Security Basics mailing list archives

Re: Vuln Scanner for Web App Source Code


From: "Dan Anderson" <dan.anderson.mobile () gmail com>
Date: Mon, 19 May 2008 02:17:23 -0400

There are quite a few automated code scanners that look for various
things.  The other reply is a good source for many of these.

I'm not sure what your situation is*, but in general, care should be
taken with these tools for several reasons:

1.  They often generate a lot of false positives that need to be
weeded out.  Your credibility can be damaged by reporting too many
false positive results or "technically correct but so what?" style
findings.
2.  While many of these are getting better, they all can still miss
stuff, important stuff, even stuff that is really obvious if you read
the code.
3.  It is not always simple to determine false positives and negatives
without a strong development background even with the best tools
available.
4.  You may not have access to all of the code which you really need
to test - you run into this a lot on Windows where you have a black-box
DLL in the middle of a critical program.

These scanners all work better as tools in a "toolbox" that you use to
evaluate code with rather than as the "Solutions" they are often sold
as.

Your most important tool (IMO) is a good methodology and your second
most important tool (IMO) is a good understanding of the application,
environment and the data flows around it (there are some good tools in
this area too, Eclipse has some good plugins, Windows "Search" can be
useful, grep, JavaDocs, etc.).

When selecting a tool for your "toolbox" you should have a clear
understanding of what role it will play in your methodology.  Your
methodology should drive your efforts, not the available tools or the
reports they provide.  This is particularly important to remember when
you are using the high-end scanners which create pretty reports - a
color-coded graph of unverified results is still just a bunch of
unverified results.

There is also probably a philosophical discussion that should be had
concerning these sorts of tools. Some of these tools are really
expensive and your organization might be better off spending some
money on secure development specific developer training (including
books - there are some good ones available), basic software resources
(lint, purify, etc) and integrating security into your SDLC
(requirements, code review checklists, QA testing, etc) than to try
and "test security in" at the very end.  In my experience, with
software security the 80% solution is developer training/awareness and
SDLC security process integration/improvements.  (I know - this sounds
like an advertisement for TQM or CMM but it really is true.)

Good Luck!
Dan

* depending on your role in all of this you may care less about some
of these issues - i.e. if you are a developer and are looking for
something to help you improve your code quality (bless you!), maybe
you don't mind looking at a bunch of false positives since you can
weed them out yourself or within your team, whereas if you are in a
compliance position reporting a bunch of false positives may make you
lose credibility to several layers of management and staff - reducing
your overall effectiveness.

On Sun, May 18, 2008 at 12:15 AM,  <cnanne () gmail com> wrote:
This might be a bit of a dumb question, but does anyone know of a good Vulnerability Scanner for finding faults in
the actual Source Code of the Web App? Or can this task only be done by hand?

Any feedback on this is highly appreciated

cheers,

PhoenixRbrth
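An added illustration of points 1 and 2 in the reply above (example code written for this archive page, not from the original post or from any real scanner): a grep-style rule run over a constructed snippet of web-app source, a crude "does the value reach execute()?" triage that removes the log-string false positive, and a reader's stricter check that surfaces the %-formatted query the pattern never saw. The sample source, the rule patterns and the sink name `execute` are all assumptions for the example.

```python
import re

# Constructed sample of web-app source (assumed for this example, not from the
# post): line 3 is a real injection, line 7 only builds a log string, line 12
# is an equally obvious injection that a '+'-only rule never sees.
SAMPLE_SOURCE = """\
def find_user(request, db):
    name = request.args["name"]
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return db.execute(query)

def audit(n):
    msg = "SELECT count was " + str(n)
    log(msg)

def find_by_id(request, db):
    uid = request.args["id"]
    sql = "SELECT * FROM users WHERE id = %s" % uid
    return db.execute(sql)
"""
SQL_STRING = r'"(?:SELECT|INSERT|UPDATE|DELETE)[^"]*"'
NAIVE_RULE = re.compile(SQL_STRING + r'\s*\+')               # grep-style: SQL literal then '+'
BUILT_SQL = re.compile(SQL_STRING + r'\s*(?:\+|%|\.format)')  # any dynamically built SQL
ASSIGN = re.compile(r'^\s*(\w+)\s*=')                         # name on the left of '='
EXECUTE = re.compile(r'\.execute\((\w+)\)')                   # the assumed sink
def naive_scan(source):
    """Line numbers a pattern-only scanner reports: unverified findings."""
    return [n for n, ln in enumerate(source.splitlines(), 1) if NAIVE_RULE.search(ln)]
def executed_vars(source):
    """Variable names passed to execute(): the crude 'does it reach a sink?' check."""
    return {m.group(1) for ln in source.splitlines() for m in EXECUTE.finditer(ln)}
def assigned_name(line):
    """Name assigned on this line, or None if it is not an assignment."""
    m = ASSIGN.match(line)
    return m.group(1) if m else None
def triage(source, hits):
    """Keep only findings whose assigned variable later reaches execute()."""
    lines, sinks = source.splitlines(), executed_vars(source)
    return [n for n in hits if assigned_name(lines[n - 1]) in sinks]
def review_scan(source):
    """What a reader of the code flags: any dynamically built SQL that is executed."""
    sinks = executed_vars(source)
    return [n for n, ln in enumerate(source.splitlines(), 1)
            if BUILT_SQL.search(ln) and assigned_name(ln) in sinks]

if __name__ == "__main__":
    hits = naive_scan(SAMPLE_SOURCE)
    print("scanner reported:", hits)                                   # [3, 7]
    print("verified after triage:", triage(SAMPLE_SOURCE, hits))       # [3]
    print("missed by scanner:", sorted(set(review_scan(SAMPLE_SOURCE)) - set(hits)))  # [12]
```

The triage step is exactly the "weeding out" the reply talks about, and the gap between `review_scan` and `naive_scan` is the obvious finding a report full of pattern hits would not contain.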
