From OWASP
Source Code Analysis tools are designed to analyze source code and/or compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.
Open Source or Free Tools Of This Type
- FindBugs - Find Bugs (including some security flaws) in Java Programs
- FxCop (Microsoft) - FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
- PMD - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
- PreFast (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs
- RATS (Fortify) - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
- SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
- Flawfinder Flawfinder - Scans C and C++
Commercial Tools from OWASP Members Of This Type
These vendors have decided to support OWASP by becoming
members. OWASP appreciates the support from these organizations, but cannot endorse any commercial products or services.
Posts
No comments:
Post a Comment