Source code analysis tools Paweł Krawczyk

Upload: pawel-krawczyk

Post on 26-Dec-2014


DESCRIPTION

Overview of tools for static code security analysis, with special focus on Yasca. See http://ipsec.pl/ for more details.

TRANSCRIPT

Page 1: Source Code Scanners

Source code analysis tools

Paweł Krawczyk

Page 2: Source Code Scanners

„Static analysis is great for catching common errors early”

Brian Chess (Fortify)

Page 3: Source Code Scanners

Source code analysis

• Why?
– Visibility limitations of blackbox testing
– Insight not only into what is implemented but also how
– Timing

• Blackbox needs working product
• Code analysis can start with single line of code

• Risks
– What you see is not always what ends up on the server

Page 4: Source Code Scanners

Why find bugs early?

Applied Software Measurement, Capers Jones, 1996
Building Security Into The Software Life Cycle, Marco M. Morana, 2006

Early code audit

Page 5: Source Code Scanners

Why find bugs early?

Applied Software Measurement, Capers Jones, 1996
Building Security Into The Software Life Cycle, Marco M. Morana, 2006

Pentest
Late code audit

Page 6: Source Code Scanners

Source code scanners

• Why?
– Manual testing is time consuming
– Manual testing is not easily standardised
– Human factor of manual testing

• Automated scanning
– Repeatable, standardised
– Better automated than none

Page 7: Source Code Scanners

SCA in ASVS

• OWASP Application Security Verification Standard (ASVS)
– Level 1B: Source code scan – partial automated verification
– Level 2B: Code review – partial manual verification

Page 8: Source Code Scanners

Tested free tools

• Yasca

• OWASP Code Crawler

• FxCop

• CAT.NET

• Agnitio

Page 9: Source Code Scanners

Yasca requirements

• PHP
– http://www.php.net/

• JRE
– 1.6.x from SDS or http://java.sun.com/

Page 10: Source Code Scanners

Installation

• Download main Yasca package
– yasca-2.1.zip
– http://sourceforge.net/projects/yasca/files/

• Download plugins
– yasca-2.1-something.zip

Page 11: Source Code Scanners

Installation #2

• Unpack yasca-2.1.zip
– No installer
– Any destination
– Runs directly from that directory

• Unpack plugins to a dedicated directory
– c:\static-analyzers

• Set environment variable SA_HOME
– SA_HOME=c:\static-analyzers\

Page 12: Source Code Scanners

Running Yasca

Page 13: Source Code Scanners

Running Yasca

Page 14: Source Code Scanners

Yasca performance

• Real application
– Java and JSP source code
– 17 MB uncompressed
– 2500 files
– 200 subdirectories
– Network share (LAN)

• Run time ~10 minutes

Page 15: Source Code Scanners

Yasca reporting

Page 16: Source Code Scanners

Troubleshooting

• Official manual
– http://www.yasca.org/h/documentation/

• Issues noticed
– PMD crashing sometimes
– How to limit large number of irrelevant issues?

Page 17: Source Code Scanners

OWASP Code Crawler

Page 18: Source Code Scanners

Features

• Version 2.5.1

• Supports C# and Java

Page 19: Source Code Scanners

Requirements

• .NET Framework 3.5

• Visual Studio 2008
– Works with VS 2010 Beta

Page 20: Source Code Scanners

Results

Page 21: Source Code Scanners

Issues

• Trivial detection rules
– „sha” in „shared” triggers „weak crypto” alert

• Work on one file at a time
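The „sha” in „shared” false positive above, as an added illustration that is not part of the deck and not Code Crawler's real rule set: a bare substring rule beside a tightened identifier-aware rule, run over constructed sample lines. Both rules and the sample lines are assumptions made for this example.

```python
import re

# Constructed sample source lines, not code from the deck. Line 2 is the
# "sha" in "shared" false positive the slide describes; lines 3 and 4 show
# further names that a substring rule wrongly reports.
SAMPLE_LINES = [
    'digest = hashlib.sha1(password.encode()).hexdigest()',
    'SharedPreferences shared = getSharedPreferences("cfg", 0);',
    'checksum = sha256(blob)',
    'String label = "md5sum output";',
    'h = MD5(payload)',
    'log.info("all done")',
]

# Rule in the style the slide criticises: a bare, case-insensitive substring match.
NAIVE_WEAK_CRYPTO = ("md5", "sha")

# Tightened rule (assumed here): the weak algorithm name must be a whole
# identifier that is immediately invoked, so "shared", "sha256" and
# "md5sum" no longer match while "sha1(" and "MD5(" still do.
TOKEN_WEAK_CRYPTO = re.compile(r"\b(?:md5|sha1?)\s*\(", re.IGNORECASE)


def naive_scan(lines):
    """Return 1-based line numbers flagged by the substring rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        if any(needle in lowered for needle in NAIVE_WEAK_CRYPTO):
            hits.append(number)
    return hits


def token_scan(lines):
    """Return 1-based line numbers flagged by the identifier-aware rule."""
    return [number for number, line in enumerate(lines, start=1)
            if TOKEN_WEAK_CRYPTO.search(line)]


def false_positives(lines):
    """Lines the naive rule reports that the tightened rule does not."""
    return sorted(set(naive_scan(lines)) - set(token_scan(lines)))


if __name__ == "__main__":
    print("naive :", naive_scan(SAMPLE_LINES))       # [1, 2, 3, 4, 5]
    print("token :", token_scan(SAMPLE_LINES))       # [1, 5]
    print("noise :", false_positives(SAMPLE_LINES))  # [2, 3, 4]
```

Three of the five naive findings are noise, which is the kind of irrelevant-issue volume the Yasca troubleshooting slide also asks about.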

Page 22: Source Code Scanners

Microsoft FxCop

Page 23: Source Code Scanners

Features

• .NET only

• Works on .NET assemblies
– EXE, DLL

• Needs full project with debug binaries

• Tested 1.36

Page 24: Source Code Scanners

Results

Page 25: Source Code Scanners

Microsoft CAT.NET

Page 26: Source Code Scanners

Features

• .NET only

• Requires .NET Framework 4.0

• Requires Visual Studio 2005
– Works with VS 2010 Beta

• Tested version 2.0

• Requires unstripped PDB files

• Requires experience with .NET

Page 27: Source Code Scanners

Running

C:\Program Files\Microsoft Information Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /file:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\bin\Debug\Employee Managemet System.exe" /configdir:"h:\Pentesting\Example - Employee Managemet System\Employee Managemet System\Properties"

Page 28: Source Code Scanners

Results

Page 29: Source Code Scanners

Agnitio

• Audit management & reporting tool
• Record basic application information
• Build your own checklist
– „Has a centralized whitelist approach to input validation been implemented?”
– Find evidence in source code
– Answer Yes/No

• Did not really work for me
– Issues with saving apps, validating fields

Page 30: Source Code Scanners
Page 31: Source Code Scanners

Commercial

• Ounce
– now IBM Rational AppScan Source Edition

• Veracode
– SaaS model – upload your code, automated and manually assisted

• Fortify 360 Source Code Analyzer

• Checkmarx CxAudit

• Klocwork

Page 32: Source Code Scanners

Questions?

• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• IBM: „11 proven practices for more effective, efficient peer code review”
– http://ibm.co/eszW1V