www.dwheeler.com/flawfinder/), RATS, and ITS4 are all
nicely discussed in this article
http://www.linuxjournal.com//article.php?sid=5673. Mainly they focus on
"generic" problems like buffer overflows and TOCTOU.

My guess is that you would be far better off taking a good hard look at
the OWASP guide and/or some of the web application security books out
there, and doing a code review yourself.  You'll want to focus on the
problems that are most likely to present serious risks to your site, like
SQL injection, XSS, error handling, crypto problems, etc...  Check the
recent "top ten" thread for more.

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
www.aspectsecurity.com



----- Original Message -----
From: Kevin Spett
To: David Simcik ; Webappsec
Sent: Thursday, December 12, 2002 1:47 PM
Subject: Re: Web Application Analysis Tools?


RATS audits PHP, Perl, Python and C/C++.  I haven't used it, so I can't
attest to how valuable the results are.  In any case, there's a cool image
on the RATS site: http://www.securesoftware.com/



Kevin Spett
SPI Labs
http://www.spidynamics.com/


----- Original Message -----
From: "David Simcik" <dave () simcik com>
To: "Webappsec" <webappsec () securityfocus com>
Sent: Thursday, December 12, 2002 12:50 PM
Subject: Web Application Analysis Tools?


Where I work, we (read: I) have spent a considerable amount of time
focusing in on locking-down our sites/servers on the system level, from
say, IIS down, through a variety of ways. I should point out that we're a
small web development shop in academia. I'd now like to focus on our web
application source as well. Are there any analysis/auditing tools out
there (especially free/inexpensive ones) that will help with this? I
suspect there aren't any "one size fits all" type solutions out there for
this, but I have to try.

Thanks!
David
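
The thread above contrasts lexical source scanners (Flawfinder, RATS, ITS4) with a manual review aimed at SQL injection and XSS. The script below is an added example, not code from any of those tools or from any poster: it applies the same line-by-line pattern matching to a constructed PHP snippet, rating sinks higher when a request superglobal sits on the same line, and shows the cross-line data flow such a scanner cannot see (rule names, risk scale and sample code are all made up for the illustration).

```python
import re
from typing import List, Tuple

# Request superglobals that carry attacker-controlled input.
TAINT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

# Sinks a reviewer should look at: (rule, pattern, base risk on a 1-5 scale).
SINKS = [
    ("sql-query", re.compile(r"\b(mysql_query|mysqli_query|pg_query)\s*\(", re.I), 2),
    ("html-output", re.compile(r"\b(echo|print)\b", re.I), 1),
]

# Calls that, when present on the same line, suppress the finding.
MITIGATORS = {
    "sql-query": re.compile(r"\b(mysqli?_real_escape_string|prepare|bind_param)\b", re.I),
    "html-output": re.compile(r"\b(htmlspecialchars|htmlentities)\b", re.I),
}


def audit(source: str) -> List[Tuple[int, str, int]]:
    """Return (line_no, rule, risk) for every unmitigated sink.

    Risk is the sink's base value plus 3 when a request variable appears on
    the same line. Flow across lines is invisible to this kind of tool, so a
    query fed by a variable assigned from $_GET elsewhere is reported at its
    base risk only; that is the gap a manual code review has to close."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern, base in SINKS:
            if not pattern.search(line) or MITIGATORS[rule].search(line):
                continue
            risk = base + (3 if TAINT.search(line) else 0)
            findings.append((no, rule, risk))
    return findings


# Constructed PHP sample for the demonstration, not taken from any project.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$r1 = mysql_query("SELECT * FROM users WHERE id = $id");
$r2 = mysql_query("SELECT * FROM users WHERE name = '" . $_POST['name'] . "'");
$r3 = mysql_query("SELECT * FROM users WHERE name = '" . mysql_real_escape_string($_POST['name']) . "'");
echo "Hello " . $_GET['name'];
echo "Hello " . htmlspecialchars($_GET['name']);
print "static text";
"""

if __name__ == "__main__":
    # Highest risk first, the way a reviewer would triage the report.
    for no, rule, risk in sorted(audit(SAMPLE_PHP), key=lambda f: -f[2]):
        print(f"line {no}: {rule} (risk {risk})")
```

Note that line 3 of the sample is the real injection, yet it scores lower than line 4 because the tainted assignment happened one line earlier; that ordering is exactly why the tools' output still needs a human reading the code.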