Re: tools to scan source code

[Dan Catalin Vasile <hardware_cta () yahoo com>]

Hi Ben,

You can contribute to open source projects like RATS.
You will have a lot of benefits from this, including a
good CV. And also, we will have (hopefuly) better
software to analize source code :).

Have secure fun,
Dan


--- Ben Hall <ben2004uk () googlemail com> wrote:

> Hello all,
>
> been watching this conversation closely as it is
> hugely relevant to me
> at the moment.
>
> I am just about to enter my final year of
> University, and I was hoping
> to create a static source code analyser for ASP.net
> applications......I thought it was a good idea,
> however after reading
> this I am starting to think otherwise, and maybe
> there could be better
> uses of the opportunity to complete a large project.
>
> Does anyone have any advice?  I want to do a project
> involving
> security and .net.   I've been recommend to do a
> application to edit
> the http request - like WebScarab however this has
> been done many
> times, and doesn't represent anything 'new'  and
> while source code
> auditors aren't new, they are less readily available
> as open source
> software.  This still is an option I might look
> into, and taking it
> off on a tangent some how, and doing more of a full
> pen-test
> application.
>
> I welcome anyones advice.
>
> Thank you
>
> Ben
>
>
> On 13/09/06, Stefano Zanero <zanero () elet polimi it>
> wrote:
> > Hi Kish,
> >
> > I realize I've been a bit too cryptic in my
> answer:
> > > Stefano :), you must see Security Forest's page
> which
> > > says RATS can audit C,C++,Perl,PHP & Python
> source
> > >
code.(http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners)
> > Yes, RATS _can_ audit PHP source. What I was
> referring to is that web
> > app vulnerabilities have a different structure
> than the vulnerabilities
> > you commonly audit C source code for.
> >
> > For instance, you can detect candidates for buffer
> overflow (along with
> > a bunch of false positives) through simple regexp
> pattern matching. It's
> > way more difficult to detect with few false
> positives candidates for SQL
> > injection.
> >
> > The fact that RATS is able to handle PHP code is
> not a synonym to the
> > fact that it can handle web-app vulnerabilities.
> >
> > Stefano
------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download
> Hailstorm for FREE.
> >
http://www.cenzic.com/products_services/download_hailstorm.php
> >
------------------------------------------------------------------------
> >
------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download
> Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
>
------------------------------------------------------------------------
>


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------