[Owasp-codereview] [Owasp-testing] Code Review project and Code-Scanning-Tool(s)
Jim Manico
jim at manico.net
Tue Jan 23 16:13:03 EST 2007
> For example, a tool that finds and flags all the encryption code is
> easy and valuable. Maybe it helps me navigate the code with "security
> goggles" on.
I think this would be a great step forward in code security. I could
imagine that a tool of this nature would let me flag blocks of code to fit
in a certain security category (input validation, encryption, auth, etc.)
and color-code it in some way.
Also, as an auditor, I could set a master list of concepts that I need to
search for in my manual audit, add audit-specific notations to code, and
perhaps have it give me a checklist of concepts I need to "check off" for every
JSP and servlet. Perhaps a flag to mark certain code as questionable or
needing further review... Perhaps a comment layer so a team of auditors
could collaborate on the code review/audit process.
Most of the commercial products out there that claim to be an Audit
Workbench are really only static analysis tools, nothing I see out there
really assists me with the manual code review process.
- Jim
Jeff Williams wrote:
>> I know that there are exceptions (and let's keep the business logic
>> vulnerabilities out of this one) but most issues should be detectable.
>
> I agree we should have a better framework for analyzing code for simple
> issues. LAPSE is interesting, but is really a one-trick pony. LAPSE
> does source-to-sink dataflow analysis, so it's pretty good for analyzing
> things like SQL injection and XSS. But it has no ability to analyze
> encryption, logging, access control, authentication, error handling,
> concurrency, etc... And it only works on Java.
>
> I think "most issues should be detectable" is too aggressive (I've done
> quite a lot of work in this space). That's what the commercial static
> analysis tool vendors are trying to do. I suggest we focus on tools
> that assist the manual code reviewer, and DO NOT try to find problems
> automatically.
>
> For example, a tool that finds and flags all the encryption code is easy
> and valuable. Maybe it helps me navigate the code with "security
> goggles" on. A tool that attempts to analyze the encryption code and
> determine if it is sound is ridiculously hard and will have lots of
> false alarms.
>
> The tool must have some compiler-like features - at least symbol
> resolution, because grep is too inaccurate.
>
> --Jeff
>
--
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim at manico.net
808.652.3805
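The "security goggles" navigation both messages describe (tag the crypto, SQL, auth and input-handling code so a reviewer can jump to it, with a per-file checklist to tick off) is illustrated below in an added example that is not code from this thread, from LAPSE or from any OWASP project. It does the minimal symbol resolution Jeff asks for: a simple name such as `Cipher` is tagged only when the file explicitly imports it from a categorised package, so a variable called `cipherName`, a string literal or a comment mentioning "Cipher" is not a hit, while a plain `grep -i cipher` flags all of them. The category prefixes, checklist items and the sample servlet are constructed assumptions for the demonstration; a real tool would resolve names against the project's classpath.

```python
import re

# Added example, not code from the original thread. Import prefixes and
# checklist items are assumptions chosen for illustration.
CATEGORIES = {
    "encryption": ("javax.crypto.", "java.security."),
    "sql": ("java.sql.", "javax.sql."),
    "auth": ("javax.security.auth.",),
    "input validation": ("javax.servlet.http.HttpServletRequest",),
}

CHECKLIST = {
    "encryption": ["algorithm/mode/padding reviewed", "key source reviewed",
                   "IV or nonce handling reviewed"],
    "sql": ["every query parameterised", "no user input concatenated into SQL"],
    "auth": ["credential handling reviewed", "session handling after login reviewed"],
    "input validation": ["each request parameter validated before use"],
}

IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+?)(\.\*)?\s*;")
TOKEN_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def category_for(fq_name):
    """Category of a fully-qualified class or member name, or None."""
    for cat, prefixes in CATEGORIES.items():
        if any(fq_name.startswith(p) for p in prefixes):
            return cat
    return None


def resolve_imports(source):
    """Return (names, wildcards): names maps each explicitly imported simple
    name to its category (the symbol resolution grep lacks); wildcards lists
    (package, category) for '.*' imports of categorised packages, whose simple
    names cannot be known without a classpath, so they go to manual review."""
    names, wildcards = {}, []
    for line in source.splitlines():
        m = IMPORT_RE.match(line)
        if not m:
            continue
        fq, is_wildcard = m.group(1), bool(m.group(2))
        if is_wildcard:
            pkg = fq + "."
            for cat, prefixes in CATEGORIES.items():
                if any(p.startswith(pkg) or pkg.startswith(p) for p in prefixes):
                    wildcards.append((fq, cat))
        else:
            cat = category_for(fq)
            if cat:
                names[fq.rsplit(".", 1)[-1]] = cat
    return names, wildcards


def strip_noise(source):
    """Blank out block comments, string literals and line comments, keeping
    line numbers stable, so a 'Cipher' in a string or comment is not a hit."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), source, flags=re.S)
    src = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', src)
    return re.sub(r"//.*", "", src)


def tag_source(source):
    """Sorted, de-duplicated (line_no, category, simple_name) for each use of
    a categorised imported name outside imports, strings and comments."""
    names, _ = resolve_imports(source)
    found = set()
    for no, line in enumerate(strip_noise(source).splitlines(), start=1):
        if IMPORT_RE.match(line):
            continue
        for tok in TOKEN_RE.findall(line):
            if tok in names:
                found.add((no, names[tok], tok))
    return sorted(found)


def review_report(source):
    """Findings plus the per-file checklist an auditor would tick off."""
    findings = tag_source(source)
    _, wildcards = resolve_imports(source)
    cats = sorted({c for _, c, _ in findings} | {c for _, c in wildcards})
    return {"findings": findings, "wildcards": wildcards,
            "checklist": {c: CHECKLIST[c] for c in cats}}


def naive_grep(source, word):
    """Line numbers a case-insensitive grep would report, for comparison."""
    return [no for no, line in enumerate(source.splitlines(), start=1)
            if word.lower() in line.lower()]


# Constructed sample servlet for the demonstration (not real project code).
SAMPLE = """\
package com.example.web;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import com.example.legacy.Hasher;

public class LoginServlet {
    private static final byte[] KEY = new byte[16];
    private static final String SUITE = "Cipher-A";
    // legacy Cipher wrapper is being phased out
    public void doPost(HttpServletRequest req, Connection conn) throws Exception {
        String cipherName = req.getParameter("alg");
        Cipher c = Cipher.getInstance(cipherName);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        PreparedStatement ps = conn.prepareStatement("select 1 from dual");
        Hasher h = new Hasher();
    }
}
"""

if __name__ == "__main__":
    for no, cat, name in tag_source(SAMPLE):
        print(f"{no:4d}  {cat:17s} {name}")
    print("wildcard imports to resolve by hand:", review_report(SAMPLE)["wildcards"])
    print("grep -i cipher would flag lines:", naive_grep(SAMPLE, "cipher"))
```

Run as-is it tags lines 17 and 18 as encryption, 15 and 19 as SQL, 15 as input handling, and sends the `java.security.*` wildcard import to the manual pile, while the grep comparison also flags the import line, the string constant, the comment and `cipherName`. The colour-coding and comment layer Jim wants would sit on top of the `review_report` output; the point of the example is that even this much resolution (explicit imports only, no classpath) already removes the false hits that make grep unusable as a navigation aid.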