OWASP - User contributions [en]

Source Code Analysis Tools

2019-01-03T19:59:48Z

Ejohn20: /* Commercial Tools Of This Type */ Minor updates to Puma Scan Professional description.

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and Weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your programming language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* How accurate is it? False Positive/False Negative rates?
** Does the tool have an OWASP [[Benchmark]] score?
* Does it understand the libraries/frameworks you use?
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* How hard is it to setup/use?
* Can it be run continuously and automatically?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [[OWASP SonarQube Project]]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]

==Disclaimer==

Disclaimer: The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

==Open Source or Free Tools Of This Type==

* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

==Commercial Tools Of This Type==
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service.
* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security)
* [http://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages.
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.
* [http://www.contrastsecurity.com/ Contrast] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and use machine learning to give a prediction on false positives.
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).

==More info==

* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__

Static Code Analysis

2019-01-03T19:55:21Z

Ejohn20: /* Commercial */ Minor language update to Puma Scan.

Every '''[[control]]''' should follow this template.

{{Template:Control}}
 
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the Integrated Development Environment (IDE). For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'.[0]

==Techniques==
There are various techniques to analyze static source code for potential vulnerabilities that maybe combined into one solution. These techniques are often derived from compiler technologies.

===Data Flow Analysis===
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state (Wögerer, 2005).

There are three common terms used in data flow analysis, basic block (the code), Control Flow Analysis (the flow of data) and Control Flow Path (the path the data takes):

Basic block: A sequence of consecutive instructions where control enters at the beginning of a block, control leaves at the end of a block and the block cannot halt or branch out except at its end (Wögerer, 2005).

Example PHP basic block:

<pre>
1. $a = 0;
2. $b = 1;
3.
4. if ($a == $b)
5. { # start of block
6. echo “a and b are the same”;
7. } # end of block
8. else
9. { # start of block
10. echo “a and b are different”;
11.} # end of block
</pre>

=== Control Flow Graph (CFG) ===
An abstract graph representation of software by use of nodes that represent basic blocks. A node in a graph represents a block; directed edges are used to represent jumps (paths) from one block to another. If a node only has an exit edge, this is known as an ‘entry’ block, if a node only has a entry edge, this is know as an ‘exit’ block (Wögerer, 2005).

Example Control Flow Graph; ‘node 1’ represents the entry block and ‘node 6’ represents the exit block.

[[File:Control_flow_graph.png|400x200px]]

===Taint Analysis===
Taint Analysis attempts to identify variables that have been 'tainted' with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI.

===Lexical Analysis===
Lexical Analysis converts source code syntax into ‘tokens’ of information in an attempt to abstract the source code and make it easier to manipulate (Sotirov, 2005).

Pre tokenised PHP source code:

<pre>
<?php $name = "Ryan"; ?>
</pre>

Post tokenised PHP source code:

<pre>
T_OPEN_TAG
T_VARIABLE
=
T_CONSTANT_ENCAPSED_STRING
;
T_CLOSE_TAG
</pre>

==Strengths and Weaknesses==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Limitations==

===False Positives===
A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

===False Negatives===
The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of Vulnerabilities it can detect (The OWASP Top Ten?) (more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)
* Does it support Object-oriented programming (OOP)?

==Examples==

===RIPS PHP Static Code Analysis Tool===
[[File:Rips.jpg|400px|thum|]]

===OWASP LAPSE+ Static Code Analysis Tool===
[[File:LapsePlusScreenshot.png|400px|thum|]]

== Tools ==

===OWASP Tools===

{| class="wikitable"
! Software
! Language(s)
|-
| [[:Category:OWASP_Code_Crawler|OWASP Code Crawler]]
| .NET, Java
|-
| [[:Category:OWASP_Orizon_Project|OWASP Orizon Project]]
| Java
|-
| [[OWASP LAPSE Project]]
| Java
|-
| [[OWASP O2 Platform]]
|
|-
| [[OWASP WAP-Web Application Protection]]
| PHP
|}

=== Open Source/Free ===

{| class="wikitable"
! Software
! Language(s)
! OS(es)
|-
| [https://sourceforge.net/projects/agnitiotool/ Agnitio]
| ASP, ASP.NET, C#, Java, Javascript, Perl, PHP, Python, Ruby, VB.NET, XML
| Windows
|-
| [https://brakemanscanner.org/ Brakeman]
| Ruby, Rails
|
|-
| [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity]
| Multiple
|
|-
| [http://www.devbug.co.uk DevBug]
| PHP
| web-based
|-
| [http://findbugs.sourceforge.net/ FindBugs]
| Java
|
|-
| [https://find-sec-bugs.github.io/ Find Security Bugs]
| Java, Scala, Groovy
|
|-
| [https://dwheeler.com/flawfinder/ FlawFinder]
| C, C++
|
|-
| [https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-3.0/bb429476(v=vs.80) Microsoft FxCop]
| .NET
|
|-
| [https://security-code-scan.github.io/ .NET Security Guard]
| .NET, C#, VB.net
|
|-
| [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit]
| PHP
| Windows, Unix
|-
| [https://pmd.github.io/ PMD]
| Java, JavaScript, Salesforce.com Apex and Visualforce, PLSQL, Apache Velocity, XML, XSL
|
|-
| [https://www.pumascan.com/ Puma Scan]
| .NET, C#
|
|-
| [https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms933794(v=msdn.10) Microsoft PREFast]
| C, C++
|
|-
| [http://rips-scanner.sourceforge.net/ RIPS]
| PHP
| any
|-
| [https://sonarcloud.io/about SonarCloud]
| ABAP, C, C++, Objective-C, COBOL, C#, CSS, Flex, Go, HTML, Java, Javascript, Kotlin, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Swift, T-SQL, TypeScript, VB6, VB, XML
|
|-
| [https://www.splint.org/ Splint]
| C
|
|-
| [https://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper]
| C/C++, C#, VB, PHP, Java, PL/SQL
| Windows
|}

=== Commercial ===

{| class="wikitable"
! Software
! Language(s)
! Notes
|-
| [https://www.microfocus.com/en-us/products/static-code-analysis-sast/overview Fortify]
| ABAP/BSP, ActionScript/MXML (Flex), ASP.NET, VB.NET, C# (.NET), C/C++, Classic ASP (w/VBScript), COBOL, ColdFusion CFML, HTML, Java (including Android), JavaScript/AJAX, JSP, Objective-C, PHP, PL/SQL, Python, T-SQL, Ruby, Swift, Visual Basic, VBScript, XML
| OWASP Member
|-
| [https://www.veracode.com/ Veracode]
| Android, ASP.NET, C#, C, C++, Classic ASP, COBOL, ColdFusion/Java, Go, Groovy, iOS, Java, JavaScript, Perl, PhoneGap/Cordova, PHP, Python, React Native, RPG, Ruby on Rails, Scala, Titanium, TypeScript, VB.NET, Visual Basic 6, Xamarin
| OWASP Member
|-
| [https://www.grammatech.com/ CodeSonar]
| C, C++, Java
|
|-
| [https://www.parasoft.com/ ParaSoft]
| C, C++, Java, .NET
|
|-
| <s>[http://www.armorize.com/codesecure/ Armorize CodeSecure]</s>
|
| OWASP Member; acquired by Proofpoint in 2013
|-
| [https://www.checkmarx.com/ Checkmarx Static Code Analysis]
| Android, Apex, ASP.NET, C#, C++, Go, Groovy, HTML5, Java, JavaScript, JSP, .NET, Objective-C, Perl, PHP, PL/SQL, Python, Ruby, Scala, Swift, TypeScript, VB.NET, Visual Basic 6, Windows Phone
| OWASP Member
|-
| [https://www.ibm.com/us-en/marketplace/ibm-appscan-source IBM AppScan Source]
|
|
|-
| [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Coverity]
| Android, C#, C, C++, Java, JavaScript, Node.js, Objective-C, PHP, Python, Ruby, Scala, Swift, VB.NET
|
|-
| [https://www.viva64.com/en/pvs-studio/ PVS-Studio]
| C, C++, C#
|
|-
| [https://pumascan.com/pricing/ Puma Scan Professional]
| .NET, C#
|
|-
| [https://www.roguewave.com/products-services/klocwork/static-code-analysis Klocwork]
| C, C++, C#, Javaa
|
|-
| [https://www.mathworks.com/products/polyspace.html Polyspace Static Analysis]
| C, C++, Ada
|
|-
| [https://www.ripstech.com/ RIPS NextGen]
| PHP
|
|}

===Other Tool Lists===

* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST - Source Code Security Analyzers]
* [http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis Wikipedia - List of tools for static code analysis]

==References==
[0] {{cite web |url=http://www.software-supportability.org/Docs/00-55_Part_2.pdf |title=Requirements for Safety Related Software in Defence Equipment |date=August 1, 1997 |format=pdf |publisher=Ministry of Defence |access-date=December 17, 2018}}

== Further Reading ==

* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf OWASP Code Review Guide v1.1]
* http://www.crosstalkonline.org/storage/issue-archives/2003/200311/200311-German.pdf
* http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf
* http://www.php-security.org/downloads/rips.pdf
* http://www.seclab.tuwien.ac.at/papers/pixy.pdf

[[Category:FIXME|
In addition, one should classify control based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Control]]</nowiki>

Availability Control
Authorization Control
Authentication Control
Concurrency Control
Configuration Control
Cryptographic Control
Encoding Control
Error Handling Control
Input Validation Control
Logging and Auditing Control
Session Management Control
]]
__FORCETOC__

[[Category:Control]]

Appendix A: Testing Tools

2017-09-29T18:07:59Z

Ejohn20: /* Open Source / Freeware */ Added puma scan (open source) and puma scan pro

{{Template:OWASP Testing Guide v4}}

==Open Source Black Box Testing tools==

=== General Testing ===
* '''[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP]'''
**The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
**ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins.
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* '''[[:OWASP Mantra - Security Framework]]'''
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
* '''SPIKE''' - http://www.immunitysec.com/resources-freesoftware.shtml
** SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
* '''Burp Proxy''' - http://www.portswigger.net/Burp/
** Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
* '''Odysseus Proxy''' - http://www.wastelands.gen.nz/odysseus/
** Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
* '''Webstretch Proxy''' - http://sourceforge.net/projects/webstretch
** Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
* '''WATOBO''' - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
** WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
* '''Firefox LiveHTTPHeaders''' - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
** View HTTP headers of a page and while browsing.
* '''Firefox Tamper Data''' - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
** Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
* '''Firefox Web Developer Tools''' - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
** The Web Developer extension adds various web developer tools to the browser.
* '''DOM Inspector''' - https://developer.mozilla.org/en/docs/DOM_Inspector
** DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
* '''Firefox Firebug''' - http://getfirebug.com/
** Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
* '''Grendel-Scan''' - http://securitytube-tools.net/index.php?title=Grendel_Scan
** Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
* '''OWASP SWFIntruder''' - http://www.mindedsecurity.com/swfintruder.html
** SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
* '''SWFScan''' - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
** Flash decompiler
* '''Wikto''' - http://www.sensepost.com/labs/tools/pentest/wikto
** Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
* '''w3af''' - http://w3af.org
** w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
* '''skipfish''' - http://code.google.com/p/skipfish/
** Skipfish is an active web application security reconnaissance tool.
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
* '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
** Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
* '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
** Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
* '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
** Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.
* '''Firebug lite for Chrome"" - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench'''
**Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elements with your mouse, and live editing CSS properties
* '''Session Manager"" - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi'''
**With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
* '''Subgraph Vega''' - http://www.subgraph.com/products.html
**Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

=== Testing for specific vulnerabilities ===

==== Testing for JavaScript Security, DOM XSS ====
* BlueClosure BC Detect - http://www.blueclosure.com

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''

==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
* Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
* SQLInjector - Uses inference techniques to extract data and determine the backend database server. http://www.databasesecurity.com/sql-injector.htm
* Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections - http://code.google.com/p/bsqlbf-v2/
* Pangolin: An automatic SQL injection penetration testing tool - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper - http://www.ruizata.com/
* Multiple DBMS Sql Injection tool - SQL Power Injector - http://www.sqlpowerinjector.com/
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad

==== Testing SSL ====
* Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx
* O-Saft - https://www.owasp.org/index.php/O-Saft
* sslyze - https://github.com/iSECPartners/sslyze
* TestSSLServer - http://www.bolet.org/TestSSLServer/
* SSLScan - http://sourceforge.net/projects/sslscan/
* SSLScan windows - https://github.com/rbsec/sslscan/releases
* SSLLabs - https://www.ssllabs.com/ssltest/

==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
* Ncat - http://nmap.org/ncat/
* HashCat - http://hashcat.net/hashcat/#features-algos
* fgdump - http://foofus.net/goons/fizzgig/fgdump/
* Password Dictionary - https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker
* Metasploit - http://www.metasploit.com/
** A rapid exploit development and Testing frame work

==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
* Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/

==== Googling ====
* Bishop Fox's Google Hacking Diggity Project - http://www.bishopfox.com/resources/tools/google-hacking-diggity/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
* Google Hacking database - https://www.exploit-db.com/google-hacking-database/

==== Slow HTTP ====
* Slowloris http://ckers.org/slowloris
* slowhttptest https://github.com/shekyan/slowhttptest

==Commercial Black Box Testing tools==
* NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
* NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
* IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
* Trustwave App Scanner (Formerly Cenzic Hailstorm) - https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/
* Burp Intruder - http://www.portswigger.net/burp/intruder.html
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* Sleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft SOAtest (more QA-type tool)- http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
* MatriXay - http://www.dbappsecurity.com/webscan.html
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
* HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
* SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
* Netsparker - http://www.mavitunasecurity.com/netsparker/
* SAINT - http://www.saintcorporation.com/
* QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
* Indusface WAS- https://www.indusface.com/products/application-security/web-application-scanning
* Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx

==Linux Distrubtion==
* PenTestBox https://tools.pentestbox.com/
* Samurai https://sourceforge.net/p/samurai/wiki/Home/
* Santoku https://sourceforge.net/projects/santoku/
* ParrotSecurity https://sourceforge.net/projects/parrotsecurity/?source=navbar
* Kali https://www.kali.org/
* Matriux https://sourceforge.net/projects/matriux/?source=navbar
* BlackArch http://www.blackarch.org/downloads.html
* Cyborg Hawk Linux http://cyborg.ztrela.com/tools/
* PenToo http://www.pentoo.ch/download/
* bugtraq http://bugtraq-team.com/

==Source Code Analyzers==
===Open Source / Freeware===
* [[:Category:OWASP_Orizon_Project|Owasp Orizon]]
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net
* Find Security Bugs - https://find-sec-bugs.github.io/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Google CodeSearchDiggity - http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
* phpcs-security-audit - https://github.com/FloeDesignTechnologies/phpcs-security-audit
* PMD - http://pmd.sourceforge.net/
* Microsoft’s [[FxCop]]
* .NET Security Guard - https://dotnet-security-guard.github.io/
* Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
* Puma Scan - https://pumascan.com
* Splint - http://splint.org
* SonarQube - http://sonarqube.org
* W3af - http://w3af.sourceforge.net/

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
* Checkmarx CxSuite - http://www.checkmarx.com
* HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
* GrammaTech - http://www.grammatech.com
* ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
* Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
* ParaSoft - http://www.parasoft.com
* Puma Scan Professional - https://pumascanpro.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com
* Armorize CodeSecure - http://www.armorize.com/codesecure/
* Peach Fuzzer - http://www.peachfuzzer.com/
* Burp Suite - https://portswigger.net/burp/

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.
* BDD Security - https://github.com/continuumsecurity/bdd-security

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://seleniumhq.org/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/
* Seeker by Quotium - http://www.quotium.com/prod/security.php

===Binary Analysis===

* BugScam IDC Package - http://sourceforge.net/projects/bugscam
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html

[[Category:SAMM-CR-2]]

Static Code Analysis

2017-09-29T18:05:40Z

Ejohn20: Added puma scan professional to the commercial tools list.

Every '''[[Control]]''' should follow this template.

{{Template:Control}}
 
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the Integrated Development Environment (IDE). For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

==Techniques==
There are various techniques to analyze static source code for potential vulnerabilities that maybe combined into one solution. These techniques are often derived from compiler technologies.

===Data Flow Analysis===
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state (Wögerer, 2005).

There are three common terms used in data flow analysis, basic block (the code), Control Flow Analysis (the flow of data) and Control Flow Path (the path the data takes):

Basic block: A sequence of consecutive instructions where control enters at the beginning of a block, control leaves at the end of a block and the block cannot halt or branch out except at its end (Wögerer, 2005).

Example PHP basic block:

<pre>
1. $a = 0;
2. $b = 1;
3.
4. if ($a == $b)
5. { # start of block
6. echo “a and b are the same”;
7. } # end of block
8. else
9. { # start of block
10. echo “a and b are different”;
11.} # end of block
</pre>

=== Control Flow Graph (CFG) ===
An abstract graph representation of software by use of nodes that represent basic blocks. A node in a graph represents a block; directed edges are used to represent jumps (paths) from one block to another. If a node only has an exit edge, this is known as an ‘entry’ block, if a node only has a entry edge, this is know as an ‘exit’ block (Wögerer, 2005).

Example Control Flow Graph; ‘node 1’ represents the entry block and ‘node 6’ represents the exit block.

[[File:Control_flow_graph.png|400x200px]]

===Taint Analysis===
Taint Analysis attempts to identify variables that have been 'tainted' with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI.

===Lexical Analysis===
Lexical Analysis converts source code syntax into ‘tokens’ of information in an attempt to abstract the source code and make it easier to manipulate (Sotirov, 2005).

Pre tokenised PHP source code:

<pre>
<?php $name = "Ryan"; ?>
</pre>

Post tokenised PHP source code:

<pre>
T_OPEN_TAG
T_VARIABLE
=
T_CONSTANT_ENCAPSED_STRING
;
T_CLOSE_TAG
</pre>

==Strengths and Weaknesses==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Limitations==

===False Positives===
A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

===False Negatives===
The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of Vulnerabilities it can detect (The OWASP Top Ten?) (more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)
* Does it support Object-oriented programming (OOP)?

==Examples==

===RIPS PHP Static Code Analysis Tool===
[[File:Rips.jpg|400px|thum|]]

===OWASP LAPSE+ Static Code Analysis Tool===
[[File:LapsePlusScreenshot.png|400px|thum|]]

== Tools ==

===OWASP Tools===
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP Code Crawler] (.NET & Java)
* [https://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] (Java,PHP,C & JSP)
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]] (Java)
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]] (PHP)

=== Open Source/Free ===

* [http://sourceforge.net/projects/agnitiotool/ Agnitio] (Objective-C, C#, Java & Android)
* [http://brakemanscanner.org/ Brakeman] (Rails)
* [http://www.devbug.co.uk DevBug] (PHP)
* [http://findbugs.sourceforge.net/ FindBugs] (Java)
* [https://find-sec-bugs.github.io/ Find Security Bugs] (Java, Scala, Groovy)
* [http://www.dwheeler.com/flawfinder/ FlawFinder] (C/C++)
* [http://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx Microsoft FxCop] (.NET)
* [https://dotnet-security-guard.github.io/ .NET Security Guard] (C# and VB.net)
* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] (Multiple)
* [http://pmd.sourceforge.net/ PMD] (Java)
* [https://www.pumascan.com Puma Scan] (.NET)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx Microsoft PreFast] (C/C++)
* [http://sonarqube.com SonarQube] (20+ languages including Java, C#, and JavaScript)
* [http://www.splint.org Splint] (C)
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper] (C/C++, C#, VB, PHP, Java & PL/SQL)
* [http://rips-scanner.sourceforge.net/ RIPS] (PHP)
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] (PHP)

=== Commercial ===

* [https://www.fortify.com/ Fortify] (OWASP Member)
* [https://www.veracode.com/ Veracode] (OWASP Member)
* [http://www.grammatech.com/ GrammaTech]
* [http://www.parasoft.com/jsp/home.jsp ParaSoft]
* [http://www.armorize.com/codesecure/ Armorize CodeSecure] (OWASP Member)
* [http://www.checkmarx.com/ Checkmarx Static Code Analysis] (OWASP Member)
* [http://www-01.ibm.com/software/rational/products/appscan/source/ Rational AppScan Source Edition]
* [http://www.coverity.com/products/static-analysis.html Coverity]
* [http://www.viva64.com/en/ PVS-Studio]
* [https://pumascanpro.com Puma Scan Professional] (.NET)
* [http://www.klocwork.com/products/insight.asp Insight]
* [http://www.mathworks.com/products/polyspace/ Polyspace Static Analysis]
* [https://www.ripstech.com/ RIPS NextGen] (PHP)

===Other Tool Lists===

* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST - Source Code Security Analyzers]
* [http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis Wikipedia - List of tools for static code analysis]

==References==

[0] Ministry of Defence (MoD). (1997) ''SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT'' [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

== Further Reading ==

* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf OWASP Code Review Guide v1.1]
* http://www.crosstalkonline.org/storage/issue-archives/2003/200311/200311-German.pdf
* http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf
* http://www.php-security.org/downloads/rips.pdf
* http://www.seclab.tuwien.ac.at/papers/pixy.pdf

[[Category:FIXME|
In addition, one should classify control based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Control]]</nowiki>

Availability Control
Authorization Control
Authentication Control
Concurrency Control
Configuration Control
Cryptographic Control
Encoding Control
Error Handling Control
Input Validation Control
Logging and Auditing Control
Session Management Control
]]
__FORCETOC__

[[Category:Control]]

Source Code Analysis Tools

2017-09-29T18:03:57Z

Ejohn20: Added puma scan professional edition to the commercial tools list.

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. Ideally, such tools would automatically find security flaws with such a high degree of confidence that what's found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that just automatically finds flaws. If you are interested in the effectiveness of SAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including SAST.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and Weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your programming language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* How accurate is it? False Positive/False Negative rates?
** Does the tool have an OWASP [[Benchmark]] score?
* Does it understand the libraries/frameworks you use?
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* How hard is it to setup/use?
* Can it be run continuously and automatically?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [[OWASP SonarQube Project]]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]

==Disclaimer==

Disclaimer: The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

==Open Source or Free Tools Of This Type==

* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including a few security flaws) in Java programs
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for FingBugs that significantly improves FindBug's ability to find security vulnerabilities in Java programs
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. The tool comes with a number of predefined vulnerability detectors which can additionally be extended by the user.

==Commercial Tools Of This Type==

* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure)
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security) Latest generation source code analysis tool bugScout detects source code vulnerabilities and makes possible an accurate management of the life cycles due to its easy use.
* [http://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards CAST AIP] (CAST) Performs static and architectural analysis to check for: SQL Injection, Cross Site Scripting (XSS), Input Validation, Insecure Cryptographic Storage, Information Leakage and Improper Error Handling, Data Access, API Abuse, Encapsulation on over 30 languages.
* [https://www.codacy.com/ Codacy] is free for open source projects, and integrates with tools such as Brakeman, Bandit, FindBugs, and a number of others. It offers security patterns for languages such as Python, Ruby, Scala, Java, Javascript and more.
* [http://www.contrastsecurity.com/ Contrast from Contrast Security] Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (HP)
* [http://www.juliasoft.com/solutions Julia] - SaaS Java static analysis (JuliaSoft)
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)
* [https://www.kiuwan.com/code-analysis/ Kiuwan] - SaaS Software Quality & Security Analysis (an [http://www.optimyth.com Optimyth] company)
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) For C/C++, C#
* [https://pumascanpro.com/ Puma Scan Professional] - Puma Scan Professional is a .NET C# static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)

==More info==

* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__

Static Code Analysis

2017-08-07T14:29:05Z

Ejohn20: Added an open source scanning tool.

Every '''[[Control]]''' should follow this template.

{{Template:Control}}
 
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the Integrated Development Environment (IDE). For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

==Techniques==
There are various techniques to analyze static source code for potential vulnerabilities that maybe combined into one solution. These techniques are often derived from compiler technologies.

===Data Flow Analysis===
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state (Wögerer, 2005).

There are three common terms used in data flow analysis, basic block (the code), Control Flow Analysis (the flow of data) and Control Flow Path (the path the data takes):

Basic block: A sequence of consecutive instructions where control enters at the beginning of a block, control leaves at the end of a block and the block cannot halt or branch out except at its end (Wögerer, 2005).

Example PHP basic block:

<pre>
1. $a = 0;
2. $b = 1;
3.
4. if ($a == $b)
5. { # start of block
6. echo “a and b are the same”;
7. } # end of block
8. else
9. { # start of block
10. echo “a and b are different”;
11.} # end of block
</pre>

=== Control Flow Graph (CFG) ===
An abstract graph representation of software by use of nodes that represent basic blocks. A node in a graph represents a block; directed edges are used to represent jumps (paths) from one block to another. If a node only has an exit edge, this is known as an ‘entry’ block, if a node only has a entry edge, this is know as an ‘exit’ block (Wögerer, 2005).

Example Control Flow Graph; ‘node 1’ represents the entry block and ‘node 6’ represents the exit block.

[[File:Control_flow_graph.png|400x200px]]

===Taint Analysis===
Taint Analysis attempts to identify variables that have been 'tainted' with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI.

===Lexical Analysis===
Lexical Analysis converts source code syntax into ‘tokens’ of information in an attempt to abstract the source code and make it easier to manipulate (Sotirov, 2005).

Pre tokenised PHP source code:

<pre>
<?php $name = "Ryan"; ?>
</pre>

Post tokenised PHP source code:

<pre>
T_OPEN_TAG
T_VARIABLE
=
T_CONSTANT_ENCAPSED_STRING
;
T_CLOSE_TAG
</pre>

==Strengths and Weaknesses==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Limitations==

===False Positives===
A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

===False Negatives===
The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of Vulnerabilities it can detect (The OWASP Top Ten?) (more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)
* Does it support Object-oriented programming (OOP)?

==Examples==

===RIPS PHP Static Code Analysis Tool===
[[File:Rips.jpg|400px|thum|]]

===OWASP LAPSE+ Static Code Analysis Tool===
[[File:LapsePlusScreenshot.png|400px|thum|]]

== Tools ==

===OWASP Tools===
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP Code Crawler] (.NET & Java)
* [https://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] (Java,PHP,C & JSP)
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]] (Java)
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]] (PHP)

=== Open Source/Free ===

* [http://sourceforge.net/projects/agnitiotool/ Agnitio] (Objective-C, C#, Java & Android)
* [http://brakemanscanner.org/ Brakeman] (Rails)
* [http://www.devbug.co.uk DevBug] (PHP)
* [http://findbugs.sourceforge.net/ FindBugs] (Java)
* [http://www.dwheeler.com/flawfinder/ FlawFinder] (C/C++)
* [http://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx Microsoft FxCop] (.NET)
* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] (Multiple)
* [http://pmd.sourceforge.net/ PMD] (Java)
* [https://www.pumascan.com Puma Scan] (.NET)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx Microsoft PreFast] (C/C++)
* [http://sonarqube.com SonarQube] (20+ languages including Java, C#, and JavaScript)
* [http://www.splint.org Splint] (C)
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper] (C/C++, C#, VB, PHP, Java & PL/SQL)
* [http://rips-scanner.sourceforge.net/ RIPS] (PHP)

=== Commercial ===

* [https://www.fortify.com/ Fortify] (OWASP Member)
* [https://www.veracode.com/ Veracode] (OWASP Member)
* [http://www.grammatech.com/ GrammaTech]
* [http://www.parasoft.com/jsp/home.jsp ParaSoft]
* [http://www.armorize.com/codesecure/ Armorize CodeSecure] (OWASP Member)
* [http://www.checkmarx.com/ Checkmarx Static Code Analysis] (OWASP Member)
* [http://www-01.ibm.com/software/rational/products/appscan/source/ Rational AppScan Source Edition]
* [http://www.coverity.com/products/static-analysis.html Coverity]
* [http://www.viva64.com/en/ PVS-Studio]
* [http://www.klocwork.com/products/insight.asp Insight]
* [http://www.mathworks.com/products/polyspace/ Polyspace Static Analysis]
* [https://www.ripstech.com/ RIPS NextGen] (PHP)

===Other Tool Lists===

* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST - Source Code Security Analyzers]
* [http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis Wikipedia - List of tools for static code analysis]

==References==

[0] Ministry of Defence (MoD). (1997) ''SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT'' [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

== Further Reading ==

* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf OWASP Code Review Guide v1.1]
* http://www.crosstalkonline.org/storage/issue-archives/2003/200311/200311-German.pdf
* http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf
* http://www.php-security.org/downloads/rips.pdf
* http://www.seclab.tuwien.ac.at/papers/pixy.pdf

[[Category:FIXME|
In addition, one should classify control based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Control]]</nowiki>

Availability Control
Authorization Control
Authentication Control
Concurrency Control
Configuration Control
Cryptographic Control
Encoding Control
Error Handling Control
Input Validation Control
Logging and Auditing Control
Session Management Control
]]
__FORCETOC__

[[Category:Control]]

Source Code Analysis Tools

2017-05-20T13:04:11Z

Ejohn20: Added Puma Scan - an open source C# scanner.

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. Ideally, such tools would automatically find security flaws with such a high degree of confidence that what's found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that just automatically finds flaws. If you are interested in the effectiveness of SAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including SAST.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and Weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your programming language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* How accurate is it? False Positive/False Negative rates?
** Does the tool have an OWASP [[Benchmark]] score?
* Does it understand the libraries/frameworks you use?
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* How hard is it to setup/use?
* Can it be run continuously and automatically?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]

==Disclaimer==

Disclaimer: The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

==Open Source or Free Tools Of This Type==

* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including a few security flaws) in Java programs
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for FingBugs that significantly improves FindBug's ability to find security vulnerabilities in Java programs
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. The tool comes with a number of predefined vulnerability detectors which can additionally be extended by the user.

==Commercial Tools Of This Type==

* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure)
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security) Latest generation source code analysis tool bugScout detects source code vulnerabilities and makes possible an accurate management of the life cycles due to its easy use.
* [https://www.codacy.com/ Codacy] is free for open source projects, and integrates with tools such as Brakeman, Bandit, FindBugs, and a number of others. It offers security patterns for languages such as Python, Ruby, Scala, Java, Javascript and more.
* [http://www.contrastsecurity.com/ Contrast from Contrast Security] Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (HP)
* [http://www.juliasoft.com/solutions Julia] - SaaS Java static analysis (JuliaSoft)
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)
* [https://www.kiuwan.com/code-analysis/ Kiuwan] - SaaS Software Quality & Security Analysis (an [http://www.optimyth.com Optimyth] company)
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) For C/C++, C#
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)

==More info==

* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__