Re: Vuln Scanner for Web App Source Code



Jason wrote:
Fortify and Ounce both have source code scanners and both are quite
capable (at least seem to be). I am in the middle of trying to figure
out which one to use for our source code analysis projects.

Cenzic Hailstorm and SPI Dynamics Web Inspect are vulnerability
scanners ONLY and do NOT inspect source code. Same with Paros Proxy,
this is a pen testing / VA tool more than anything.

I'd still recommend you do manual checks in addition to using a source
code scanner. You'll have to verify the results.

I couldn't agree more. Most of the static analysis products will convert
the source code into another format (usually XML based) and then search
the content for possible vulnerabilities. With low-hanging fruit like
XSS caused by not sanitizing and checking inputs, these tools are really
good. However, most lack the ability to completely analyze the
application workflow and see issues in/out of the code base.


-J

On 18 May 2008 04:15:50 -0000, cnanne@xxxxxxxxx <cnanne@xxxxxxxxx> wrote:
This might be a bit of a dumb question, but does anyone know of a good Vulnerability Scanner for finding faults in the actual Source Code of the Web App? Or can this task only be done by hand?


Any feedback on this is highly appreciated



cheers,


PhoenixRbrth



Mike Duncan
ISSO, Application Security Specialist
NOAA :: National Climatic Data Center

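The "convert the source into another representation, then search it" approach described in the reply, as an added example that is not part of the thread: a toy scanner that parses a constructed Python handler module into an AST and flags calls to an assumed response sink `respond` whose argument contains a `request.GET` read not wrapped in an assumed sanitizer `escape`. It catches the direct case and stays quiet on the escaped one, but misses the same data flowing through `helper`, which is exactly the whole-workflow gap the post points out.

```python
import ast

# Constructed sample handler module (not from the thread); respond(), escape()
# and request.GET are assumed names standing in for a real web framework.
SAMPLE = '''
def direct(request):
    return respond("<p>" + request.GET["q"] + "</p>")

def escaped(request):
    return respond("<p>" + escape(request.GET["q"]) + "</p>")

def helper(request):
    return request.GET["q"]

def indirect(request):
    return respond(helper(request))
'''

SOURCE_ATTR = "GET"       # request.GET[...] is treated as attacker-controlled
SINK_NAME = "respond"     # writes straight into the HTTP response body
SANITIZERS = {"escape"}   # calls that neutralise the taint

def _tainted(node):
    """True if an expression syntactically contains a raw request.GET read
    that is not wrapped in a sanitiser call. Intra-procedural only: a call
    to any other function is treated as clean, so helper() hides the flow."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
            and node.func.id in SANITIZERS:
        return False
    if isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute) \
            and node.value.attr == SOURCE_ATTR:
        return True
    return any(_tainted(child) for child in ast.iter_child_nodes(node))

def scan(source):
    """Return names of functions that pass tainted data straight to the sink."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if isinstance(call, ast.Call) and isinstance(call.func, ast.Name) \
                    and call.func.id == SINK_NAME \
                    and any(_tainted(arg) for arg in call.args):
                findings.append(func.name)
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE))  # ['direct']; 'indirect' is a false negative
```

The false negative on `indirect` is the kind of result the manual review recommended above is meant to catch.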

