16 March 2010 | 7,172 views

OWASP CodeCrawler – Static Code Review Tool

Don't let your data go over to the Dark Side!

CodeCrawler is a tool aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. It’s a Microsoft .NET 3.5 Windows Form application which supports the OWASP Code Review Project.

It provides automatic STRIDE classification a very simple DREAD calculator and few minor utilities. Direct links to WAST 2.0 Threat Classification, Secure Java Development Guidelines and OWASP Tools are also part of the package.


  • .NET Framework 3.5 (Service Pack 1)
  • Visual Studio 2008
  • Windows Platform

You can download CodeCrawler here:


Or read more here.


Recent in Countermeasures:
- WAF-FLE – Graphical ModSecurity Console Dashboard
- LOKI – Indicators Of Compromise Scanner
- Integrit – File Verification System

Related Posts:
- Agnitio v2.1 Released – Manual Security Code Review Tool
- The Top 10 PHP Security Vulnerabilities from OWASP
- OWASP (Open Web Application Security Project) Testing Guide v3 Released

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 119,823 views
- Password Hasher Firefox Extension - 117,571 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,653 views

Advertise on Darknet

4 Responses to “OWASP CodeCrawler – Static Code Review Tool”

  1. Hannibal 23 March 2010 at 12:09 pm Permalink

    Personally i think this thing sucks :) It does not do a good a job, and Microsoft own tool fxcop is pretty damn awesome…

    But that’s only my opinion. :)

  2. aero 25 March 2010 at 9:02 am Permalink


  3. dotnetprogrammer 29 March 2010 at 9:45 pm Permalink

    Considering this thing alerts on COMMENTS the noise level is far beyond anything useful. Example if you have a comment with the word “Select” as in “selects items from an array and orders by value” this thing logs it as a critical fault (potential SQL injection).


  4. Darknet 30 March 2010 at 10:24 am Permalink

    That sounds lame, gonna check out fxcop.