[Owasp-testing] [Owasp-codereview] Code Review project andCode-Scanning-Tool(s)

Jim Manico jim at manico.net
Tue Jan 23 16:13:03 EST 2007

> For example, a tool that finds and flags all the encryption code is
> easy and valuable. Maybe it helps me navigate the code with "security
> goggles" on.

I think this would be a great step forward in code security. I could
imagine that a tool of this nature would let me flag blocks of code to fit
in a certain security category (input validation, encryption, auth, etc.)
and color-code it in some way.

Also, as an auditor, I could set a master list of concepts that I need to
search for in my manual audit, add audit-specific notations to code, and
perhaps have a checklist of concepts I need to "check off" for every
JSP and servlet. Perhaps a flag to mark certain code as questionable or
needing further review... Perhaps a comment layer so a team of auditors
could collaborate on the code review/audit process.

Most of the commercial products out there that claim to be an Audit
Workbench are really only static analysis tools; nothing I see out there
really assists me with the manual code review process.

 - Jim

Jeff Williams wrote:
>> I know that there are exceptions (and let's keep the business logic
>> vulnerabilities out of this one) but most issues should be detectable.
> I agree we should have a better framework for analyzing code for simple
> issues.  LAPSE is interesting, but is really a one-trick pony.  LAPSE
> does source-to-sink dataflow analysis, so it's pretty good for analyzing
> things like SQL injection and XSS.  But it has no ability to analyze
> encryption, logging, access control, authentication, error handling,
> concurrency, etc... And it only works on Java.
> I think "most issues should be detectable" is too aggressive (I've done
> quite a lot of work in this space).  That's what the commercial static
> analysis tool vendors are trying to do.  I suggest we focus on tools
> that assist the manual code reviewer, and DO NOT try to find problems
> automatically.
> For example, a tool that finds and flags all the encryption code is easy
> and valuable.  Maybe it helps me navigate the code with "security
> goggles" on.  A tool that attempts to analyze the encryption code and
> determine if it is sound is ridiculously hard and will have lots of
> false alarms.
> The tool must have some compiler-like features - at least symbol
> resolution, because grep is too inaccurate.
> --Jeff

Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim at manico.net
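As an added illustration of the "security goggles" idea and of Jeff's point that grep is too inaccurate without symbol resolution, here is a small Python sketch (not code from this thread or from any OWASP project) that resolves a Java file's imports before classifying lines into review categories; the category map and the sample Java file are constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical prefix -> review category map; extend it to match the audit's master list.
CATEGORIES = {"javax.crypto.": "encryption", "java.security.MessageDigest": "encryption",
              "java.sql.": "database", "java.util.logging.": "logging"}
IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)\s*;")
TYPE_RE = re.compile(r"\b[A-Z]\w*\b")  # capitalised identifier, i.e. a type reference

def resolve_imports(source):
    # Simple class name -> fully qualified name, taken from the file's own import lines.
    names = {}
    for line in source.splitlines():
        m = IMPORT_RE.match(line)
        if m:
            names[m.group(1).rsplit(".", 1)[-1]] = m.group(1)
    return names

def classify(fqn):
    return next((cat for prefix, cat in CATEGORIES.items() if fqn.startswith(prefix)), None)

def flag_security_code(source):
    # Returns {category: [(line_no, line)]} for lines that use a *resolved* security API.
    names = resolve_imports(source)
    hits = defaultdict(list)
    for no, line in enumerate(source.splitlines(), 1):
        code = re.sub(r'"[^"]*"', '""', line).split("//", 1)[0]  # ignore strings, comments
        if IMPORT_RE.match(code):
            continue
        cats = {classify(names[t]) for t in TYPE_RE.findall(code) if t in names}
        for cat in sorted(c for c in cats if c):
            hits[cat].append((no, line.strip()))
    return dict(hits)
def grep_lines(source, word):  # plain text search, for contrast
    return [no for no, line in enumerate(source.splitlines(), 1) if word in line]

SAMPLE_JAVA = """import com.example.game.Cipher;  // constructed sample; a board-game class, not crypto
import java.security.MessageDigest;
import java.sql.PreparedStatement;
import java.util.logging.Logger;
public class Checkout {
    static Logger log = Logger.getLogger("checkout");
    void save(Connection c, String q, byte[] d) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        PreparedStatement ps = c.prepareStatement(q);
        log.info("Cipher puzzle saved");  // Cipher only inside a string
        Cipher.solve(md.digest(d));       // game class, not javax.crypto.Cipher
    }
}
"""
```

On the sample, `flag_security_code` reports only lines 6, 8 and 9 (logging, encryption, database), while `grep_lines(SAMPLE_JAVA, "Cipher")` flags lines 1, 10 and 11, none of which is encryption code.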
