Penetration Testing mailing list archives
Re: tools to scan source code
From: "Wahyu Wijaya H." <wahyu.w.h () gmail com>
Date: Wed, 13 Sep 2006 20:33:47 +0700
I've been evaluating SWAAT and it adequately meets my needs. It reports 1 high severity, 324 medium severity, and 5 low severity findings from the web app. :) It still tells me to audit manually... but at least I know where to start and it really saves my time... so, it seems I have to stay out of bed to enter the PHP world :) --just kidding-- I haven't tried RATS, but I will try it soon. "automated tools don't substitute for humans any time of the day".. Kish, you're absolutely right.. but gathering a pen-test team is quite hard in our situation right now; the project owner is a little strict on budget... that's why I have to take all the responsibility for security myself.. *sigh* it's tiresome but it's part of the job :) thanks to all for helping, cheers. :)

On 9/13/06, Kish Pent <kish_pent () yahoo com> wrote:
Hello Wahyu,

I think a doctor should do surgery because he knows how to do it; in the same way, an application's source code should be reviewed by a penetration-test team to comply with some methodology like OWASP, not by the developers, because developers learn to build software and pen-testers know how to break software.

Second point: RATS - Rough Auditing Tool for Security by Secure Software (http://www.securesw.com/rats) can audit PHP code too (but it's not dependable; it just analyzes source code roughly). Stefano :), you must see Security Forest's page, which says RATS can audit C, C++, Perl, PHP & Python source code (http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners).

I haven't tried SWAAT from Security Compass though; it's safe to bet on a pen-test, because automated tools don't substitute for humans any time of the day.

Cheers :)

--- Stefano Zanero <zanero () elet polimi it> wrote:
> Ric Messier wrote:
> > PHP is fairly C-like. If you know C, it's pretty easy to read PHP. However, try RATS.
> > http://www.securesoftware.com/download_rats.htm
>
> Are you suggesting that RATS (a source code scanner for C) would be able to detect security vulnerabilities in PHP ?
>
> That's a challenging proposition :)
>
> As far as I know, very little exists in the area of "source code auditing" for web applications. Developing one is not easy (it's one of our research tasks at the moment)
>
> From what I've seen, the SWAAT tool mentioned elsewhere is little more than what you can obtain through grep...
>
> Best,
> Stefano
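To make concrete what a "little more than grep" scanner of the kind debated in this thread does, and why its output (Wahyu's 1 high / 324 medium / 5 low) still ends with "audit manually", here is an added example that is not part of the original thread and is not RATS or SWAAT code. It is a hypothetical, deliberately rough PHP source scanner written in Python: it matches a fixed table of dangerous sinks against lines that use a user-controlled superglobal, tracks one hop of assignment so that `$cmd = $_POST[...]; system($cmd);` is still caught, and downgrades rather than suppresses a finding when a sanitizer is on the same line. The sink and sanitizer tables, the severities and the PHP sample are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample PHP source for the demonstration (not from the thread).
SAMPLE_PHP = r"""<?php
$id = $_GET['id'];
$q = "SELECT * FROM users WHERE id = " . $id;
mysql_query($q);
$cmd = $_POST['cmd'];
system($cmd);
system("ls -l");
echo htmlspecialchars($_GET['name']);
echo $_GET['name'];
include($_REQUEST['page'] . ".php");
"""

# Dangerous sinks and the severity a rough scanner would assign to each
# (hypothetical table, not the one RATS or SWAAT use).
SINKS = {
    "system": "high", "exec": "high", "passthru": "high", "shell_exec": "high",
    "eval": "high", "include": "high", "require": "high",
    "mysql_query": "medium", "echo": "medium", "print": "medium",
}
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")       # user-controlled input
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, SINKS)) + r")\b")
SANITIZER_RE = re.compile(
    r"\b(?:htmlspecialchars|mysql_real_escape_string|intval|escapeshellarg)\s*\(")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=[^=](.*)$")   # plain "$var = ..." only; ".=" etc. are ignored
VAR_RE = re.compile(r"\$\w+")


@dataclass
class Finding:
    line: int
    sink: str
    severity: str
    text: str


def scan_php(src: str) -> list[Finding]:
    """Flag sink calls on lines that use a superglobal or a variable assigned from one."""
    findings: list[Finding] = []
    tainted: set[str] = set()   # variables seen receiving user input, in file order
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        lhs, used_part = (m.group(1), m.group(2)) if m else (None, line)
        used = set(VAR_RE.findall(used_part))
        line_tainted = bool(SOURCE_RE.search(used_part)) or bool(tainted & used)
        if lhs is not None:
            # one-hop propagation: "$q = ... $id" taints $q; a clean reassignment clears it
            if line_tainted:
                tainted.add(lhs)
            else:
                tainted.discard(lhs)
        sm = SINK_RE.search(used_part)
        if sm and line_tainted:
            severity = SINKS[sm.group(1)]
            if SANITIZER_RE.search(line):
                # a sanitizer is present, but whether it is the right one for this
                # sink (HTML escaping does nothing for SQL) is exactly the manual check
                severity = "low"
            findings.append(Finding(lineno, sm.group(1), severity, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, the way a tool's summary line would."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"{f.severity:6} line {f.line}: {f.sink}()  {f.text}")
    print(summarize(scan_php(SAMPLE_PHP)))
```

On the sample this reports two high findings (the `system()` of a `$_POST` value and the `include()` of a `$_REQUEST` value), two medium (the concatenated SQL reaching `mysql_query()` via `$id` and `$q`, and the unescaped `echo`), and one low (the `echo` wrapped in `htmlspecialchars()`), while `system("ls -l")` is not reported at all. What it cannot do is the reviewer's job: it has no idea whether `$id` is numeric, whether the sanitizer matches the sink, or what happens across function calls and files, which is why every hit is a place to start reading rather than a confirmed bug.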
Current thread:
- tools to scan source code Wahyu Wijaya H. (Sep 11)
- RE: tools to scan source code Ric Messier (Sep 11)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Kish Pent (Sep 13)
- Re: tools to scan source code Stefano Zanero (Sep 13)
- Re: tools to scan source code Ben Hall (Sep 13)
- Re: tools to scan source code Dan Catalin Vasile (Sep 13)
- RE: tools to scan source code Benjamin Livshits (Sep 13)
- Re: tools to scan source code Kish Pent (Sep 16)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Wahyu Wijaya H. (Sep 13)
- Re: tools to scan source code Barrie Dempster (Sep 14)
- RE: tools to scan source code Benjamin Livshits (Sep 15)
- RE: tools to scan source code Ric Messier (Sep 11)
- RE: tools to scan source code Lisa Foster (Sep 13)
- RE: tools to scan source code andy cuff (Sep 14)
- RE: tools to scan source code Ric Messier (Sep 14)
- RE: tools to scan source code Clemens, Dan (Sep 14)