[Owasp-testing] [Owasp-codereview] Code Review project and Code-Scanning-Tool(s)

Jeff Williams jeff.williams at aspectsecurity.com
Mon Jan 22 07:19:50 EST 2007


> I know that there are exceptions (and let's keep the business logic
> vulnerabilities out of this one) but most issues should be detectable.

I agree we should have a better framework for analyzing code for simple
issues.  LAPSE is interesting, but is really a one-trick pony.  LAPSE
does source-to-sink dataflow analysis, so it's pretty good for analyzing
things like SQL injection and XSS.  But it has no ability to analyze
encryption, logging, access control, authentication, error handling,
concurrency, etc... And it only works on Java.

I think "most issues should be detectable" is too aggressive (I've done
quite a lot of work in this space).  That's what the commercial static
analysis tool vendors are trying to do.  I suggest we focus on tools
that assist the manual code reviewer, and DO NOT try to find problems
automatically.

For example, a tool that finds and flags all the encryption code is easy
and valuable.  Maybe it helps me navigate the code with "security
goggles" on.  A tool that attempts to analyze the encryption code and
determine if it is sound is ridiculously hard and will have lots of
false alarms.

The tool must have some compiler-like features - at least symbol
resolution, because grep is too inaccurate.

--Jeff
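
The message above argues for a reviewer aid that flags encryption code by resolving symbols rather than by grepping. The following is an added example, not code from the mail, from LAPSE, or from any OWASP project: a small Python flagger built on the standard `ast` module that records what each imported name is bound to, resolves call targets to dotted module paths, and reports any call into a watch list of crypto modules. The watch-list prefixes and the sample program it scans are constructed for illustration; the sample deliberately contains an aliased import (which a grep for the module name misses) and a comment and a string that mention "AES" (which a grep flags although they are not code).

```python
"""Flag encryption call sites by resolving imported symbols, compared with grep."""
import ast
import re

# Assumed watch list: module prefixes a reviewer treats as "encryption code".
CRYPTO_PREFIXES = ("hashlib.", "hmac.", "secrets.", "cryptography.", "Crypto.")

# Constructed sample program (not real project code). Line numbers start at 1
# on the empty first line, so "import hashlib as h" is line 2.
SAMPLE = '''
import hashlib as h
from cryptography.hazmat.primitives.ciphers import Cipher as C, algorithms
import os

# This comment mentions AES but is not code.
aes_label = "AES-style naming in a string"

def digest(data):
    return h.sha256(data).hexdigest()   # aliased import: the module name never appears here

def encrypt(key, iv, data):
    cipher = C(algorithms.AES(key), None)
    return cipher.encryptor().update(data)

def unrelated():
    return os.urandom(16)
'''


def _qualify(node, bindings):
    """Resolve a Name or Attribute chain (a.b.c) to a dotted name via import bindings.

    Returns None when the chain does not start at an imported name, e.g. when
    the receiver is a local variable or the result of another call.
    """
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    root = bindings.get(node.id)
    if root is None:
        return None
    return ".".join([root] + parts[::-1])


def flag_crypto_calls(source, prefixes=CRYPTO_PREFIXES):
    """Return sorted (lineno, qualified_name) pairs for calls into watched modules."""
    tree = ast.parse(source)

    # Pass 1: symbol table of what each top-level name is bound to by imports.
    bindings = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    bindings[alias.asname] = alias.name        # import a.b as x -> x: a.b
                else:
                    top = alias.name.split(".")[0]
                    bindings[top] = top                        # import a.b -> a: a
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            for alias in node.names:
                bindings[alias.asname or alias.name] = f"{module}.{alias.name}"

    # Pass 2: flag every call whose resolved target lives under a watched prefix.
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _qualify(node.func, bindings)
            if name and name.startswith(prefixes):
                hits.append((node.lineno, name))
    return sorted(hits)


def grep_crypto(source, pattern=r"AES|hashlib|Cipher"):
    """Naive text search for comparison: line numbers where the pattern occurs."""
    return [i for i, line in enumerate(source.splitlines(), 1) if re.search(pattern, line)]


if __name__ == "__main__":
    for lineno, name in flag_crypto_calls(SAMPLE):
        print(f"symbol-resolved hit line {lineno}: {name}")
    print("grep hits on lines:", grep_crypto(SAMPLE))
```

On the sample, the symbol-resolving pass reports line 10 (`h.sha256`, resolved to `hashlib.sha256`) and line 13 (`Cipher` and `algorithms.AES`, both resolved under `cryptography.`), while the grep reports the two import lines plus lines 6 and 7, which are a comment and a string, and misses line 10 entirely. The call `cipher.encryptor()` on line 14 is not flagged by either: the receiver is a local variable, so following it would require tracking the assignment on line 13, which is the step from symbol resolution toward the dataflow analysis the message attributes to LAPSE.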