Source code scanners
Overview of tools for static code security analysis, with special focus on Yasca. See http://ipsec.pl/ for more details.
Source code analysis tools
Paweł Krawczyk
„Static analysis is great for catching common errors early”
Brian Chess (Fortify)
Source code analysis
• Why?
– Visibility limitations of blackbox testing
– Insight not only into what is implemented but also how
– Timing
– Blackbox needs a working product
– Code analysis can start with a single line of code
• Risks
– What you see is not always what ends up on the server
Why find bugs early?
(Two chart slides comparing an early code audit with a pentest / late code audit. Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006)
Source code scanners
• Why?
– Manual testing is time consuming
– Manual testing is not easily standardised
– Human factor of manual testing
• Automated scanning
– Repeatable, standardised
– Better automated than none
SCA in ASVS
• OWASP Application Security Verification Standard (ASVS)
– Level 1B: Source code scan – partial automated verification
– Level 2B: Code review – partial manual verification
Tested free tools
• Yasca
• OWASP Code Crawler
• FxCop
• CAT.NET
• Agnitio
Yasca requirements
• PHP
– http://www.php.net/
• JRE
– 1.6.x from SDS or http://java.sun.com/
Installation
• Download main Yasca package
– yasca-2.1.zip
– http://sourceforge.net/projects/yasca/files/
• Download plugins
– yasca-2.1-something.zip
Installation #2
• Unpack yasca-2.1.zip
– No installer
– Any destination
– Runs directly from that directory
• Unpack plugins to a dedicated directory
– c:\static-analyzers
• Set environment variable SA_HOME
– SA_HOME=c:\static-analyzers\
Running Yasca
Yasca performance
• Real application
– Java and JSP source code
– 17 MB uncompressed
– 2500 files
– 200 subdirectories
– Network share (LAN)
• Run time ~10 minutes
Yasca reporting
Troubleshooting
• Official manual
– http://www.yasca.org/h/documentation/
• Issues noticed
– PMD crashing sometimes
– How to limit the large number of irrelevant issues?
OWASP Code Crawler
Features
• Version 2.5.1
• Supports C# and Java
Requirements
• .NET Framework 3.5
• Visual Studio 2008
– Works with VS 2010 Beta
Results
Issues
• Trivial detection rules
– „sha” in „shared” triggers a „weak crypto” alert
• Works on one file at a time
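The „sha” in „shared” complaint above is a general problem with substring-based detection rules. The following added example (not part of the slides or of OWASP Code Crawler) contrasts a naive substring rule with a token-boundary rule over a constructed, hypothetical C# fragment, so the false positives and their cause can be seen directly; rule names, patterns and the sample source are all assumptions made for the illustration.

```python
import re

# Constructed sample source (hypothetical C# lines), not taken from the slides.
SAMPLE_SOURCE = """\
using System.Security.Cryptography;
// shared helper for session tokens
var shared = new SharedCache();
var hash = SHA1.Create();
var md = MD5.Create();
var message = "md5sum of the upload";
"""

# Naive rule set in the style the slide criticises: case-insensitive substrings.
NAIVE_RULES = {"weak crypto": ["sha", "md5"]}

# Sharper rule set: the algorithm identifier as a whole token, case-sensitive,
# which is how the .NET types are actually spelled in code.
BOUNDARY_RULES = {"weak crypto": [r"\bSHA1\b", r"\bMD5\b"]}


def scan_naive(source, rules=NAIVE_RULES):
    """Flag a line once per category when any substring needle occurs in it."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        lowered = line.lower()
        for category, needles in rules.items():
            for needle in needles:
                if needle in lowered:
                    findings.append((lineno, category, needle, line.strip()))
                    break  # one finding per category per line
    return findings


def scan_boundary(source, rules=BOUNDARY_RULES):
    """Flag a line once per category when a token-boundary pattern matches."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for category, patterns in rules.items():
            for pattern in patterns:
                if re.search(pattern, line):
                    findings.append((lineno, category, pattern, line.strip()))
                    break
    return findings


def false_positive_lines(naive, precise):
    """Lines the naive scanner reports that the boundary-aware scanner does not."""
    precise_lines = {f[0] for f in precise}
    return sorted({f[0] for f in naive} - precise_lines)


if __name__ == "__main__":
    naive = scan_naive(SAMPLE_SOURCE)
    precise = scan_boundary(SAMPLE_SOURCE)
    for lineno, category, needle, text in naive:
        print(f"naive    line {lineno}: {category} ({needle!r}): {text}")
    for lineno, category, pattern, text in precise:
        print(f"boundary line {lineno}: {category} ({pattern!r}): {text}")
    print("false positives from the naive rule:", false_positive_lines(naive, precise))
```

On the constructed input the naive rule reports lines 2, 3, 4, 5 and 6 (the comment, the `shared` variable and a string literal mentioning `md5sum` among them), while the boundary rule reports only lines 4 and 5, where the weak algorithms are actually instantiated. Triage effort scales with the false-positive count, which is why rule precision matters as much as rule coverage when a scanner is run over thousands of files.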
Microsoft FxCop
Features
• .NET only
• Works on .NET assemblies
– EXE, DLL
• Needs full project with debug binaries
• Tested 1.36
Results
Microsoft CAT.NET
Features
• .NET only
• Requires .NET Framework 4.0
• Requires Visual Studio 2005
– Works with VS 2010 Beta
• Tested version 2.0
• Requires unstripped PDB files
• Requires experience with .NET
Running
C:\Program Files\Microsoft Information Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /file:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\bin\Debug\Employee Managemet System.exe" /configdir:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\Properties"
Results
Agnitio
• Audit management & reporting tool
• Record basic application information
• Build your own checklist
– „Has a centralized whitelist approach to input validation been implemented?”
– Find evidence in source code
– Answer Yes/No
• Did not really work for me
– Issues with saving apps, validating fields
Commercial
• Ounce
– now IBM Rational AppScan Source Edition
• Veracode
– SaaS model – upload your code, automated and manually assisted
• Fortify 360 Source Code Analyzer
• Checkmarx CxAudit
• Klocwork
Questions?
• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• IBM: „11 proven practices for more effective, efficient peer code review”
– http://ibm.co/eszW1V