Difference between revisions of "Source Code Analysis Tools"
m (Source Code Audit Tools moved to Source Code Analysis Tools) |
|||
| Line 1: | Line 1: | ||
Page dedicated to the analysis and comment of Source Code Audit tools: | Page dedicated to the analysis and comment of Source Code Audit tools: | ||
| + | ==Description== | ||
| − | == | + | TBD |
| + | |||
| + | ==Strengths and Weaknesses== | ||
| + | |||
| + | ==Important Selection Criteria== | ||
| + | |||
| + | * Requirement: Must support your language, but not usually a key factor once it does. | ||
| + | |||
| + | * Types of Vulnerabilities it can detect (Out of the OWASP Top Ten?) (plus more?) | ||
| + | * Does it require a fully buildable set of source? | ||
| + | * Can it run against binaries instead of source? | ||
| + | * Can it be integrated into the developer's IDE? | ||
| + | |||
| + | ==OWASP Tools Of This Type== | ||
* [http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project OWASP_LAPSE_Project] | * [http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project OWASP_LAPSE_Project] | ||
| − | * [http://www.securitycompass.com/swaat.html SWAAT] | + | |
| − | * [http://www.fortifysoftware.com/products/sca.jsp Fortify Source Code Analysis] | + | ==Open Source or Free Tools Of This Type== |
| + | |||
| + | * [http://www.gotdotnet.com/Team/FxCop/ Microsoft - FxCop: Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines] | ||
| + | * Microsoft - PreFix | ||
| + | * Microsoft - PreFast | ||
| + | * [http://www.securitycompass.com/swaat.html SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP] | ||
| + | * [http://www.securesoftware.com/resources/download_rats.html Secure Software - RATS - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions] | ||
| + | |||
| + | ==Commercial Tools from OWASP Members Of This Type== | ||
| + | |||
| + | * [http://www.fortifysoftware.com/products/sca.jsp Fortify - Source Code Analysis] | ||
| + | * [http://www.securesoftware.com/products/ Secure Software - CodeAssure] | ||
| + | |||
| + | ==Other Well Known Commercial Tools Of This Type== | ||
| + | |||
| + | * [http://www.ouncelabs.com/ Ounce Labs - Ounce] | ||
| + | * [http://www.coverity.com/products/prevent.html Coverity - Prevent] | ||
| + | |||
| + | ==More Info== | ||
| + | |||
* add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html | * add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html | ||
* http://www.owasp.org/index.php/Appendix_A:_Testing_Tools | * http://www.owasp.org/index.php/Appendix_A:_Testing_Tools | ||
| − | |||
| + | [[Category:OWASP .NET Project]] | ||
| − | [[Category:OWASP | + | [[Category:OWASP Tools Project]] |
| − | + | __NOTOC__ | |
Revision as of 01:41, 28 October 2006
Page dedicated to the analysis of, and commentary on, source code audit tools:
Description
TBD
Strengths and Weaknesses
Important Selection Criteria
- Requirement: it must support your language; once it does, language support is not usually a key factor.
- Types of vulnerabilities it can detect (how many of the OWASP Top Ten, and what beyond them?)
- Does it require a fully buildable set of source?
- Can it run against binaries instead of source?
- Can it be integrated into the developer's IDE?
OWASP Tools Of This Type
- OWASP LAPSE Project (http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project)
Open Source or Free Tools Of This Type
- Microsoft - FxCop: Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
- Microsoft - PreFix
- Microsoft - PreFast
- SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
- Secure Software - RATS - Scans C, C++, Perl, PHP and Python source code for security problems such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions