
Software Security Assessment Tool Review

From OWASP
Revision as of 22:00, 17 February 2012 by M. Buchanan (talk | contribs)


The OWASP Software Security Assessment and Testing Tools Profiles Project will create a Wiki of current, directly comparable, unbiased information about commercial and open source Software Security Assessment and Testing Tools. Tool descriptions and evaluations exist elsewhere online and offline, e.g., Wikipedia and the NIST SAMATE portal, including the 2008 Naval Ordnance Safety & Security Activity (NOSSA) Software Security Assessment Tools Review on the SAMATE portal. On Wikipedia, the quantity and quality of information varies widely due to the lack of a standard template for capturing tool information. Government sources are often obsolete by the time they are published, and are seldom updated. Other sources provide different types of information, which is often biased. The OWASP Tool Profiles differ from other sources by providing a standard set of information about each tool, allowing for direct comparisons between tools. The initial Profiles are wiki versions of the NOSSA tool descriptions, which we recognize are outdated. The wiki format enables the tool's developer, users, and other stakeholders to easily review and revise/update the information, and the Profile template also includes a field for adding non-standard information. A blank Profile wiki template is also provided for creating new tool Profiles. The tool Profiles will also be updated to add information from SAMATE's source code analyzer descriptions, with the Profile template expanded with new information categories if necessary. The wiki format will also allow for future expansion of the Project to cover other types of software/application security tools.

SAMATE Source Code Analyzers Page: http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
SSATR Template: use this template to add another tool.

Appendix A-2: AgileJ StructureViews

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-2
Product: AgileJ StructureViews
Description: Commercial Java visualization product that is deployed as an Eclipse Feature. The product brings together aspects of the Eclipse JDT Java Model, Set Theory, Class Diagrams, and XP/Agile Methods. The output resembles reverse engineered CASE tool drawings. The Eclipse JDT model performs a number of functions in the Eclipse Java IDE, including populating the package explorer and type hierarchy trees. AgileJ StructureViews taps into that same source of information to populate its class diagrams. The visualizations are UML class diagrams, which can be printed or exported as JPEG images. Class diagrams appear alongside the source file editor in the Eclipse IDE, and navigation is possible from any element on a diagram back to its source code. To comply with the XP goal of minimal documentation, no presentation-specific information is stored with a diagram. From the list of class names, all other information, including class members, inner classes, inheritances, associations and dependencies, is derived from Eclipse. The intention is that the diagrams only serve to increase comprehension of the coding model which they illustrate.
URL: http://www.agilej.com/
Supported Languages: Java
Supported Platforms Where Tool Runs: Eclipse
Supported Platform Where Target Resides:
Supported Compilers: N/A
Can Tool be used Remotely? No
Finds or Checks for (Tool Category): Risk Analysis
Lifecycle Position(s): Design, Testing
Scalability (Ability to scan up to 1,000,000 LOC?) N/A
Ability to Identify Comments in Code: N/A
Ability to Discover Debug Code: N/A
Ability to Discover Unused Code: N/A
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: N/A
Ability of Testers to Modify Existing Rule Bases: N/A
Ability of Testers to Add New Rule Bases: N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? N/A
Cost (Hourly/Flat Fee) [AVAILABILITY]: Commercial
Licensing:
Vendor Technical Support: Yes
Vendor Services / Professional services support: No
Required training or experience level to operate: High
Vendor provided (or 3rd party provided) training available: No
Comments:

Appendix A-3: antiparser

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-3
Product: antiparser
Description: A fuzz testing and fault injection API.
URL: http://antiparser.sourceforge.net/
Supported Languages: N/A
Supported Platforms Where Tool Runs:
Supported Platform Where Target Resides:
Supported Compilers: N/A
Can Tool be used Remotely?
Finds or Checks for (Tool Category): Fuzz Testing
Lifecycle Position(s): Testing
Scalability (Ability to scan up to 1,000,000 LOC?) N/A
Ability to Identify Comments in Code: No
Ability to Discover Debug Code: No
Ability to Discover Unused Code: No
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: Unknown
Ability of Testers to Modify Existing Rule Bases: Yes
Ability of Testers to Add New Rule Bases: Yes
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? No
Cost (Hourly/Flat Fee) [AVAILABILITY]: Free
Licensing: GPL
Vendor Technical Support: No
Vendor Services / Professional services support: No
Required training or experience level to operate: Medium
Vendor provided (or 3rd party provided) training available: No
Comments:

Appendix A-4: Aspect Security AspectCheck

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-4
Product: Aspect Security AspectCheck
Description: Aspect Security uses AspectCheck in code review services to check for security-critical calls.
URL: www.aspectsecurity.com/
Supported Languages: ASP.Net, C#, Java, VB.Net
Supported Platforms Where Tool Runs:
Supported Platform Where Target Resides:
Supported Compilers:
Can Tool be used Remotely? No
Finds or Checks for (Tool Category): Bytecode analysis
Lifecycle Position(s): Testing
Scalability (Ability to scan up to 1,000,000 LOC?) Unknown
Ability to Identify Comments in Code: Unknown
Ability to Discover Debug Code: Unknown
Ability to Discover Unused Code: Unknown
Tool uses CWE Definitions of Vulnerabilities: Unknown
Frequency of Rule Base Updates by Tool Provider: Unknown
Ability of Testers to Modify Existing Rule Bases: Unknown
Ability of Testers to Add New Rule Bases: Unknown
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? Unknown
Cost (Hourly/Flat Fee) [AVAILABILITY]: Commercial Service
Licensing:
Vendor Technical Support: Unknown
Vendor Services / Professional services support: Yes
Required training or experience level to operate: Unknown
Vendor provided (or 3rd party provided) training available: Unknown
Comments:

Appendix A-5: ASTRÉE

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-5
Product: ASTRÉE
Description: Identifies undefined code constructs or run-time errors, such as out-of-bounds array indexing or arithmetic overflow.
URL: http://www.astree.ens.fr/
Supported Languages: C
Supported Platforms Where Tool Runs: Unix, Linux
Supported Platform Where Target Resides:
Supported Compilers:
Can Tool be used Remotely? No
Finds or Checks for (Tool Category): Source Code Analyzer
Lifecycle Position(s): Testing
Scalability (Ability to scan up to 1,000,000 LOC?) Advertises significant scalability
Ability to Identify Comments in Code:
Ability to Discover Debug Code:
Ability to Discover Unused Code:
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: None
Ability of Testers to Modify Existing Rule Bases: N/A
Ability of Testers to Add New Rule Bases: N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? No
Cost (Hourly/Flat Fee) [AVAILABILITY]: Research & Development Tool, Linux version is free
Licensing: BSD
Vendor Technical Support: None
Vendor Services / Professional services support: None
Required training or experience level to operate: High
Vendor provided (or 3rd party provided) training available: None
Comments: No updates being made to tool.

Appendix A-6: Black Duck Software

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-6
Product: Black Duck Software
Description: Automatic tool for scanning source code and finding intellectual property and licensing issues. The analyses are performed based on patterns of licenses and known packages (e.g., SF.net). Unlike Palamida, Black Duck does not perform security-specific analyses. URL: http://www.blackducksoftware.com/index.html
URL: http://www.blackducksoftware.com/
Supported Languages: Unknown
Supported Platforms Where Tool Runs: Unknown
Supported Platform Where Target Resides:
Supported Compilers: N/A
Can Tool be used Remotely? Yes
Finds or Checks for (Tool Category): Pedigree Analysis
Lifecycle Position(s): Development, Testing
Scalability (Ability to scan up to 1,000,000 LOC?) 1,000,000 LOC
Ability to Identify Comments in Code: No
Ability to Discover Debug Code: No
Ability to Discover Unused Code: No
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: Unknown
Ability of Testers to Modify Existing Rule Bases: No
Ability of Testers to Add New Rule Bases: Yes
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? No
Cost (Hourly/Flat Fee) [AVAILABILITY]: Commercial
Licensing:
Vendor Technical Support: Yes
Vendor Services / Professional services support: No
Required training or experience level to operate: Medium
Vendor provided (or 3rd party provided) training available: Yes
Comments:

Appendix A-7: Boomerang

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-7
Product: Boomerang
Description: Open source decompiler.
URL: http://boomerang.sourceforge.net/
Supported Languages: C
Supported Platforms Where Tool Runs:
Supported Platform Where Target Resides:
Supported Compilers: N/A
Can Tool be used Remotely? No
Finds or Checks for (Tool Category): Reverse Engineering
Lifecycle Position(s): Testing
Scalability (Ability to scan up to 1,000,000 LOC?) N/A
Ability to Identify Comments in Code: No
Ability to Discover Debug Code: No
Ability to Discover Unused Code: No
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: Unknown
Ability of Testers to Modify Existing Rule Bases: Unknown
Ability of Testers to Add New Rule Bases: Unknown
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? Unknown
Cost (Hourly/Flat Fee) [AVAILABILITY]: Free
Licensing: BSD
Vendor Technical Support: No
Vendor Services / Professional services support: No
Required training or experience level to operate: Medium
Vendor provided (or 3rd party provided) training available: No
Comments:

Appendix A-8: BOON

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-8
Product: BOON
Description: Performs integer range analysis to determine if an array can be indexed outside its bounds.
URL: http://www.cs.berkeley.edu/~daw/boon/
Supported Languages: C
Supported Platforms Where Tool Runs: Unix, Linux
Supported Platform Where Target Resides:
Supported Compilers: GCC
Can Tool be used Remotely? No
Finds or Checks for (Tool Category): Source Code Analyzer
Lifecycle Position(s): Testing
Scalability (Ability to scan up to 1,000,000 LOC?) Unknown
Ability to Identify Comments in Code: N/A
Ability to Discover Debug Code: N/A
Ability to Discover Unused Code: N/A
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: None
Ability of Testers to Modify Existing Rule Bases: N/A
Ability of Testers to Add New Rule Bases: N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? No
Cost (Hourly/Flat Fee) [AVAILABILITY]: Free
Licensing:
Vendor Technical Support: None
Vendor Services / Professional services support: None
Required training or experience level to operate: High
Vendor provided (or 3rd party provided) training available: None
Comments: No updates being made to tool.

Appendix A-9: Borland's Together

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-9
Product: Borland's Together
Description: A set of Eclipse plugins that provides UML 1.4 modeling, multi-language support, physical data modeling, design patterns, source code design pattern recognition, code template design and reuse, documentation generation, and code audits and metrics. Together adds language-neutral UML 2.0 diagramming, business process modeling, logical data modeling, and logical to physical data model transformation and custom pattern support. Borland's strategy is to focus on tool integration, enabling best-of-breed strategies. Borland's MDD strategy is to offer application development teams a choice of tools and approaches, rather than channeling them into a single modeling notation. Borland is active in the OMG, leading the Graphical Model Framework (GMF) for Eclipse, and is also active in the Open Systems Group. Borland's Together Visual modeling tool is based on UML2, BPMN, and MOF; it provides key features for software architects, designers, and coders. Together uses the OMG's QVT standard in model-to-model transformations and provides support for UML Object Constraint Language (OCL) 2.0. This includes audits and metrics, which are provided at both the model and code level and are defined in industry standard OCL. Overall, Borland provides a platform of common services and a set of practitioner tools within the broader scope of application life-cycle management.
URL: http://www.borland.com/us/products/together/index.html
Supported Languages: UML, XML, QVT, OCL, MDA, EMF
Supported Platforms Where Tool Runs: Linux, Mac OS X, Solaris, Windows
Supported Platform Where Target Resides:
Supported Compilers: N/A
Can Tool be used Remotely? No
Finds or Checks for (Tool Category): Risk Analysis
Lifecycle Position(s): Design, Testing
Scalability (Ability to scan up to 1,000,000 LOC?) N/A
Ability to Identify Comments in Code: N/A
Ability to Discover Debug Code: N/A
Ability to Discover Unused Code: N/A
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: N/A
Ability of Testers to Modify Existing Rule Bases: N/A
Ability of Testers to Add New Rule Bases: N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? N/A
Cost (Hourly/Flat Fee) [AVAILABILITY]: Commercial
Licensing:
Vendor Technical Support: Yes
Vendor Services / Professional services support: No
Required training or experience level to operate: High
Vendor provided (or 3rd party provided) training available: No
Comments:

Appendix A-10: C Code Analyzer (CCA)

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-10
Product: C Code Analyzer (CCA)
Description: Tests for out-of-bounds array indexing and arithmetic overflow.
URL: http://www.drugphish.ch/~jonny/cca.html
Supported Languages: C
Supported Platforms Where Tool Runs: Unix, Linux, Windows (cygwin)
Supported Platform Where Target Resides: Unix, Linux, Windows
Supported Compilers: GCC, MSVC
Can Tool be used Remotely? No
Finds or Checks for (Tool Category): Source Code Analyzer
Lifecycle Position(s): Testing
Scalability (Ability to scan up to 1,000,000 LOC?) Yes (successfully scanned the Linux kernel)
Ability to Identify Comments in Code: No
Ability to Discover Debug Code: No
Ability to Discover Unused Code: No
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: None
Ability of Testers to Modify Existing Rule Bases: Yes (through modification)
Ability of Testers to Add New Rule Bases: Yes (through modification)
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? No
Cost (Hourly/Flat Fee) [AVAILABILITY]: Free
Licensing: BSD
Vendor Technical Support: None
Vendor Services / Professional services support: None
Required training or experience level to operate: Medium
Vendor provided (or 3rd party provided) training available: None
Comments: The product is designed to minimize false positives.

Appendix A-11: CenterLine Systems CodeCenter

SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-11
Product: CenterLine Systems CodeCenter
Description: Detects incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables.
URL: http://www.ics.com/products/centerline/codecenter/
Supported Languages: C
Supported Platforms Where Tool Runs: Unix, Sun SPARC, Solaris
Supported Platform Where Target Resides: Unix
Supported Compilers: clcc, GCC, SPARC-C
Can Tool be used Remotely? No
Finds or Checks for (Tool Category): Source Code Analyzer
Lifecycle Position(s): Development
Scalability (Ability to scan up to 1,000,000 LOC?) Unknown
Ability to Identify Comments in Code: No
Ability to Discover Debug Code: No
Ability to Discover Unused Code: Yes
Tool uses CWE Definitions of Vulnerabilities: No
Frequency of Rule Base Updates by Tool Provider: N/A
Ability of Testers to Modify Existing Rule Bases: N/A
Ability of Testers to Add New Rule Bases: N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? No
Cost (Hourly/Flat Fee) [AVAILABILITY]: Commercial
Licensing: Commercial
Vendor Technical Support: Multiple tiers
Vendor Services / Professional services support: Yes
Required training or experience level to operate: Medium
Vendor provided (or 3rd party provided) training available: Yes
Comments: