Difference between revisions of "Source Code Analysis Tools"
From OWASP
(→Commercial Tools from OWASP Members Of This Type) |
|||
| Line 29: | Line 29: | ||
==Commercial Tools from OWASP Members Of This Type== | ==Commercial Tools from OWASP Members Of This Type== | ||
| + | |||
| + | These vendors have decided to support OWASP by becoming [[Membership|members]]. OWASP appreciates the support from these organizations, but cannnot endorse any commercial products or services. | ||
* [http://www.fortifysoftware.com/products/sca.jsp Fortify - Source Code Analysis] | * [http://www.fortifysoftware.com/products/sca.jsp Fortify - Source Code Analysis] | ||
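Review bot: the added disclaimer line has a typo, "cannnot" should be "cannot"; suggest "OWASP appreciates the support from these organizations, but cannot endorse any commercial products or services." The rest of the hunk (heading and Fortify entry) is unchanged context and needs nothing.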
Revision as of 02:22, 31 October 2006
This page is dedicated to the analysis of, and commentary on, source code audit tools:
Description
TBD
Strengths and Weaknesses
Important Selection Criteria
- Language support: a hard requirement, but rarely the deciding factor once it is met.
- Types of vulnerabilities it can detect (how much of the OWASP Top Ten, and what beyond it?)
- Does it require a fully buildable set of source?
- Can it run against binaries instead of source?
- Can it be integrated into the developer's IDE?
OWASP Tools Of This Type
Open Source or Free Tools Of This Type
- Microsoft - FxCop: Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
- Microsoft - PreFix
- Microsoft - PreFast
- SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
- Secure Software - RATS - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
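As an added illustration of how a lexical scanner of the kind listed above works, and where it falls short, the following Python is not code from this page or from any of these tools; it is a constructed miniature in the spirit of RATS. Run over a constructed C sample, it flags unbounded string calls and an access()-then-open() check/use pair on the same path expression. The bounded snprintf is correctly skipped, but the strcpy from a string constant is reported as well: the scanner matches function names, not data flow, which is the central weakness of this class of tool. Names such as `scan_c_source`, the call tables and the window size are assumptions of the example.

```python
"""Minimal lexical source scanner (constructed example, not RATS itself).

Flags dangerous C library calls and access()/stat() followed by a use of
the same path within a few lines (TOCTOU).  Works on text, not an AST, so
it cannot see data flow and will report some safe code.
"""
import re
from typing import Dict, List

# Calls a lexical scanner flags on sight, with the reason (assumed table).
DANGEROUS_CALLS = {
    "gets":    "unbounded read into a buffer",
    "strcpy":  "no length check on destination",
    "strcat":  "no length check on destination",
    "sprintf": "no length check on destination",
}

# Check-then-use pairs: a check on a path, then a use of the same path.
TOCTOU_CHECKS = {"access", "stat", "lstat"}
TOCTOU_USES = {"open", "fopen", "chmod", "chown", "unlink", "rename"}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")      # identifier followed by '('
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*")           # single-line comments only


def _first_arg(code: str, start: int) -> str:
    """Text of the first argument starting at `start` (just past the '('),
    cut at the first ',', '(' or ')'."""
    end = start
    while end < len(code) and code[end] not in ",()":
        end += 1
    return code[start:end].strip()


def scan_c_source(source: str, window: int = 5) -> List[Dict]:
    """Return findings as dicts with line, call, kind and reason."""
    findings: List[Dict] = []
    recent_checks = []  # (line_no, path_expression) seen in access()/stat()
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = COMMENT_RE.sub("", line)
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            arg = _first_arg(code, m.end())
            if name in DANGEROUS_CALLS:
                findings.append({"line": line_no, "call": name,
                                 "kind": "unsafe-call",
                                 "reason": DANGEROUS_CALLS[name]})
            if name in TOCTOU_CHECKS:
                recent_checks.append((line_no, arg))
            elif name in TOCTOU_USES:
                for check_line, path in recent_checks:
                    if path == arg:
                        findings.append({"line": line_no, "call": name,
                                         "kind": "toctou",
                                         "reason": f"{path} checked on line "
                                                   f"{check_line}, used here"})
        # Forget checks that are older than the window.
        recent_checks = [c for c in recent_checks if line_no - c[0] < window]
    return findings


# Constructed C sample: two real bugs, one bounded call, one false positive.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

int main(int argc, char **argv) {
    char buf[64];
    strcpy(buf, argv[1]);                 /* line 8: unbounded copy */
    if (access(argv[2], W_OK) == 0) {     /* line 9: check ...      */
        int fd = open(argv[2], O_WRONLY); /* line 10: ... then use  */
        close(fd);
    }
    snprintf(buf, sizeof buf, "%s", argv[1]); /* bounded: not flagged */
    strcpy(buf, "const");                 /* line 14: safe, but flagged */
    return 0;
}
"""

if __name__ == "__main__":
    for f in scan_c_source(SAMPLE_C):
        print(f"line {f['line']}: {f['call']} [{f['kind']}] {f['reason']}")
```

The window-based pairing is what keeps the TOCTOU check useful on real code; a production tool would also track the path through variables, which this text-level scan cannot do.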
Commercial Tools from OWASP Members Of This Type
These vendors have decided to support OWASP by becoming members. OWASP appreciates the support from these organizations, but cannot endorse any commercial products or services.