Friday, March 24, 2006

Source Code Security Vulnerability Scanners

In the last few weeks I attended a lot of webcasts and seminars on security, and I have also served different companies in different positions and roles. My observation is that companies are trying hard to protect their assets and become compliant so that they will not be a target for hackers. Everyone talks a lot about network security, application security, and so on. All these people use big words like SQL injection, buffer overflow and format string vulnerabilities, but what these actually are, and what precautions we have to take to avoid them, is missing. I talked a lot about security with different vendors and finally found that the only information coming to me was about firewalls, IDS, VPNs, network audits, procedure audits and the like. These things are essential, but I was asking about a complete security solution, and nobody pointed out that we can also suppress the bugs behind these vulnerabilities at development time. The above aspects are the most common ones, and I trust every person working in security knows them too. The net outcome is that all vendors are trying to sell products, not solutions.
Lots of well-known bugs are present in already deployed software, so it is essential to protect against them, but please concentrate on whatever is going to be built in the future too. I have worked with highly qualified test engineers; they all talk about big testing products like Jtest, Robo J etc. But where is the mechanism that will tell you the developers are generating secure code with respect to the well-known vulnerabilities? I know by this time this article seems boring to you, but this is the fact. Very few people know that there are automated tools on the market with the help of which you can suppress the mistakes made earlier, that is, the vulnerabilities.
These automated tools perform the audit on the principle of known mistakes, or signatures. For example, when I say buffer overflow vulnerability, I mean improper usage of the gets(), scanf(), sprintf(), strcat() and strcpy() function calls. These functions are certainly needed, but sometimes by mistake they are not used properly, which generates different kinds of vulnerabilities. As per one survey there are 10000+ known vulnerabilities, and I trust almost 50% of that figure has also been analyzed by experts to learn the patterns that commonly combine to create vulnerabilities. So these automated audit tools match your code against these known patterns, and if a tool finds a matching string pattern it raises an alert for a potential vulnerability. Some of the known audit tools are described below.
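To make the signature-matching principle concrete, here is a minimal scanner, added to this post as an illustration and not code from any of the tools listed below. It checks C source against a small table of the risky calls named above; the table, the severities and the sample C snippet are all constructed for the example, and it deliberately ignores calls that appear only inside comments or string literals, which is one of the first false-positive sources a real tool has to handle.

```python
import re

# Constructed signature table: risky C call -> (severity, reason).
# Real tools such as Flawfinder or RATS ship far larger databases.
RISKY_CALLS = {
    "gets":    ("high",   "no bound on input length; use fgets() with a size"),
    "strcpy":  ("high",   "unbounded copy; use a length-checked copy"),
    "strcat":  ("high",   "unbounded append; use a length-checked append"),
    "sprintf": ("medium", "unbounded formatted write; use snprintf()"),
    "scanf":   ("medium", "unbounded %s conversion; give every %s a width"),
}

# A bare identifier followed by '(' so that fgets() or my_strcpy()
# do not trigger the gets/strcpy signatures.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(RISKY_CALLS) + r")\s*\(")

# Comments and string literals; blanked out before matching.
NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)


def scan_c_source(source: str) -> list:
    """Return one finding per risky call: line, call, severity, reason."""
    # Replace comment/string characters with spaces but keep newlines,
    # so reported line numbers still refer to the original file.
    stripped = NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    findings = []
    for lineno, line in enumerate(stripped.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            severity, reason = RISKY_CALLS[name]
            findings.append({"line": lineno, "call": name,
                             "severity": severity, "reason": reason})
    return findings


# Constructed sample input: a small C function with three real hits,
# one safe look-alike (fgets) and two decoys (comment, string literal).
SAMPLE = """\
#include <stdio.h>
#include <string.h>

/* strcpy() mentioned in a comment must not be reported */
void greet(const char *name) {
    char buf[32];
    char line[64];
    strcpy(buf, name);
    fgets(line, sizeof line, stdin);
    sprintf(buf, "hello %s", name);
    puts("gets(");
    gets(line);
}
"""

if __name__ == "__main__":
    for f in scan_c_source(SAMPLE):
        print(f"line {f['line']}: {f['call']}() [{f['severity']}] {f['reason']}")
```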

Automated Source Code Security Vulnerability Scanners
There are intelligent tools available to help you examine large amounts of source code for security vulnerabilities.

Flawfinder: examines source code and reports possible security vulnerabilities.
RATS (from Secure Software Solutions): scans C, C++, Perl, PHP and Python source code for potential security vulnerabilities.
ITS4 (from Cigital): scans source code looking for potentially vulnerable function calls and performs source code analysis to determine the level of risk.
PScan: a limited problem scanner for C source files.
BOON: Buffer Overrun detectiON.
MOPS: MOdelchecking Programs for Security properties.
Cqual: a tool for adding type qualifiers to C.
MC: Meta-Level Compilation.
SLAM: from Microsoft.
ESC/Java: Extended Static Checking for Java.
Splint: Secure Programming Lint.
MOPED: a model checker for pushdown systems.
JCAVE: JavaCard Applet Verification Environment.
The Boop Toolkit: utilizes abstraction and refinement to determine the reachability of program points in a C program.
Blast: Berkeley Lazy Abstraction Software Verification Tool.
Uno: a simple tool for source code analysis.
PMD: scans Java source code and looks for potential problems.
C++ Test: unit testing and static analysis tool.
