RE: tools to scan source code

["Benjamin Livshits" <livshits () cs stanford edu>]

We have contemplated augmenting LAPSE with .NET support. LAPSE, an
open-source Java source code auditing tool, is now housed at OWASP:

        http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project

Let me know if you are interested.

-Ben  

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Ben Hall
> Sent: Wednesday, September 13, 2006 2:35 AM
> To: Stefano Zanero
> Cc: kish_pent () yahoo com; Ric Messier; Wahyu Wijaya H.; 
> pen-test () securityfocus com
> Subject: Re: tools to scan source code
>
> Hello all,
>
> been watching this conversation closely as it is hugely 
> relevant to me at the moment.
>
> I am just about to enter my final year of University, and I 
> was hoping to create a static source code analyser for 
> ASP.net applications......I thought it was a good idea, 
> however after reading this I am starting to think otherwise, 
> and maybe there could be better uses of the opportunity to 
> complete a large project.
>
> Does anyone have any advice?  I want to do a project involving
> security and .net.   I've been recommend to do a application to edit
> the http request - like WebScarab however this has been done 
> many times, and doesn't represent anything 'new'  and while 
> source code auditors aren't new, they are less readily 
> available as open source software.  This still is an option I 
> might look into, and taking it off on a tangent some how, and 
> doing more of a full pen-test application.
>
> I welcome anyones advice.
>
> Thank you
>
> Ben
>
>
> On 13/09/06, Stefano Zanero <zanero () elet polimi it> wrote:
> > Hi Kish,
> >
> > I realize I've been a bit too cryptic in my answer:
> >
> > > Stefano :), you must see Security Forest's page which 
> says RATS can 
> > > audit C,C++,Perl,PHP & Python source
> code.(http://www.securityforest.com/wiki/index.php/Category:Source_C
> > > ode_Scanners)
> >
> > Yes, RATS _can_ audit PHP source. What I was referring to 
> is that web 
> > app vulnerabilities have a different structure than the 
> > vulnerabilities you commonly audit C source code for.
> >
> > For instance, you can detect candidates for buffer overflow (along 
> > with a bunch of false positives) through simple regexp pattern 
> > matching. It's way more difficult to detect with few false 
> positives 
> > candidates for SQL injection.
> >
> > The fact that RATS is able to handle PHP code is not a 
> synonym to the 
> > fact that it can handle web-app vulnerabilities.
> >
> > Stefano
> ----------------------------------------------------------------------
> > --
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php
> ----------------------------------------------------------------------
> > --
>
> --------------------------------------------------------------
> ----------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> --------------------------------------------------------------
> ----------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------