This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Code Auditor Workbench Tool"
Dinis.cruz (talk | contribs) |
|||
| Line 1: | Line 1: | ||
| + | Following this thread [http://lists.owasp.org/pipermail/owasp-testing/2007-January/001324.html Code Review project and Code-Scanning-Tool(s)] here are some ideas of what such tool could do: | ||
| + | |||
My conjecture is that static analysis only goes so-far in terms of | My conjecture is that static analysis only goes so-far in terms of | ||
helping in a audit. It's nice, it's flashy, it's expensive, SPI, Fortify | helping in a audit. It's nice, it's flashy, it's expensive, SPI, Fortify | ||
| Line 16: | Line 18: | ||
So my vision is having some kind of web 2.0-like mashup: | So my vision is having some kind of web 2.0-like mashup: | ||
| − | + | # integrated IM | |
| − | + | # integrated commenting system | |
| − | + | # code demarcation/labeling tool | |
| − | + | # a built in programmable checklist (like, this JSP needs to be "checked" for manual review of input validation, authentication, access control, or my applet checklist would be (no business logic, no protected information, etc) - the checklist changes depending on what I'm auditing. Cost limitations almost always necessitate I limit scope of my audit. | |
| − | "checked" for manual review of input validation, authentication, access | + | # integrated documentation features so I can build my auditdocumentation "on the fly" during the audit process within the workbench in a Wiki-fashion so the whole team could work on the doc together at the same time. (For example, this feature would automatically create shell documentation every time I label code as a "critical" problem. |
| − | control, or my applet checklist would be (no business logic, no | + | # It would be nice if this workbench could import reports from those static analyzers (but they have a history of not playing well with the other tools) |
| − | protected information, etc) - the checklist changes depending on what | + | # Lately I've been asked to create system documentation during the audit process (can you believe that some very large systems that I audit have no system documentation? oh my! shocking!) so perhaps enhanced technical documentation functionality would help. |
| − | I'm auditing. Cost limitations almost always necessitate I limit scope | ||
| − | of my audit. | ||
| − | |||
| − | |||
| − | in a Wiki-fashion so the whole team could work on the doc together at | ||
| − | the same time. (For example, this feature would automatically create | ||
| − | shell documentation every time I label code as a "critical" problem. | ||
| − | |||
| − | static analyzers (but they have a history of not playing well with the | ||
| − | other tools) | ||
| − | |||
| − | audit process (can you believe that some very large systems that I audit | ||
| − | have no system documentation? oh my! shocking!) so perhaps enhanced | ||
| − | technical documentation functionality would help. | ||
Revision as of 00:39, 31 January 2007
Following this thread Code Review project and Code-Scanning-Tool(s) here are some ideas of what such tool could do:
My conjecture is that static analysis only goes so-far in terms of helping in a audit. It's nice, it's flashy, it's expensive, SPI, Fortify and the like are spending millions investing in the technology, it looks good to managers (I just bought a 60k security tool for my coders, I'm a cool manager it's all secure now!) - but it's not the static analysis portion of a review that will help me secure a system. (Sure, it helps me find low hanging fruit, but not the real interesting stuff).
Please tell me what static code review tool will bark at me if I forget to add my custom authentication function or functions (which is most common) at the top of each JSP? Not many do stuff like that well.
Also, most Java code audits that I am a part of is done by a team of 2 of more coders. (In fact, I say never do at a code review alone! Bring your friends!)
So my vision is having some kind of web 2.0-like mashup:
- integrated IM
- integrated commenting system
- code demarcation/labeling tool
- a built in programmable checklist (like, this JSP needs to be "checked" for manual review of input validation, authentication, access control, or my applet checklist would be (no business logic, no protected information, etc) - the checklist changes depending on what I'm auditing. Cost limitations almost always necessitate I limit scope of my audit.
- integrated documentation features so I can build my auditdocumentation "on the fly" during the audit process within the workbench in a Wiki-fashion so the whole team could work on the doc together at the same time. (For example, this feature would automatically create shell documentation every time I label code as a "critical" problem.
- It would be nice if this workbench could import reports from those static analyzers (but they have a history of not playing well with the other tools)
- Lately I've been asked to create system documentation during the audit process (can you believe that some very large systems that I audit have no system documentation? oh my! shocking!) so perhaps enhanced technical documentation functionality would help.
