Source Code Analysis Tools

Page dedicated to the analysis and comment of Source Code Audit tools:

Description

TBD

Strengths and Weaknesses

Important Selection Criteria

• Requirement: Must support your language, but not usually a key factor once it does.

• Types of Vulnerabilities it can detect (Out of the OWASP Top Ten?) (plus more?)
• Does it require a fully buildable set of source?
• Can it run against binaries instead of source?
• Can it be integrated into the developer's IDE?

OWASP Tools Of This Type

• OWASP_LAPSE_Project

Open Source or Free Tools Of This Type

• Microsoft - FxCop: Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
• Microsoft - PreFix
• Microsoft - PreFast
• SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
• Secure Software - RATS - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions

Commercial Tools from OWASP Members Of This Type

• Fortify - Source Code Analysis
• Secure Software - CodeAssure

Other Well Known Commercial Tools Of This Type

• Ounce Labs - Ounce
• Coverity - Prevent

More Info

• add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html
• http://www.owasp.org/index.php/Appendix_A:_Testing_Tools