The OWASP Software Security Assessment and Testing Tools Profiles Project will create a Wiki of current, directly comparable, unbiased information about commercial and open source Software Security Assessment and Testing Tools. Tool descriptions and evaluations exist elsewhere online and offline, e.g., Wikipedia and the NIST SAMATE portal, including the 2008 Naval Ordnance Safety & Security Activity Software Security Assessment Tools Review on the SAMATE portal. On Wikipedia, the quantity and quality of information varies widely due to lack of a standard template for capturing tool information. Government sources are often obsolete by the time they are published, and are seldom updated. Other sources provide different types of information, which is often biased.
The OWASP tools Profiles differ from other sources by providing a standard set of information about each tool, allowing for direct comparisons between tools. The initial Profiles are wiki versions of the NOSSA tool descriptions, which we recognize are outdated. The wiki format enables the tool's developer, users, and other stakeholders to easily review and revise/update the information, and the Profile template also includes a field for adding non-standard information. A blank Profile wiki template is also provided for creating new tool Profiles. The tool Profiles will also be updated to add information from SAMATE's source code analyzer descriptions, with the Profile template expanded with new information categories if necessary. The wiki format will also allow for future expansion of the Project to cover other types of software/application security tools.
SAMATE Source Code Analyzers Page
http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
SSATR Template use this template to add another tool
Appendix A-2
SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-2
| Product
|
AgileJ StructureViews
|
| Description
|
Commercial Java visualization product that is deployed as an Eclipse Feature. The product brings together aspects of the Eclipse JDT Java Model, Set Theory, Class Diagrams, and XP/Agile Methods. The output resembles reverse engineered CASE tool drawings. The Eclipse JDT model performs a number of functions in the Eclipse Java IDE, including populating the package explorer and type hierarchy trees. AgileJ StructureViews taps into that same source of information to populate its class diagrams. The visualizations are UML class diagrams, which can be printed or exported as JPEG images. Class diagrams appear alongside the source file editor in the Eclipse IDE, and navigation is possible from any element on a diagram back to its source code. To comply with the XP goal of minimal documentation, no presentation-specific information is stored with a diagram. From the list of class names, all other information, including class members, inner classes, inheritances, associations and dependencies, is derived from Eclipse. The intention is that the diagrams only serve to increase comprehension of the coding model which they illustrate
|
| URL
|
http://www.agilej.com/
|
| Supported Languages
|
Java
|
| Supported Platforms Where Tool Runs
|
Eclipse
|
| Supported Platform Where Target Resides
|
|
| Supported Compilers
|
N/A
|
| Can Tool be used Remotely?
|
No
|
| Finds or Checks for: (Tool Category)
|
Risk Analysis
|
| Lifecycle Position(s)
|
Design, Testing
|
| Scalability (Ability to scan up to 1,000,000 LOC?)
|
N/A
|
| Ability to Identify Comments in Code
|
N/A
|
| Ability to Discover Debug Code
|
N/A
|
| Ability to Discover Unused Code
|
N/A
|
| Tool uses CWE Definitions of Vulnerabilities
|
No
|
| Frequency of Rule Base Updates by Tool Provider
|
N/A
|
| Ability of Testers to Modify Existing Rule Bases
|
N/A
|
| Ability of Testers to Add New Rule Bases
|
N/A
|
| Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive?
|
N/A
|
| Cost (Hourly/ Flat Fee) [AVAILABILITY]
|
Commercial
|
| Licensing
|
|
| Vendor Technical Support
|
Yes
|
| Vendor Services / Professional services support
|
No
|
| Required training or experience level to operate
|
High
|
| Vendor provided (or 3rd party provided) training available
|
No
|
| Comments
|
|
Appendix A-3
SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-3
| Product
|
antiparser
|
| Description
|
A fuzz testing and fault injection API
|
| URL
|
http://antiparser.sourceforge.net/
|
| Supported Languages
|
N/A
|
| Supported Platforms Where Tool Runs
|
|
| Supported Platform Where Target Resides
|
|
| Supported Compilers
|
N/A
|
| Can Tool be used Remotely?
|
|
| Finds or Checks for: (Tool Category)
|
Fuzz Testing
|
| Lifecycle Position(s)
|
Testing
|
| Scalability (Ability to scan up to 1,000,000 LOC?)
|
N/A
|
| Ability to Identify Comments in Code
|
No
|
| Ability to Discover Debug Code
|
No
|
| Ability to Discover Unused Code
|
No
|
| Tool uses CWE Definitions of Vulnerabilities
|
No
|
| Frequency of Rule Base Updates by Tool Provider
|
Unknown
|
| Ability of Testers to Modify Existing Rule Bases
|
Yes
|
| Ability of Testers to Add New Rule Bases
|
Yes
|
| Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive?
|
No
|
| Cost (Hourly/ Flat Fee) [AVAILABILITY]
|
Free
|
| Licensing
|
GPL
|
| Vendor Technical Support
|
No
|
| Vendor Services / Professional services support
|
No
|
| Required training or experience level to operate
|
Medium
|
| Vendor provided (or 3rd party provided) training available
|
No
|
| Comments
|
|
APPENDIX A-4
SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-4
| Product
|
Aspect Security AspectCheck
|
| Description
|
Aspect Security uses AspectCheck in code review services to check for security-critical calls
|
| URL
|
www.aspectsecurity.com/
|
| Supported Languages
|
ASP.Net, C#, Java, VB.Net
|
| Supported Platforms Where Tool Runs
|
|
| Supported Platform Where Target Resides
|
|
| Supported Compilers
|
|
| Can Tool be used Remotely?
|
No
|
| Finds or Checks for: (Tool Category)
|
Bytecode analysis
|
| Lifecycle Position(s)
|
Testing
|
| Scalability (Ability to scan up to 1,000,000 LOC?)
|
Unknown
|
| Ability to Identify Comments in Code
|
Unknown
|
| Ability to Discover Debug Code
|
Unknown
|
| Ability to Discover Unused Code
|
Unknown
|
| Tool uses CWE Definitions of Vulnerabilities
|
Unknown
|
| Frequency of Rule Base Updates by Tool Provider
|
Unknown
|
| Ability of Testers to Modify Existing Rule Bases
|
Unknown
|
| Ability of Testers to Add New Rule Bases
|
Unknown
|
| Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive?
|
Unknown
|
| Cost (Hourly/ Flat Fee) [AVAILABILITY]
|
Commercial Service
|
| Licensing
|
|
| Vendor Technical Support
|
Unknown
|
| Vendor Services / Professional services support
|
Yes
|
| Required training or experience level to operate
|
Unknown
|
| Vendor provided (or 3rd party provided) training available
|
Unknown
|
| Comments
|
|
APPENDIX A-5=
SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-5
| Product
|
ASTRÉE
|
| Description
|
Identifies undefined code constructs or run-time errors, such as out-of-bounds array indexing or arithmetic overflow.
|
| URL
|
http://www.astree.ens.fr/
|
| Supported Languages
|
C
|
| Supported Platforms Where Tool Runs
|
Unix, Linux
|
| Supported Platform Where Target Resides
|
|
| Supported Compilers
|
|
| Can Tool be used Remotely?
|
No
|
| Finds or Checks for: (Tool Category)
|
Source Code Analyzer
|
| Lifecycle Position(s)
|
Testing
|
| Scalability (Ability to scan up to 1,000,000 LOC?)
|
Advertises significant scalability
|
| Ability to Identify Comments in Code
|
|
| Ability to Discover Debug Code
|
|
| Ability to Discover Unused Code
|
|
| Tool uses CWE Definitions of Vulnerabilities
|
No
|
| Frequency of Rule Base Updates by Tool Provider
|
None
|
| Ability of Testers to Modify Existing Rule Bases
|
N/A
|
| Ability of Testers to Add New Rule Bases
|
N/A
|
| Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive?
|
No
|
| Cost (Hourly/ Flat Fee) [AVAILABILITY]
|
Research & Development Tool, Linux version is free
|
| Licensing
|
BSD
|
| Vendor Technical Support
|
None
|
| Vendor Services / Professional services support
|
None
|
| Required training or experience level to operate
|
High
|
| Vendor provided (or 3rd party provided) training available
|
None
|
| Comments
|
No updates being made to tool
|
