Source Code Analysis Tools
This page collects and comments on source code audit (static analysis) tools, covering their strengths and weaknesses.
Important Selection Criteria
- Language support is a hard requirement: the tool must support your language. Once it does, language support is not usually a key differentiator.
- Types of vulnerabilities it can detect: does it cover the OWASP Top Ten, and what does it find beyond them?
- Does it require a fully buildable set of source?
- Can it run against binaries instead of source?
- Can it be integrated into the developer's IDE?
OWASP Tools Of This Type
Open Source or Free Tools Of This Type
- Microsoft - FxCop: Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
- Microsoft - PreFix
- Microsoft - PreFast
- SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
- Secure Software - RATS - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
Commercial Tools from OWASP Members Of This Type
These vendors have decided to support OWASP by becoming members. OWASP appreciates the support from these organizations, but cannot endorse any commercial products or services.