Difference between revisions of "Source Code Analysis Tools"

From OWASP
Line 1: Line 1:
 
Page dedicated to the analysis and comment of Source Code Audit tools:
 
Page dedicated to the analysis and comment of Source Code Audit tools:
  
 +
==Description==
  
== Current Tools ==
+
TBD
 +
 
 +
==Strengths and Weaknesses==
 +
 
 +
==Important Selection Criteria==
 +
 
 +
* Requirement: Must support your language, but not usually a key factor once it does.
 +
 
 +
* Types of Vulnerabilities it can detect (Out of the OWASP Top Ten?) (plus more?)
 +
* Does it require a fully buildable set of source?
 +
* Can it run against binaries instead of source?
 +
* Can it be integrated into the developer's IDE?
 +
 
 +
==OWASP Tools Of This Type==
  
 
* [http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project OWASP_LAPSE_Project]
 
* [http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project OWASP_LAPSE_Project]
* [http://www.securitycompass.com/swaat.html SWAAT]  
+
 
* [http://www.fortifysoftware.com/products/sca.jsp Fortify Source Code Analysis]
+
==Open Source or Free Tools Of This Type==
 +
 
 +
* [http://www.gotdotnet.com/Team/FxCop/ Microsoft - FxCop: Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines]
 +
* Microsoft - PreFix
 +
* Microsoft - PreFast
 +
* [http://www.securitycompass.com/swaat.html SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP]  
 +
* [http://www.securesoftware.com/resources/download_rats.html Secure Software - RATS - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions]
 +
 
 +
==Commercial Tools from OWASP Members Of This Type==
 +
 
 +
* [http://www.fortifysoftware.com/products/sca.jsp Fortify - Source Code Analysis]
 +
* [http://www.securesoftware.com/products/ Secure Software - CodeAssure]
 +
 
 +
==Other Well Known Commercial Tools Of This Type==
 +
 
 +
* [http://www.ouncelabs.com/ Ounce Labs - Ounce]
 +
* [http://www.coverity.com/products/prevent.html Coverity - Prevent]
 +
 
 +
==More Info==
 +
 
 
* add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html
 
* add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html
 
* http://www.owasp.org/index.php/Appendix_A:_Testing_Tools
 
* http://www.owasp.org/index.php/Appendix_A:_Testing_Tools
----
 
 
  
 
[[Category:OWASP .NET Project]]
 
[[Category:OWASP .NET Project]]
  
{{Template:Stub}}
+
[[Category:OWASP Tools Project]]
 +
 
 +
__NOTOC__
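Review bot: the new "Important Selection Criteria" list (the lines from "* Requirement: Must support your language" through "* Can it be integrated into the developer's IDE?") leaves out the criterion that usually decides whether a static analyser gets adopted, its accuracy on the team's own code, and the item "* Can it run against binaries instead of source?" reads oddly on a page about source code analysis. Consider adding a line such as "* Accuracy: false-positive and false-negative rates when run on your own code base" and rewording the binaries item so it is presented as the fallback for the preceding question ("* Does it require a fully buildable set of source?") rather than as a separate capability. Also, "==Description==" is added with only "TBD" beneath it and "==Strengths and Weaknesses==" is added empty, so the page still reads as a stub and the empty headings should either be filled or marked as pending in the text.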

Revision as of 20:41, 27 October 2006

Page dedicated to the analysis and comment of Source Code Audit tools:

Description

TBD

Strengths and Weaknesses

Important Selection Criteria

  • Requirement: Must support your language, but not usually a key factor once it does.
  • Types of Vulnerabilities it can detect (Out of the OWASP Top Ten?) (plus more?)
  • Does it require a fully buildable set of source?
  • Can it run against binaries instead of source?
  • Can it be integrated into the developer's IDE?

OWASP Tools Of This Type

Open Source or Free Tools Of This Type

Commercial Tools from OWASP Members Of This Type

Other Well Known Commercial Tools Of This Type

More Info