Re: Source code review tools for ColdFusion

["Darren Bounds" <dbounds () gmail com>]

Thanks Dean,

We've' been doing similar things with regular expressions and home
grown tools. I was just surprised how difficult (currently impossible
but perhaps Fortify will change that) it is to find a commercial tool
that supports CF considering how prevalent it is.

Contrary to information I've received from several list members,
neither SPIDynamics nor OunceLabs support it.

Darren


On 4/2/07, Dean H. Saxe <dean () fullfrontalnerdity com> wrote:
> IIRC, Fortify has a CF module that you can use.
>
> If you don't have access to Fortify a couple of quick regexes will
> give you a lot of insight.  The easy ones are looking for unsafe
> functions, such as preserveSingleQuotes(), the harder ones look for
> queries which don't use CFQUERYPARAM or unsanitized output.  Back in
> 2003/2004 I wrote a parser in Perl to help automate some of the more
> boring code review tasks in CF.  Unfortunately, the source was left
> with my previous employer and never released as planned.  Was it
> perfect?  Heck no.  Did it help catch a lot of bugs that would have
> otherwise been missed?  Absolutely.
>
> -dhs
>
> Dean H. Saxe, CISSP, CEH
> dean () fullfrontalnerdity com
> "If liberty means anything at all, it means the right to tell people
> what they do not want to hear."
>     -- George Orwell, 1945
>
>
> On Mar 26, 2007, at 2:55 PM, Darren Bounds wrote:
>
> > Is anyone aware of any 'reasonably good' tools to assist with source
> > code review in ColdFusion? I've been having a difficult time finding
> > anything at all.
> >
> > --
> >
> > Thank you,
> > Darren Bounds
> >
> > ----------------------------------------------------------------------
> > ---
> > Sponsored by: Watchfire
> >
> > Methodologies & Tools for Web Application Security Assessment
> > With the rapid rise in the number and types of security threats,
> > web application security assessments should be considered a crucial
> > phase in the development of any web application. What methodology
> > should be followed? What tools can accelerate the assessment
> > process? Download this Whitepaper today!
> >
> > https://www.watchfire.com/securearea/whitepapers.aspx?
> > id=701500000008fHK
> > ----------------------------------------------------------------------
> > ----
> >


--

Thank you,
Darren Bounds

-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack. That's 
because hackers know to exploit weaknesses in web applications. 
Traditional approaches to securing these assets no longer apply. Download 
the "Addressing Challenges in Application Security" whitepaper today, 
and see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF
--------------------------------------------------------------------------