Source Code Analysis Tools
Revision as of 20:41, 27 October 2006 by Wichers
This page is dedicated to the analysis and discussion of source code audit tools:
Strengths and Weaknesses
Important Selection Criteria
- Requirement: it must support your language, but language support is not usually a key factor once that requirement is met.
- Types of vulnerabilities it can detect (does it cover the OWASP Top Ten? anything beyond that?)
- Does it require a fully buildable set of source?
- Can it run against binaries instead of source?
- Can it be integrated into the developer's IDE?
OWASP Tools Of This Type
Open Source or Free Tools Of This Type
- Microsoft - FxCop: Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
- Microsoft - PreFix
- Microsoft - PreFast
- SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
- Secure Software - RATS - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions