Static source code analysis tools can help developers find bugs early by analyzing code without executing it. The document recommends several free, open source tools for different programming languages that can find security issues, reliability problems, and other bugs. It emphasizes that while tools are useful, manual code reviews by experts are still needed, as no tool can find all issues or guarantee code is bug-free.
2. About me…
  Thomas Hofer, Consultant (blue-infinity, Geneva)
  Skills: Static analysis, Solution architecture, Software Engineering (Java – Rails – PHP)
3. Outline: Simple means to improve your code quality!
  Introduction: Motivation, Static Source Code Analyzers
  Recommendations: Our criteria, Selected tools
  Additional Information
4. Reasons for this research
  CERN is a prized target: renowned Internet Exchange Point
  However: any website could be targeted!
  Potentially undesirable consequences of an attack: loss of confidentiality, damaged reputation, loss of data
5. Security: when to care about it?
  Creating / Managing: Documents, Web Pages, Hardware, Services
  Development: Software, Web Applications
6. Development and Security
  Training (before)
  Code review (right after)
  Vulnerability scanning (after)
7. Development and Security
  Training (before)
  Static source code analysis (during and after)
  Code review (right after)
  Vulnerability scanning (after)
9. Security and me…
  What can YOU do about it… … without sacrificing your deadlines?
  Static Analysis: the earlier a bug is caught, the cheaper it is to fix!
10. Static source code analysis
  A static source code analyzer:
  Reads your source code but… won’t execute or compile it (usually)!
  Looks for possible errors regarding: Security, Reliability, Functionality
11. What can they do?
  A static source code analyzer can:
  Look for known and common errors
  Sometimes suggest fixes or improvements
  Offer help in finding bugs
  Find many kinds of bugs, not only security related
12. What can they not do?
  A static source code analyzer cannot:
  ‘Automagically’ fix bugs
  Find all bugs (i.e. false negatives)
  Find only bugs (i.e. false positives)
13. Our criteria / requirements
  Quick results
  Very low ‘false alarms’ rate
  Ease of use
  At least some results…
22. FindBugs
  Java – Freeware / Eclipse plugin
  Very flexible, ability to define custom rules…
  http://cern.ch/security/recommendations/en/codetools/findbugs.shtml
24. CodePro AnalytiX
  Java – Freeware / Google Web Toolkit
  As flexible as FindBugs, also ability to define your own rules
  http://code.google.com/javadevtools/codepro/doc/index.html
25. Perl::Critic
  Perl – Freeware / Unix – Perl module
  Best Practices: style and security
  Demo
  http://cern.ch/security/recommendations/en/codetools/perl_critic.shtml
27. RATS
  C / C++ / Perl, (and, partially) Python, PHP – Freeware
  Calls to commonly misused functions
  http://cern.ch/security/recommendations/en/codetools/rats.shtml
28. What else?
  ‘Ok, now that I have used this tool, I should be safe…’
  Tools are not enough! Even the best tool will miss the most sophisticated errors.
  Sensitive projects should be reviewed ‘manually’ by experts.
29. A Fool with a Tool is still a Fool!
  ‘A fool with a tool is still a fool!’, D. Wheeler
  The code excerpt below was found in RealPlayer, in 2005 (CVE-2005-0455):
    char tmp[256];              /* Flawfinder: ignore */
    strcpy(tmp, pScreenSize);   /* Flawfinder: ignore */
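The RealPlayer excerpt shows the failure mode the slides warn about: a tool did flag the unbounded strcpy, and an ignore comment silenced it. As an added example (not from the slides, and not the code of RATS or Flawfinder), here is a small Python scanner in the spirit of RATS' "calls to commonly misused functions" check that also counts how many findings were silenced by Flawfinder-style ignore comments, so a reviewer can audit each suppression by hand instead of trusting it. The function list and the sample source are constructed; the suppression comment format is the one seen in the excerpt.

```python
import re

# Constructed subset of the "commonly misused functions" that checkers such as
# RATS and Flawfinder flag (names only; the descriptions are ours).
RISKY_CALLS = {
    "strcpy": "unbounded copy into a fixed buffer",
    "strcat": "unbounded concatenation",
    "sprintf": "unbounded formatted write",
    "gets": "reads without any bound",
}

CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
# Flawfinder's in-line suppression, as it appears in the RealPlayer excerpt.
SUPPRESS_RE = re.compile(r"/\*\s*Flawfinder\s*:\s*ignore\s*\*/")


def scan(source):
    """Return (line_no, function, suppressed) for every risky call in `source`."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        suppressed = SUPPRESS_RE.search(line) is not None
        for match in CALL_RE.finditer(line):
            findings.append((line_no, match.group(1), suppressed))
    return findings


def suppression_report(source):
    """Count findings and list the lines where an ignore comment silenced one,
    so each suppression can be reviewed manually rather than taken on trust."""
    findings = scan(source)
    silenced = [line_no for line_no, _, suppressed in findings if suppressed]
    return {
        "total": len(findings),
        "suppressed": len(silenced),
        "suppressed_lines": silenced,
    }


# Constructed sample: the page's RealPlayer lines plus two more calls.
SAMPLE = """\
char tmp[256];                       /* Flawfinder: ignore */
strcpy(tmp, pScreenSize);            /* Flawfinder: ignore */
strcat(tmp, suffix);
snprintf(out, sizeof out, "%s", tmp);
"""

if __name__ == "__main__":
    for line_no, func, suppressed in scan(SAMPLE):
        flag = "SUPPRESSED - review manually" if suppressed else "open"
        print(f"line {line_no}: {func}() - {RISKY_CALLS[func]} [{flag}]")
    print(suppression_report(SAMPLE))
```

The bounded snprintf on the last sample line is not reported, while the silenced strcpy is listed under suppressed_lines: the point of the report is that a suppression is a claim to be verified, not a fix.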