[Owasp-board] [Owasp-codereview] [Owasp-testing] Code Review project and Code-Scanning-Tool(s)

Dinis Cruz dinis at ddplus.net
Thu Jan 18 22:59:16 UTC 2007


I think that (for several reasons, but mainly for practical, operational and
user value) OWASP needs to have its code scanning tool which is used to
validate and test the rules proposed (even if some of the test cases are
developed in a way that allows its detection by our tool).

And here is what I think the commercial vendors in this space should be
doing:

   - Work with OWASP in the definition of these test cases (and note that
   I am including here both documentation / taxonomy and automated code
   scanning tests)
   - Create products that are able to detect those issues much more
   effectively, with lower number of false positives, better GUI, better
   support and 'management-level support services' (which is why companies will
   pay for these tools/services).
   - Focus their development and research efforts in detecting 'Business
   Logic Vulnerabilities' which are much harder to detect but can be as
   dangerous/exploitable as 'technical' issues like SQL Injections.
   - Get into the field of 'real time application profiling, fuzzing and
   exploitation detection' which will detect many more vulnerabilities
   - Work on the development of GUIs designed specifically for security
   consultants performing source code audit. Actually what I really wanted was
   something like Google's Mondrian (
   http://video.google.co.uk/videoplay?docid=-8502904076440714866 ,
   http://www.niallkennedy.com/blog/archives/2006/11/google-mondrian.html
   ) with a focus on security source code review. This web based source
   code review solution designed for source code audits, would be a killer
   application especially if it was able to:
      - perform automatic checks on code for security vulnerabilities
         - using RegExs
         - using language specific analysis (.Net, Java, Python, C++,
         etc..)
         - using Sandboxes where exceptions are monitored and used
         to determine non-normal behaviour
      - document those findings and initiate a review workflow,
      - aid the security consultant/auditor in classifying the risk of
      the issue identified (and find other instances of that issue)
      - aid in the normal security source code review process (for
      example by identifying all data inputs or all authorization decisions)
      - aid in the resolution of the issues (maybe with code samples
      or auto-correction features)

Ideally we would end up in a situation where anybody is able to detect
automatically most of 'technical' security issues (SQL Injection, XSS, Bad
Configuration Settings, etc..) using a free OWASP tool. This tool
could be used during Code Development (as part of the check-in of code) or
during Security Audits.

Commercial companies would continue to pay for specialized (see list above
for why) products which are more expensive but (in principle) more targeted to
large commercial companies' needs.

If we get this right, we would make a massive difference in the number of
vulnerable applications out there (and the good news is that clients would
be able to demand that the code that they are buying was 'at least' analyzed
with these tools).

I actually think that this could be one of the most important OWASP
projects and could be the one that would make the most difference changing
the (in)security landscape of our web applications.

Of course that I am NOT saying that these tools will be able to detect every
single vulnerability (and note that I am excluding business logic
vulnerabilities from its capabilities). What I am saying is that it is
possible to build a code scanning tool which is able to detect 80% to 90%
(or more) of certain types of Critical, High and medium vulnerabilities.

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org

On 1/18/07, Jim Manico <jim at manico.net> wrote:
>
>  In the Java space the best code scanning tool I see in the OSS space is
> FindBugs; and in the commercial space I think Fortify is best.
>
> Instead of worrying about building an actual code scanning tool, why not
> focus on maxing a flaw taxonomy database that any tool vendor or OSS project
> can use?
>
> - Jim
>
> Javier Fernández-Sanguino wrote:
>
> Stephen de Vries said:
>
>  I mention Flawfinder (and not Rats) because it seems to be more actively
> developed. It has been brought to my attention that the latest release
> (1.27) includes the capability to work with control version systems
> (reporting on the differences found when making changes).
>
>  Am I correct in assuming that flawfinder can only find issues in C/C++
> code?  If so, this would be of limited benefit to the web app world
> because it's not used as often as things like .NET, PHP and even RoR.
>
>  True, flawfinder only works currently for C/C++ code (RATS provides
> coverage of more languages including PHP, Perl and Python). Any one of
> them, however, could be possibly extended to cover more languages. Maybe
> that's a SoC project on its own.
>
>    Are there any existing tools in OSS land for .NET and PHP?
>
>  For PHP: Rats
> For .NET: I don't know of any
>
> Regards
>
> Javier
>
> --
> Best Regards,
> Jim Manico
> GIAC GSEC Professional, Sun Certified Java Programmer
> jim at manico.net
>
> 808.652.3805
>
>

