Penetration Testing mailing list archives
Re: tools to scan source code
From: Kish Pent <kish_pent () yahoo com>
Date: Tue, 12 Sep 2006 21:08:13 -0700 (PDT)
Hello Wahyu,

I think a doctor should do surgery because he knows how to do it; the same way, an application's source code should be reviewed by a penetration-test team to comply with some methodology like OWASP, not by the developer, because developers learn to build software and pen-testers know how to break software.

Second point is RATS - Rough Auditing Tool for Security by Secure Software (http://www.securesw.com/rats) can audit PHP code too (but it's not dependable, it just analyzes source code roughly). Stefano :), you must see Security Forest's page which says RATS can audit C, C++, Perl, PHP & Python source code (http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners).

I haven't tried SWAAT from Security Compass though. It's safe to bet on pen-test, because automated tools don't substitute humans any time of the day.

Cheers :)

--- Stefano Zanero <zanero () elet polimi it> wrote:

> Ric Messier wrote:
>> PHP is fairly C-like. If you know C, it's pretty easy to read PHP. However, try RATS.
>> http://www.securesoftware.com/download_rats.htm
>
> Are you suggesting that RATS (a source code scanner for C) would be able to detect security vulnerabilities in PHP? That's a challenging proposition :)
>
> As far as I know, very little exists in the area of "source code auditing" for web applications. Developing one is not easy (it's one of our research tasks at the moment).
>
> From what I've seen, the SWAAT tool mentioned elsewhere is little more than what you can obtain through grep...
>
> Best,
> Stefano
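To make concrete what "little more than grep" and "analyzes source code roughly" mean in the exchange above, here is an added example of a minimal pattern-based PHP sink scanner. It is not code from RATS, SWAAT or anyone in this thread; the sink list, the regular expressions and the sample PHP file are all constructed for illustration. It flags calls to dangerous sinks by regular expression, notes when a `$variable` is interpolated into a quoted string passed to the sink (the classic injection smell a rough scanner can see), and shows the difference between a raw grep over the file and the same scan with comments blanked out first.

```python
"""Rough grep-style PHP sink scanner (constructed example, not RATS or SWAAT)."""
from __future__ import annotations

import re

# Hypothetical sink list: functions a rough scanner would flag on sight.
SINKS = {
    "eval": "executes a string as PHP code",
    "system": "spawns a shell command",
    "exec": "spawns a shell command",
    "passthru": "spawns a shell command",
    "shell_exec": "spawns a shell command",
    "include": "loads a file as code",
    "require": "loads a file as code",
    "mysql_query": "SQL query; check how the string is built",
}

# Whole-word sink name followed by '(' or the start of an argument,
# so "Evaluator" does not match "eval".
SINK_RE = re.compile(
    r"\b(" + "|".join(re.escape(s) for s in SINKS) + r")\b(?=\s*[(\"'$])"
)
# A PHP variable interpolated inside a double-quoted string: "... $id ..."
INTERP_RE = re.compile(r'"[^"]*\$\w+[^"]*"')


def strip_comments(source: str) -> str:
    """Blank out /* */ blocks and full-line // or # comments, keeping newlines
    so that reported line numbers stay aligned with the original file.
    Still rough: a trailing comment after code on the same line is left alone,
    which also keeps URLs such as "http://..." inside strings intact."""
    def blank(m: re.Match) -> str:
        return re.sub(r"[^\n]", " ", m.group(0))

    source = re.sub(r"/\*.*?\*/", blank, source, flags=re.S)
    source = re.sub(r"(?m)^[ \t]*(//|#)[^\n]*", blank, source)
    return source


def scan_php(source: str, skip_comments: bool = True) -> list[dict]:
    """Return one finding per sink call. With skip_comments=False this is
    nothing more than grep and will flag commented-out code as well."""
    text = strip_comments(source) if skip_comments else source
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SINK_RE.finditer(line):
            name = m.group(1)
            arg_region = line[m.end():]
            findings.append({
                "line": lineno,
                "sink": name,
                "why": SINKS[name],
                # True when a variable is spliced into a quoted string argument
                "interpolated_var": bool(INTERP_RE.search(arg_region)),
            })
    return findings


# Constructed sample PHP file exercising the scanner's blind spots.
SAMPLE_PHP = """<?php
// eval($_GET['x']);  commented out: a raw grep still flags it
$id = $_GET['id'];
$r1 = mysql_query("SELECT * FROM users WHERE id = $id");
$r2 = mysql_query("SELECT * FROM users WHERE id = 1");
$out = shell_exec("ls " . escapeshellarg($_GET['d']));
/* system("rm -rf /tmp/x"); dead code in a block comment */
$evaluator = new Evaluator();   // substring, not a call
"""

if __name__ == "__main__":
    for mode in (True, False):
        print("skip_comments =", mode)
        for f in scan_php(SAMPLE_PHP, skip_comments=mode):
            print("  line %(line)d: %(sink)s (%(why)s) interpolated=%(interpolated_var)s" % f)
```

Run as a script it prints three findings with comments stripped (lines 4, 5 and 6) and five without (lines 2, 4, 5, 6 and 7). Note what even the "smarter" pass cannot do: it reports both `mysql_query` calls and leaves a human to decide that only the one with `$id` spliced in matters, it cannot tell that `$_GET['d']` on line 6 is wrapped in `escapeshellarg`, and it knows nothing about where `$id` came from. That gap between textual matching and data-flow understanding is exactly why the thread treats such tools as a first pass rather than a substitute for a reviewer.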
Current thread:
- tools to scan source code Wahyu Wijaya H. (Sep 11)
- RE: tools to scan source code Ric Messier (Sep 11)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Kish Pent (Sep 13)
- Re: tools to scan source code Stefano Zanero (Sep 13)
- Re: tools to scan source code Ben Hall (Sep 13)
- Re: tools to scan source code Dan Catalin Vasile (Sep 13)
- RE: tools to scan source code Benjamin Livshits (Sep 13)
- Re: tools to scan source code Kish Pent (Sep 16)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Wahyu Wijaya H. (Sep 13)
- Re: tools to scan source code Barrie Dempster (Sep 14)
- RE: tools to scan source code Benjamin Livshits (Sep 15)
- RE: tools to scan source code Ric Messier (Sep 11)