Static Code Analysis
Source Code: Find your bugs before someone else does! By Thomas Hofer
About me: Thomas Hofer, consultant (blue-infinity, Geneva). Skills: static analysis, solution architecture, software engineering (Java, Rails, PHP).
Outline (simple means to improve your code quality!): Introduction; Motivation; Static source code analyzers; Recommendations (our criteria, selected tools); Additional information.
Reasons for this research: CERN is a prized target and a renowned Internet Exchange Point. However, any website could be targeted! Potentially undesirable consequences of an attack: loss of confidentiality, damaged reputation, loss of data.
Security: when to care about it? When creating / managing documents, web pages, hardware and services, and when developing software and web applications.
Development and security: training (before); static source code analysis (during and after); code review (right after); vulnerability scanning (after).
Security and me… What can YOU do about it, without sacrificing your deadlines? Static analysis: the earlier a bug is caught, the cheaper it is to fix!
Static source code analysis: a static source code analyzer reads your source code but won't execute or compile it (usually)! It looks for possible errors regarding security, reliability and functionality.
What can they do? A static source code analyzer can: look for known and common errors; sometimes suggest fixes or improvements; offer help in finding bugs; find many kinds of bugs, not only security-related ones.
What can they not do? A static source code analyzer cannot: 'automagically' fix bugs; find all bugs (there will be false negatives); find only bugs (there will be false positives).
Our criteria / requirements: quick results; a very low 'false alarm' rate; ease of use; at least some results…
Overview of selected tools. Perl: Perl::Critic, RATS. Java: FindBugs, CodePro AnalytiX. PHP: Pixy, RATS. C / C++: Flawfinder, RATS, Coverity. Python: RATS, pychecker, pylint.
FindBugs. Java. Freeware / Eclipse plugin. Very flexible, with the ability to define custom rules… http://cern.ch/security/recommendations/en/codetools/findbugs.shtml
CodePro AnalytiX. Java. Freeware / Google Web Toolkit. As flexible as FindBugs, also with the ability to define your own rules. http://code.google.com/javadevtools/codepro/doc/index.html
Perl::Critic. Perl. Freeware / Unix, Perl module. Best practices: style and security. (Demo) http://cern.ch/security/recommendations/en/codetools/perl_critic.shtml

Pixy. PHP. Freeware / Unix. Detects XSS and SQL injection. http://cern.ch/security/recommendations/en/codetools/pixy.shtml
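Pixy finds XSS and SQL injection by following untrusted data from where it enters the program to where it reaches a query (a dataflow, or "taint", analysis), which is how a static analyzer can reason about injection without ever executing the code. The checker below is an added example written for this page, not Pixy's code: Pixy analyses PHP, whereas this one walks Python's own `ast` so that it runs stand-alone. The source, sink and sanitizer names (`input`, `request.args`, `request.form`, `execute`, `system`, `quote_identifier`) and the sample program are this example's assumptions.

```python
"""Tiny dataflow ("taint") check over Python source, in the spirit of the
source-to-sink analysis Pixy performs on PHP.  Added example, not Pixy's code;
the source, sink and sanitiser names are this example's assumptions."""
import ast

SOURCE_CALLS = {"input"}                                   # calls returning untrusted data
SOURCE_ATTRS = {("request", "args"), ("request", "form")}  # request data, Flask style (assumed)
SINK_CALLS = {"execute": 0, "system": 0}                   # sink -> index of the argument that must be clean
SANITIZERS = {"quote_identifier"}                          # assumed to return clean data


def call_name(node):
    """f(...) -> 'f'; obj.m(...) -> 'm'; anything else -> None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


class TaintChecker(ast.NodeVisitor):
    """One forward pass over straight-line code, tracking tainted variable names."""

    def __init__(self):
        self.tainted = set()
        self.findings = []          # (line, sink name)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            if isinstance(node.value, ast.Name) and (node.value.id, node.attr) in SOURCE_ATTRS:
                return True
            return self.is_tainted(node.value)
        if isinstance(node, ast.Subscript):
            return self.is_tainted(node.value)
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in SOURCE_CALLS:
                return True
            if name in SANITIZERS:
                return False
            # str.format on a tainted template or argument, or any other call fed
            # tainted data, is treated as tainted (conservative: more false positives).
            parts = list(node.args) + [kw.value for kw in node.keywords]
            if isinstance(node.func, ast.Attribute):
                parts.append(node.func.value)
            return any(self.is_tainted(p) for p in parts)
        if isinstance(node, ast.BinOp):                     # "..." % x  and  "..." + x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):                 # f"...{x}..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):   # x = ...; element targets like d["k"] = ... are not tracked
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = call_name(node)
        if name in SINK_CALLS:
            idx = SINK_CALLS[name]
            if len(node.args) > idx and self.is_tainted(node.args[idx]):
                self.findings.append((node.lineno, name))
        self.generic_visit(node)


def check(source):
    """Return [(line, sink)] for every sink call that receives tainted data."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample program; the comments say what the checker should conclude.
SAMPLE = '''\
user = request.args["user"]
cursor.execute("SELECT * FROM accounts WHERE name = '%s'" % user)   # line 2: SQL injection
cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))   # line 3: parameterised, clean
table = quote_identifier(request.args["table"])
cursor.execute(f"SELECT * FROM {table}")                            # line 5: clean only if the sanitiser is
path = input("file: ")
os.system("ls " + path)                                             # line 7: command injection
opts = {}
opts["u"] = request.form["u"]
cursor.execute("SELECT 1 WHERE x = '{}'".format(opts["u"]))         # line 10: missed (taint via a dict element)
'''

if __name__ == "__main__":
    for line, sink in check(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}()")
```

Run as a script it reports lines 2 and 7. Two things the toy shows that the slides only state: the parameterised `execute` on line 3 is clean because the tainted value never reaches the query string, and the value stored into a dict element on line 9 is lost, so the query on line 10 is a false negative. Trusting a sanitizer by name is the other weak spot: the tool cannot tell whether `quote_identifier` actually does what its name claims.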
RATS. C / C++ / Perl (and, partially, Python and PHP). Freeware. Flags calls to commonly misused functions. http://cern.ch/security/recommendations/en/codetools/rats.shtml
What else? 'OK, now that I have used this tool, I should be safe…' Tools are not enough! Even the best tool will miss the most sophisticated errors. Sensitive projects should be reviewed 'manually' by experts.
A fool with a tool is still a fool! ('A fool with a tool is still a fool!', D. Wheeler.) The code excerpt below was found in RealPlayer in 2005 (CVE-2005-0455):
    char tmp[256];            /* Flawfinder: ignore */
    strcpy(tmp, pScreenSize); /* Flawfinder: ignore */
The ignore comments silenced Flawfinder's warnings; they did not add the bounds check that the copy into the 256-byte buffer needed.
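RATS and Flawfinder work lexically: they look for calls to a list of commonly misused functions, rank them by risk, and let a developer silence a hit with a `Flawfinder: ignore` comment, which is exactly what happened in the RealPlayer excerpt above. The scanner below is an added example written for this page, not code from RATS or Flawfinder; its rule table, risk levels and advice strings are its own choices (loosely modelled on Flawfinder's 0-5 levels), and the sample C source combines the two lines quoted on the slide with constructed lines that show a false positive, a false negative, and function names hidden in a comment and in a string literal. One deliberate difference from the real tool: suppressed hits are returned separately, so a reviewer can still audit every ignore comment.

```python
"""Minimal RATS/Flawfinder-style lexical scanner for C (added example, not code
from either tool).  Flags calls to commonly misused functions, strips comments
and string literal bodies first so that a function name mentioned in a comment
or a format string is not a hit, and honours "Flawfinder: ignore" on a line the
way Flawfinder does, except that suppressed hits are returned for auditing."""
import re

# Rule table: function -> (risk level, advice).  Levels loosely follow Flawfinder's
# 0-5 scale; the names, levels and wording are this example's own choices.
RULES = {
    "gets":    (5, "no way to bound the read; use fgets"),
    "strcpy":  (4, "no bounds check on the destination; check the length or use snprintf/strlcpy"),
    "strcat":  (4, "no bounds check on the destination"),
    "sprintf": (4, "no bounds check on the destination; use snprintf"),
    "system":  (4, "shell metacharacters in the argument give command injection"),
    "strncpy": (1, "may leave the destination unterminated"),
}
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
IGNORE_RE = re.compile(r"Flawfinder\s*:\s*ignore")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def scan(source):
    """Return (hits, suppressed); each entry is (line, function, level, advice)."""
    # Suppression markers live in comments, so record them before comments go.
    ignored = {n for n, line in enumerate(source.splitlines(), 1) if IGNORE_RE.search(line)}
    # Blank out comments (keeping their newlines so line numbers survive) and the
    # bodies of string literals.
    code = COMMENT_RE.sub(lambda m: "\n" * m.group().count("\n"), source)
    code = STRING_RE.sub('""', code)
    hits, suppressed = [], []
    for n, line in enumerate(code.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            level, advice = RULES[name]
            (suppressed if n in ignored else hits).append((n, name, level, advice))
    return hits, suppressed


# Lines 2-3 are the RealPlayer excerpt quoted on the slide; the rest is constructed.
SAMPLE_C = """\
/* RealPlayer excerpt from the slide (CVE-2005-0455) on the next two lines */
char tmp[256]; /* Flawfinder: ignore */
strcpy(tmp, pScreenSize); /* Flawfinder: ignore */
char host[64];                            /* constructed lines from here on */
strcpy(host, "localhost");                /* false positive: a constant source always fits */
for (i = 0; src[i]; i++) dst[i] = src[i]; /* false negative: no call for a lexical rule to match */
/* sprintf used to be called here; replaced by snprintf */
snprintf(msg, sizeof msg, "%s", src);
printf("strcpy(");                        /* inside a string literal: must not be flagged */
"""


def report(source):
    """Print hits by descending risk, then the suppressed ones; return both lists."""
    hits, suppressed = scan(source)
    for n, name, level, advice in sorted(hits, key=lambda h: -h[2]):
        print(f"line {n}: [{level}] {name}: {advice}")
    for n, name, _, _ in suppressed:
        print(f"line {n}: {name} silenced by an ignore comment; check the reason by hand")
    return hits, suppressed


if __name__ == "__main__":
    report(SAMPLE_C)
```

Run as a script it reports one hit (the harmless `strcpy` on line 5, which a lexical tool cannot tell apart from a dangerous one), one suppressed hit (the real bug on line 3), and nothing at all for the unbounded copy loop on line 6. That is the slide's point in miniature: the ignore comment should be the start of a question, "what bounds pScreenSize?", not the end of the review.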
Further information: http://cern.ch/security/recommendations/en/code_tools.shtml (presentation of the tools; installation, configuration and usage advice; explanation of some common errors; advice for developing more secure software).
Thank you! To contact me: thomas.hofer@b-i.com