The OWASP Software Security Assessment and Testing Tools Profiles Project will create a Wiki of current, directly comparable, unbiased information about commercial and open source Software Security Assessment and Testing Tools. Tool descriptions and evaluations exist elsewhere online and offline, e.g., Wikipedia and the NIST SAMATE portal, including the 2008 Naval Ordnance Safety & Security Activity Software Security Assessment Tools Review on the SAMATE portal. On Wikipedia, the quantity and quality of information varies widely due to lack of a standard template for capturing tool information. Government sources are often obsolete by the time they are published, and are seldom updated. Other sources provide different types of information, which is often biased.
The OWASP Tool Profiles differ from other sources by providing a standard set of information about each tool, allowing for direct comparisons between tools. The initial Profiles are wiki versions of the NOSSA tool descriptions, which we recognize are outdated. The wiki format enables the tool's developer, users, and other stakeholders to easily review and revise or update the information, and the Profile template also includes a field for adding non-standard information. A blank Profile wiki template is also provided for creating new tool Profiles. The tool Profiles will also be updated to add information from SAMATE's source code analyzer descriptions, with the Profile template expanded with new information categories if necessary. The wiki format will also allow for future expansion of the Project to cover other types of software/application security tools.
SAMATE Source Code Analyzers Page: http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
SSATR Template: use this template to add another tool.
Appendix A-2: AgileJ StructureViews
SOFTWARE SECURITY ASSESSMENT TOOLS REVIEW: APPENDIX A-2
Product | AgileJ StructureViews
Description | Commercial Java visualization product that is deployed as an Eclipse Feature. The product brings together aspects of the Eclipse JDT Java Model, Set Theory, Class Diagrams, and XP/Agile Methods. The output resembles reverse engineered CASE tool drawings. The Eclipse JDT model performs a number of functions in the Eclipse Java IDE, including populating the package explorer and type hierarchy trees. AgileJ StructureViews taps into that same source of information to populate its class diagrams. The visualizations are UML class diagrams, which can be printed or exported as JPEG images. Class diagrams appear alongside the source file editor in the Eclipse IDE, and navigation is possible from any element on a diagram back to its source code. To comply with the XP goal of minimal documentation, no presentation-specific information is stored with a diagram. From the list of class names, all other information, including class members, inner classes, inheritances, associations and dependencies, is derived from Eclipse. The intention is that the diagrams only serve to increase comprehension of the coding model which they illustrate.
URL | http://www.agilej.com/
Supported Languages | Java
Supported Platforms Where Tool Runs | Eclipse
Supported Platform Where Target Resides |
Supported Compilers | N/A
Can Tool be used Remotely? | No
Finds or Checks for: (Tool Category) | Risk Analysis
Lifecycle Position(s) | Design, Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | N/A
Ability to Identify Comments in Code | N/A
Ability to Discover Debug Code | N/A
Ability to Discover Unused Code | N/A
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | N/A
Ability of Testers to Modify Existing Rule Bases | N/A
Ability of Testers to Add New Rule Bases | N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | N/A
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Commercial
Licensing |
Vendor Technical Support | Yes
Vendor Services / Professional services support | No
Required training or experience level to operate | High
Vendor provided (or 3rd party provided) training available | No
Comments |
Appendix A-3: antiparser
Product | antiparser
Description | A fuzz testing and fault injection API
URL | http://antiparser.sourceforge.net/
Supported Languages | N/A
Supported Platforms Where Tool Runs |
Supported Platform Where Target Resides |
Supported Compilers | N/A
Can Tool be used Remotely? |
Finds or Checks for: (Tool Category) | Fuzz Testing
Lifecycle Position(s) | Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | N/A
Ability to Identify Comments in Code | No
Ability to Discover Debug Code | No
Ability to Discover Unused Code | No
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | Unknown
Ability of Testers to Modify Existing Rule Bases | Yes
Ability of Testers to Add New Rule Bases | Yes
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | No
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Free
Licensing | GPL
Vendor Technical Support | No
Vendor Services / Professional services support | No
Required training or experience level to operate | Medium
Vendor provided (or 3rd party provided) training available | No
Comments |
Appendix A-4: Aspect Security AspectCheck
Product | Aspect Security AspectCheck
Description | Aspect Security uses AspectCheck in code review services to check for security-critical calls
URL | www.aspectsecurity.com/
Supported Languages | ASP.Net, C#, Java, VB.Net
Supported Platforms Where Tool Runs |
Supported Platform Where Target Resides |
Supported Compilers |
Can Tool be used Remotely? | No
Finds or Checks for: (Tool Category) | Bytecode analysis
Lifecycle Position(s) | Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | Unknown
Ability to Identify Comments in Code | Unknown
Ability to Discover Debug Code | Unknown
Ability to Discover Unused Code | Unknown
Tool uses CWE Definitions of Vulnerabilities | Unknown
Frequency of Rule Base Updates by Tool Provider | Unknown
Ability of Testers to Modify Existing Rule Bases | Unknown
Ability of Testers to Add New Rule Bases | Unknown
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | Unknown
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Commercial Service
Licensing |
Vendor Technical Support | Unknown
Vendor Services / Professional services support | Yes
Required training or experience level to operate | Unknown
Vendor provided (or 3rd party provided) training available | Unknown
Comments |
|
Appendix A-5: ASTRÉE
Product | ASTRÉE
Description | Identifies undefined code constructs or run-time errors, such as out-of-bounds array indexing or arithmetic overflow.
URL | http://www.astree.ens.fr/
Supported Languages | C
Supported Platforms Where Tool Runs | Unix, Linux
Supported Platform Where Target Resides |
Supported Compilers |
Can Tool be used Remotely? | No
Finds or Checks for: (Tool Category) | Source Code Analyzer
Lifecycle Position(s) | Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | Advertises significant scalability
Ability to Identify Comments in Code |
Ability to Discover Debug Code |
Ability to Discover Unused Code |
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | None
Ability of Testers to Modify Existing Rule Bases | N/A
Ability of Testers to Add New Rule Bases | N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | No
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Research & Development Tool, Linux version is free
Licensing | BSD
Vendor Technical Support | None
Vendor Services / Professional services support | None
Required training or experience level to operate | High
Vendor provided (or 3rd party provided) training available | None
Comments | No updates being made to tool
Appendix A-6: Black Duck Software
Product | Black Duck Software
Description | Automatic tool for scanning source code and finding intellectual property and licensing issues. The analyses are performed based on patterns of licenses and known packages (e.g., SF.net). Unlike Palamida, Black Duck does not perform security-specific analyses. URL: http://www.blackducksoftware.com/index.html
URL | http://www.blackducksoftware.com/
Supported Languages | Unknown
Supported Platforms Where Tool Runs | Unknown
Supported Platform Where Target Resides |
Supported Compilers | N/A
Can Tool be used Remotely? | Yes
Finds or Checks for: (Tool Category) | Pedigree Analysis
Lifecycle Position(s) | Development, Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | 1,000,000 LOC
Ability to Identify Comments in Code | No
Ability to Discover Debug Code | No
Ability to Discover Unused Code | No
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | Unknown
Ability of Testers to Modify Existing Rule Bases | No
Ability of Testers to Add New Rule Bases | Yes
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | No
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Commercial
Licensing |
Vendor Technical Support | Yes
Vendor Services / Professional services support | No
Required training or experience level to operate | Medium
Vendor provided (or 3rd party provided) training available | Yes
Comments |
Appendix A-7: Boomerang
Product | Boomerang
Description | Open source decompiler
URL | http://boomerang.sourceforge.net/
Supported Languages | C
Supported Platforms Where Tool Runs |
Supported Platform Where Target Resides |
Supported Compilers | N/A
Can Tool be used Remotely? | No
Finds or Checks for: (Tool Category) | Reverse Engineering
Lifecycle Position(s) | Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | N/A
Ability to Identify Comments in Code | No
Ability to Discover Debug Code | No
Ability to Discover Unused Code | No
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | Unknown
Ability of Testers to Modify Existing Rule Bases | Unknown
Ability of Testers to Add New Rule Bases | Unknown
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | Unknown
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Free
Licensing | BSD
Vendor Technical Support | No
Vendor Services / Professional services support | No
Required training or experience level to operate | Medium
Vendor provided (or 3rd party provided) training available | No
Comments |
Appendix A-8: BOON
Product | BOON
Description | Performs integer range analysis to determine if an array can be indexed outside its bounds
URL | http://www.cs.berkeley.edu/~daw/boon/
Supported Languages | C
Supported Platforms Where Tool Runs | Unix, Linux
Supported Platform Where Target Resides |
Supported Compilers | GCC
Can Tool be used Remotely? | No
Finds or Checks for: (Tool Category) | Source Code Analyzer
Lifecycle Position(s) | Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | Unknown
Ability to Identify Comments in Code | N/A
Ability to Discover Debug Code | N/A
Ability to Discover Unused Code | N/A
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | None
Ability of Testers to Modify Existing Rule Bases | N/A
Ability of Testers to Add New Rule Bases | N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | No
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Free
Licensing |
Vendor Technical Support | None
Vendor Services / Professional services support | None
Required training or experience level to operate | High
Vendor provided (or 3rd party provided) training available | None
Comments | No updates being made to tool
Appendix A-9: Borland's Together
Product | Borland's Together
Description | A set of Eclipse plugins that provides UML 1.4 modeling, multi-language support, physical data modeling, design patterns, source code design pattern recognition, code template design and reuse, documentation generation, and code audits and metrics. Together adds language-neutral UML 2.0 diagramming, business process modeling, logical data modeling, and logical to physical data model transformation and custom pattern support. Borland's strategy is to focus on tool integration, enabling best-of-breed strategies. Borland's MDD strategy is to offer application development teams a choice of tools and approaches, rather than channeling them into a single modeling notation. Borland is active in the OMG, leading the Graphical Model Framework (GMF) for Eclipse, and is also active in the Open Systems Group. Borland's Together Visual modeling tool is based on UML2, BPMN, and MOF; it provides key features for software architects, designers, and coders. Together uses the OMG's QVT standard in model-to-model transformations and provides support for UML Object Constraint Language (OCL) 2.0. This includes audits and metrics, which are provided at both the model and code level and are defined in industry standard OCL. Overall, Borland provides a platform of common services and a set of practitioner tools within the broader scope of application life-cycle management.
URL | http://www.borland.com/us/products/together/index.html
Supported Languages | UML, XML, QVT, OCL, MDA, EMF
Supported Platforms Where Tool Runs | Linux, Mac OS X, Solaris, Windows
Supported Platform Where Target Resides |
Supported Compilers | N/A
Can Tool be used Remotely? | No
Finds or Checks for: (Tool Category) | Risk Analysis
Lifecycle Position(s) | Design, Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | N/A
Ability to Identify Comments in Code | N/A
Ability to Discover Debug Code | N/A
Ability to Discover Unused Code | N/A
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | N/A
Ability of Testers to Modify Existing Rule Bases | N/A
Ability of Testers to Add New Rule Bases | N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | N/A
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Commercial
Licensing |
Vendor Technical Support | Yes
Vendor Services / Professional services support | No
Required training or experience level to operate | High
Vendor provided (or 3rd party provided) training available | No
Comments |
Appendix A-10: C Code Analyzer (CCA)
Product | C Code Analyzer (CCA)
Description | Tests for out-of-bounds array indexing and arithmetic overflow.
URL | http://www.drugphish.ch/~jonny/cca.html
Supported Languages | C
Supported Platforms Where Tool Runs | Unix, Linux, Windows (cygwin)
Supported Platform Where Target Resides | Unix, Linux, Windows
Supported Compilers | GCC, MSVC
Can Tool be used Remotely? | No
Finds or Checks for: (Tool Category) | Source Code Analyzer
Lifecycle Position(s) | Testing
Scalability (Ability to scan up to 1,000,000 LOC?) | Yes (successfully scanned the Linux kernel)
Ability to Identify Comments in Code | No
Ability to Discover Debug Code | No
Ability to Discover Unused Code | No
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | None
Ability of Testers to Modify Existing Rule Bases | Yes (through modification)
Ability of Testers to Add New Rule Bases | Yes (through modification)
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | No
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Free
Licensing | BSD
Vendor Technical Support | None
Vendor Services / Professional services support | None
Required training or experience level to operate | Medium
Vendor provided (or 3rd party provided) training available | None
Comments | The product is designed to minimize false positives.
Appendix A-11: CenterLine Systems CodeCenter
Product | CenterLine Systems CodeCenter
Description | Detects incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables.
URL | http://www.ics.com/products/centerline/codecenter/
Supported Languages | C
Supported Platforms Where Tool Runs | Unix, Sun SPARC, Solaris
Supported Platform Where Target Resides | Unix
Supported Compilers | clcc, GCC, SPARC-C
Can Tool be used Remotely? | No
Finds or Checks for: (Tool Category) | Source Code Analyzer
Lifecycle Position(s) | Development
Scalability (Ability to scan up to 1,000,000 LOC?) | Unknown
Ability to Identify Comments in Code | No
Ability to Discover Debug Code | No
Ability to Discover Unused Code | Yes
Tool uses CWE Definitions of Vulnerabilities | No
Frequency of Rule Base Updates by Tool Provider | N/A
Ability of Testers to Modify Existing Rule Bases | N/A
Ability of Testers to Add New Rule Bases | N/A
Ability to provide suggestions for mitigating vulnerabilities (Remediation). If able, is it Active or Passive? | No
Cost (Hourly/ Flat Fee) [AVAILABILITY] | Commercial
Licensing | Commercial
Vendor Technical Support | Multiple tiers
Vendor Services / Professional services support | Yes
Required training or experience level to operate | Medium
Vendor provided (or 3rd party provided) training available | Yes
Comments |