[Owasp-testing] [Owasp-codereview] Code Review project andCode-Scanning-Tool(s)

Paolo Perego thesp0nge at gmail.com
Wed Jan 24 05:42:37 EST 2007


Jim you're right for the 50%. Orizon will be a dynamic code review tool too.
I'm planning to extract methods, C functions and build on the fly a test
program that stress the aformentioned method or function using an user
supplied input :)

thesp0nge

On 1/24/07, Jim Manico <jim at manico.net> wrote:
>
> My understanding is that both of those products are
> static-code-analyzers and not manual code review helpers. We are talking
> about apples and oranges here.
>
> - Jim
>
> Dinis Cruz wrote:
> > Ok, so we all agree that we need a tool to aid the manual code review
> > process.
> >
> > Who is going to help?
> >
> > We already have two OWASP projects that are trying to tackle this
> > problem (OWASP
> > LAPSE Project
> > <http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project>and
> > OWASP
> > Orizon
> > Project<http://www.owasp.org/index.php/Category:OWASP_Orizon_Project>)
> > so who wants to colaborate can either join these projects or start a new
> > project
> >
> > Dinis Cruz
> > Chief OWASP Evangelist
> > http://www.owasp.org
> >
> > On 1/23/07, Jim Manico <jim at manico.net> wrote:
> >>
> >>  >  For example, a tool that finds and flags all the encryption code is
> >> easy and valuable. Maybe it helps me navigate the code with "security
> >> goggles" on.
> >>
> >> I think this would be a great step forward in code security. I could
> >> image
> >> that a tool of this nature would let me flag blocks of code to fit in a
> >> certain security category (input validation, encryption, auth, etc) and
> >> color-code it in some way.
> >>
> >> Also, I could as an auditor set a master list of concepts that I need
> to
> >> search for in my manual audit, add audit-specific notations to code,
> and
> >> perhaps give me a checklist of concepts I need to "check off" for
> >> every jsp
> >> and servlet. Perhaps a flag to mark certain code as questionable, or
> >> needs
> >> further review.... Perhaps a comment layer so a team of auditors could
> >> collaborate on the code review/audit process.
> >>
> >> Most of the commercial products out there that claim to be an Audit
> >> Workbench are really only static analysis tools, nothing I see out
> there
> >> really assists me with the manual code review process.
> >>
> >>  - Jim
> >>
> >>
> >> Jeff Williams wrote:
> >>
> >>  I know that there are exceptions (and let's keep the business logic
> >>
> >>
> >>  vulnerabilities out
> >>
> >>
> >>
> >>  of this one) but most issues should be detectable.
> >>
> >>
> >>
> >> I agree we should have a better framework for analyzing code for simple
> >> issues.  LAPSE is interesting, but is really a one-trick pony.  LAPSE
> >> does source-to-sink dataflow analysis, so it's pretty good for
> analyzing
> >> things like SQL injection and XSS.  But it has no ability to analyze
> >> encryption, logging, access control, authentication, error handling,
> >> concurrency, etc... And it only works on Java.
> >>
> >>
> >>
> >> I think "most issues should be detectable" is too aggressive (I've done
> >> quite a lot of work in this space).  That's what the commercial static
> >> analysis tool vendors are trying to do.  I suggest we focus on tools
> >> that assist the manual code reviewer, and DO NOT try to find problems
> >> automatically.
> >>
> >>
> >>
> >> For example, a tool that finds and flags all the encryption code is
> easy
> >> and valuable.  Maybe it helps me navigate the code with "security
> >> goggles" on.  A tool that attempts to analyze the encryption code and
> >> determine if it is sound is ridiculously hard and will have lots of
> >> false alarms.
> >>
> >>
> >>
> >> The tool must have some compiler-like features - at least symbol
> >> resolution, because grep is too inaccurate.
> >>
> >>
> >>
> >> --Jeff
> >>
> >>
> >>
> >>
> >> ------------------------------
> >>
> >> _______________________________________________
> >> Owasp-codereview mailing
> >> listOwasp-codereview at lists.owasp
> .orghttp://lists.owasp.org/mailman/listinfo/owasp-codereview
> >>
> >>
> >>
> >> --
> >> Best Regards,
> >> Jim Manico
> >> GIAC GSEC Professional, Sun Certified Java
> >> Programmerjim at manico.net808.652.3805
> >>
> >>
> >
> >
> > --
> >
>
> --
> Best Regards,
> Jim Manico
> GIAC GSEC Professional, Sun Certified Java Programmer
> jim at manico.net
> 808.652.3805
>
>


-- 
Diverso non necessariamente significa peggiore
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20070124/ce05ec89/attachment-0001.html 


More information about the Owasp-testing mailing list