This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Software Security Assessment Tool Review"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 +
==Description==
 +
The OWASP Software Security Assessment and Testing Tools Profiles Project will create a Wiki of current, directly comparable, unbiased information about commercial and open source Software Security Assessment and Testing Tools. Tool descriptions and evaluations exist elsewhere online and offline, e.g., Wikipedia and the NIST SAMATE portal, including the 2008 Naval Ordnance Safety & Security Activity Software Security Assessment Tools Review on the SAMATE portal. On Wikipedia, the quantity and quality of information varies widely due to lack of a standard template for capturing tool information. Government sources are often obsolete by the time they are published, and are seldom updated. Other sources provide different types of information, which is often biased.
 +
The OWASP tools Profiles differ from other sources by providing a standard set of information about each tool, allowing for direct comparisons between tools. The initial Profiles are wiki versions of the NOSSA tool descriptions, which we recognize are outdated. The wiki format enables the tool's developer, users, and other stakeholders to easily review and revise/update the information, and the Profile template also includes a field for adding non-standard information. A blank Profile wiki template is also provided for creating new tool Profiles. The tool Profiles will also be updated to add information from SAMATE's source code analyzer descriptions, with the Profile template expanded with new information categories if necessary. The wiki format will also allow for future expansion of the Project to cover other types of software/application security tools.
  
 +
SAMATE Source Code Analyzers Page
 +
[http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html <u>http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html</u>]<br>
 +
[[SSATR Template]] use this template to add another tool
  
 +
===Appendix A-2===
 
{| width="80%" border="2" cellspacing="2" cellpadding="2"
 
{| width="80%" border="2" cellspacing="2" cellpadding="2"
|+ '''APPENDIX A: TOOL MATRIX TEMPLATE'''
+
|+ '''SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-2'''
 
|- valign="top"
 
|- valign="top"
 
| width="40%" style="background: #FFCC99" | '''Product'''
 
| width="40%" style="background: #FFCC99" | '''Product'''
| width="40%" style="background: #FFCC99"  |  
+
| width="40%" style="background: #FFCC99"  | AgileJ StructureViews
 
|- valign="top"
 
|- valign="top"
 
| style="background: #FFCC99"  | '''Description'''
 
| style="background: #FFCC99"  | '''Description'''
| style="background: #FFCC99"  |  
+
| style="background: #FFCC99"  | Commercial Java visualization product that is deployed as an Eclipse Feature. The product brings together aspects of the Eclipse JDT Java Model, Set Theory, Class Diagrams, and XP/Agile Methods. The output resembles reverse engineered CASE tool drawings. The Eclipse JDT model performs a number of functions in the Eclipse Java IDE, including populating the package explorer and type hierarchy trees. AgileJ StructureViews taps into that same source of information to populate its class diagrams. The visualizations are UML class diagrams, which can be printed or exported as JPEG images. Class diagrams appear alongside the source file editor in the Eclipse IDE, and navigation is possible from any element on a diagram back to its source code. To comply with the XP goal of minimal documentation, no presentation-specific information is stored with a diagram. From the list of class names, all other information, including class members, inner classes, inheritances, associations and dependencies, is derived from Eclipse. The intention is that the diagrams only serve to increase comprehension of the coding model which they illustrate
 
|- valign="top"
 
|- valign="top"
 
| style="background: #FFCC99" | '''URL'''
 
| style="background: #FFCC99" | '''URL'''
| style="background: #FFCC99" |  
+
| style="background: #FFCC99" | [http://www.agilej.com/ <u>http://www.agilej.com/ </u>]
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Supported Languages'''
 
| style="background: #CCFFFF" | '''Supported Languages'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | Java
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Supported Platforms Where Tool Runs'''
 
| style="background: #CCFFFF" | '''Supported Platforms Where Tool Runs'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | Eclipse
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Supported Platform Where Target Resides'''
 
| style="background: #CCFFFF" | '''Supported Platform Where Target Resides'''
Line 23: Line 30:
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Supported Compilers '''
 
| style="background: #CCFFFF" | '''Supported Compilers '''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Can Tool be used Remotely?'''
 
| style="background: #CCFFFF" | '''Can Tool be used Remotely?'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | No
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Finds or Checks for: (Tool Category)'''
 
| style="background: #CCFFFF" | '''Finds or Checks for: (Tool Category)'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | Risk Analysis
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Lifecycle Position(s)'''
 
| style="background: #CCFFFF" | '''Lifecycle Position(s)'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | Design, Testing
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Scalability (Ability to scan up to 1,000,000 LOC?)'''
 
| style="background: #CCFFFF" | '''Scalability (Ability to scan up to 1,000,000 LOC?)'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Ability to Identify Comments in Code'''
 
| style="background: #CCFFFF" | '''Ability to Identify Comments in Code'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Ability to Discover Debug Code'''
 
| style="background: #CCFFFF" | '''Ability to Discover Debug Code'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Ability to Discover Unused Code'''
 
| style="background: #CCFFFF" | '''Ability to Discover Unused Code'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Tool uses CWE Definitions of Vulnerabilities'''
 
| style="background: #CCFFFF" | '''Tool uses CWE Definitions of Vulnerabilities'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | No
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Frequency of Rule Base Updates by Tool Provider '''
 
| style="background: #CCFFFF" | '''Frequency of Rule Base Updates by Tool Provider '''
| style="background: #CCFFFF" |
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Ability of Testers to Modify Existing Rule Bases '''
 
| style="background: #CCFFFF" | '''Ability of Testers to Modify Existing Rule Bases '''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Ability of Testers to Add New Rule Bases'''
 
| style="background: #CCFFFF" | '''Ability of Testers to Add New Rule Bases'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive?'''
 
| style="background: #CCFFFF" | '''Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive?'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | N/A
 
|- valign="top"
 
|- valign="top"
 
| style="background: #CCFFFF" | '''Cost (Hourly/ Flat Fee) [AVAILABILITY]'''
 
| style="background: #CCFFFF" | '''Cost (Hourly/ Flat Fee) [AVAILABILITY]'''
| style="background: #CCFFFF" |  
+
| style="background: #CCFFFF" | Commercial
 
|- valign="top"
 
|- valign="top"
 
| style="background: #FFFF99" | '''Licensing'''
 
| style="background: #FFFF99" | '''Licensing'''
Line 68: Line 75:
 
|- valign="top"
 
|- valign="top"
 
| style="background: #FFFF99" | '''Vendor Technical Support'''
 
| style="background: #FFFF99" | '''Vendor Technical Support'''
| style="background: #FFFF99" |
+
| style="background: #FFFF99" | Yes
 
|- valign="top"
 
|- valign="top"
 
| style="background: #FFFF99" | '''Vendor Services / Professional services support'''
 
| style="background: #FFFF99" | '''Vendor Services / Professional services support'''
| style="background: #FFFF99" |  
+
| style="background: #FFFF99" | No
 
|- valign="top"
 
|- valign="top"
 
| style="background: #FFFF99" | '''Required training or experience level to operate'''
 
| style="background: #FFFF99" | '''Required training or experience level to operate'''
| style="background: #FFFF99" |  
+
| style="background: #FFFF99" | High
 
|- valign="top"
 
|- valign="top"
 
| style="background: #FFFF99" | '''Vendor provided (or 3rd party provided) training available'''
 
| style="background: #FFFF99" | '''Vendor provided (or 3rd party provided) training available'''
| style="background: #FFFF99" |  
+
| style="background: #FFFF99" | No
 
|- valign="top"
 
|- valign="top"
 
| style="background: #FFFF99" | '''Comments'''
 
| style="background: #FFFF99" | '''Comments'''
 +
| style="background: #FFFF99" |
 +
|}
 +
 +
===Appendix A-3===
 +
{| width="80%" border="2" cellspacing="2" cellpadding="2"
 +
|+ '''SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-3'''
 +
|- valign="top"
 +
| width="40%" style="background: #FFCC99" |'''Product'''
 +
| width="40%" style="background: #FFCC99" |antiparser
 +
|- valign="top"
 +
| style="background: #FFCC99" |'''Description'''
 +
| style="background: #FFCC99" |A fuzz testing and fault injection API
 +
|- valign="top"
 +
| style="background: #FFCC99" |'''URL'''
 +
| style="background: #FFCC99" |[http://antiparser.sourceforge.net/ <u>http://antiparser.sourceforge.net/ </u>]
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Supported Languages'''
 +
| style="background: #CCFFFF" |N/A
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Supported Platforms Where Tool Runs'''
 +
| style="background: #CCFFFF" |
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Supported Platform Where Target Resides'''
 +
| style="background: #CCFFFF" |
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Supported Compilers '''
 +
| style="background: #CCFFFF" |N/A
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Can Tool be used Remotely?'''
 +
| style="background: #CCFFFF" |
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Finds or Checks for: (Tool Category)'''
 +
| style="background: #CCFFFF" |Fuzz Testing
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Lifecycle Position(s)'''
 +
| style="background: #CCFFFF" |Testing
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Scalability (Ability to scan up to 1,000,000 LOC?)'''
 +
| style="background: #CCFFFF" |N/A
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Ability to Identify Comments in Code'''
 +
| style="background: #CCFFFF" |No
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Ability to Discover Debug Code'''
 +
| style="background: #CCFFFF" |No
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Ability to Discover Unused Code'''
 +
| style="background: #CCFFFF" |No
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Tool uses CWE Definitions of Vulnerabilities'''
 +
| style="background: #CCFFFF" |No
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Frequency of Rule Base Updates by Tool Provider '''
 +
| style="background: #CCFFFF" |Unknown
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Ability of Testers to Modify Existing Rule Bases '''
 +
| style="background: #CCFFFF" |Yes
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Ability of Testers to Add New Rule Bases'''
 +
| style="background: #CCFFFF" |Yes
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive?'''
 +
| style="background: #CCFFFF" |No
 +
|- valign="top"
 +
| style="background: #CCFFFF" |'''Cost (Hourly/ Flat Fee) [AVAILABILITY]'''
 +
| style="background: #CCFFFF" |Free
 +
|- valign="top"
 +
| style="background: #FFFF99" |'''Licensing'''
 +
| style="background: #FFFF99" |GPL
 +
|- valign="top"
 +
| style="background: #FFFF99" |'''Vendor Technical Support'''
 +
| style="background: #FFFF99" |No
 +
|- valign="top"
 +
| style="background: #FFFF99" |'''Vendor Services / Professional services support'''
 +
| style="background: #FFFF99" |No
 +
|- valign="top"
 +
| style="background: #FFFF99" |'''Required training or experience level to operate'''
 +
| style="background: #FFFF99" |Medium
 +
|- valign="top"
 +
| style="background: #FFFF99" |'''Vendor provided (or 3rd party provided) training available'''
 +
| style="background: #FFFF99" |No
 +
|- valign="top"
 +
| style="background: #FFFF99" |'''Comments'''
 
| style="background: #FFFF99" |
 
| style="background: #FFFF99" |
 
|}
 
|}

Revision as of 21:37, 17 February 2012

Description

The OWASP Software Security Assessment and Testing Tools Profiles Project will create a Wiki of current, directly comparable, unbiased information about commercial and open source Software Security Assessment and Testing Tools. Tool descriptions and evaluations exist elsewhere online and offline, e.g., Wikipedia and the NIST SAMATE portal, including the 2008 Naval Ordnance Safety & Security Activity Software Security Assessment Tools Review on the SAMATE portal. On Wikipedia, the quantity and quality of information varies widely due to lack of a standard template for capturing tool information. Government sources are often obsolete by the time they are published, and are seldom updated. Other sources provide different types of information, which is often biased. The OWASP tools Profiles differ from other sources by providing a standard set of information about each tool, allowing for direct comparisons between tools. The initial Profiles are wiki versions of the NOSSA tool descriptions, which we recognize are outdated. The wiki format enables the tool's developer, users, and other stakeholders to easily review and revise/update the information, and the Profile template also includes a field for adding non-standard information. A blank Profile wiki template is also provided for creating new tool Profiles. The tool Profiles will also be updated to add information from SAMATE's source code analyzer descriptions, with the Profile template expanded with new information categories if necessary. The wiki format will also allow for future expansion of the Project to cover other types of software/application security tools.

SAMATE Source Code Analyzers Page http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
SSATR Template use this template to add another tool

Appendix A-2

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-2
Product AgileJ StructureViews
Description Commercial Java visualization product that is deployed as an Eclipse Feature. The product brings together aspects of the Eclipse JDT Java Model, Set Theory, Class Diagrams, and XP/Agile Methods. The output resembles reverse engineered CASE tool drawings. The Eclipse JDT model performs a number of functions in the Eclipse Java IDE, including populating the package explorer and type hierarchy trees. AgileJ StructureViews taps into that same source of information to populate its class diagrams. The visualizations are UML class diagrams, which can be printed or exported as JPEG images. Class diagrams appear alongside the source file editor in the Eclipse IDE, and navigation is possible from any element on a diagram back to its source code. To comply with the XP goal of minimal documentation, no presentation-specific information is stored with a diagram. From the list of class names, all other information, including class members, inner classes, inheritances, associations and dependencies, is derived from Eclipse. The intention is that the diagrams only serve to increase comprehension of the coding model which they illustrate
URL http://www.agilej.com/
Supported Languages Java
Supported Platforms Where Tool Runs Eclipse
Supported Platform Where Target Resides
Supported Compilers N/A
Can Tool be used Remotely? No
Finds or Checks for: (Tool Category) Risk Analysis
Lifecycle Position(s) Design, Testing
Scalability (Ability to scan up to 1,000,000 LOC?) N/A
Ability to Identify Comments in Code N/A
Ability to Discover Debug Code N/A
Ability to Discover Unused Code N/A
Tool uses CWE Definitions of Vulnerabilities No
Frequency of Rule Base Updates by Tool Provider N/A
Ability of Testers to Modify Existing Rule Bases N/A
Ability of Testers to Add New Rule Bases N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? N/A
Cost (Hourly/ Flat Fee) [AVAILABILITY] Commercial
Licensing
Vendor Technical Support Yes
Vendor Services / Professional services support No
Required training or experience level to operate High
Vendor provided (or 3rd party provided) training available No
Comments

Appendix A-3

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-3
Product antiparser
Description A fuzz testing and fault injection API
URL http://antiparser.sourceforge.net/
Supported Languages N/A
Supported Platforms Where Tool Runs
Supported Platform Where Target Resides
Supported Compilers N/A
Can Tool be used Remotely?
Finds or Checks for: (Tool Category) Fuzz Testing
Lifecycle Position(s) Testing
Scalability (Ability to scan up to 1,000,000 LOC?) N/A
Ability to Identify Comments in Code No
Ability to Discover Debug Code No
Ability to Discover Unused Code No
Tool uses CWE Definitions of Vulnerabilities No
Frequency of Rule Base Updates by Tool Provider Unknown
Ability of Testers to Modify Existing Rule Bases Yes
Ability of Testers to Add New Rule Bases Yes
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? No
Cost (Hourly/ Flat Fee) [AVAILABILITY] Free
Licensing GPL
Vendor Technical Support No
Vendor Services / Professional services support No
Required training or experience level to operate Medium
Vendor provided (or 3rd party provided) training available No
Comments
Retrieved from "https://wiki.owasp.org/index.php?title=Software_Security_Assessment_Tool_Review&oldid=124474"