RATS – Rough Auditing Tool for Security – is an open source tool developed and maintained by Secure Software security engineers. Secure Software was acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and [...]
Flawfinder is a program that examines source code and reports possible security weaknesses (flaws) sorted by risk level. It’s very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. It’s a static analysis source code auditing tool.
Flawfinder is specifically designed to be easy [...]
Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It’s comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.
Usage
Graudit supports several options and tries to follow [...]
The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that will analyze source code and provide a realistic and factual representation of the potential of that source code to create a problematic binary. This metric will not say that the binary will be exploited nor does it do [...]
Skavenger? Yes, because scavenger is already used?!?
What is skavenger? Skavenger is a source code auditing tool, firstly though for php, but also used for any kind of source code file; as long as you know what to look for…
Yes I thought is as a replacement tool for egrep/sed under Windows! because not everybody installs cygwin [...]
Continuing with the series of tools I’ve been posting on source code auditing and application security, here is PMD a Java Source Code Scanner.
PMD scans Java source code and looks for potential problems like:
Possible bugs – empty try/catch/finally/switch statements
Dead code – unused local variables, parameters and private methods
Suboptimal code – wasteful String/StringBuffer usage
Overcomplicated expressions – [...]
LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project.
LAPSE targets the following Web application vulnerabilities:
Parameter manipulation
SQL [...]
FindBugs looks for bugs in Java programs. It is based on the concept of bug patterns. A bug pattern is a code idiom that is often an error. Bug patterns arise for a variety of reasons:
Difficult language features
Misunderstood API methods
Misunderstood invariants when code is modified during maintenance
Garden variety mistakes: typos, use of [...]
Announcing a new web application source code analysis tool called the Securitycompass Web Application Analysis Tool or SWAAT.
You may know it as a static analysis tool.
Currently in its beta release, this .Net command-line tool searches through source code for potential vulnerabilities in the following languages:
Java and JSP
ASP.Net
PHP
Using xml-based signature files, it searches for common functions [...]
Spike is an Open Source tool based on the popular RATS C based auditing tool implemented for PHP.
The tool Spike basically does static analysis of php code for security exploits, PHP5 and call-time pass-by-reference are currently required, but a PHP4 version is coming out this week.
This tool is especially welcomed by Darknet as there aren’t [...]
