The author notified me of a new version that was recently released with quite a few additions. For those not familiar with it, Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.

Changes in V2.0

The major changes in v2.0 is the addition of a code analysis module which comes with Android and iOS rules, an editor for the checklist questions and the ability to create/edit/remove code analysis rules.

• Fixed verify report button bug. It used to make the app crash if the report path field was empty because it didn’t check if it was empty before trying to use the field value.
• Delete profile functionality added on the “view profiles” tab. Some users requested this functionality.
• Removed hard coded filesystem paths and database names/locations from the code and make them configuration items.
• Data editor for both principles and checklist guidance sections. This allows users to customise the guidance using their own languages, guidance text etc.
• Increase the max size value of the text boxes on the principles guidance tab to allow more information to be entered by users.
• More accurate error on the profile creation tab – specify exactly what fields have been missed rather than listing all.
• Added “About” form with info, license, credits etc
• Regular expressions expanded to include a wider range of characters including non English characters.
• Turn the “other” language box red if the user clicks save with the other check box ticked but not language entered on the create and view profile tabs.
• Metrics tab now “returns” if only one app is available rather than trying to load all graphs and throwing a separate error for each one.

The author is always interested in feedback and has integrated a lot of it into v2.0 of Agnitio, if you want to give some suggestions/bug reports or whatever after using the tool you can do so via the Security Ninja blog here, or on Twitter @securityninja.

You can download Agnitio v2.0 here:

Agnitio v2.zip

Or read more here.

RATS – Rough Auditing Tool for Security – is an open source tool developed and maintained by Secure Software security engineers. Secure Software was acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.

RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.

As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Requirements

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify –with-expat-lib and –with-expat-include options to configure so that it can find your installation of the library and header. Expat can be found here.

You can download RATS here:

Source Code: rats-2.3.tar.gz
Windows Binary: rats-2.3-win32.zip

Or read more here.

Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It’s comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Usage

Graudit supports several options and tries to follow good shell practices. For a list of the options you can run graudit -h or see below. The simplest way to use graudit is;

graudit /path/to/scan

You can download Graudit v1.1 here:

graudit-1.1.tar.bz2

Or read more here.