Code analysis and security audit (tools)


Software | RATS - Rough Auditing Tool for Security

Welcome to RATS - Rough Auditing Tool for Security. RATS is an open source tool developed and maintained by Secure Software security engineers. Secure Software was acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. https://www.fortify.com/ssa-elements/threat-intelligence/rats.html
http://www.scovetta.com/yasca.html

Yasca - Scovetta.com

Yasca is a source code analysis tool that I started writing in 2007. It could best be described as a "glorified grep script" plus an aggregator of other open-source tools. Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages. Yasca can integrate easily with other tools, including:
http://www.justanotherhacker.com/projects/graudit.html GRAUDIT Graudit is a simple script and set of signatures that allow you to find potential security flaws in source code using the GNU utility grep. It is comparable to other static analysis applications like RATS, SWAAT and Flawfinder while keeping the technical requirements to a minimum and being very flexible. Graudit supports scanning code written in several languages: ASP, JSP, Perl, PHP and Python.

Graudit - Just Another Hacker

http://artho.com/jlint/ Jlint 3.0 Jlint will check your Java code and find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph. Jlint is extremely fast - even on large projects, it requires only to check all classes! It is easy to learn and requires no changes to the class files. Jlint has been used in an industrial environment and successfully uncovered faults with little effort! This version of Jlint is the extended version featuring some improved synchronization checks.

Jlint

PHP-sat: PHP static analysis tool

http://www.program-transformation.org/PHP/PhpSat Static analysis for PHP

Features

Some of the (unique) features of PHP-sat are:
- Documented bug patterns
- Configurable security check
- Option to preserve comments
- Pretty printer
- Automatic inclusion of files

Tools

Tools that are included in the package are:
- php-sat
- php-sat-config
- pp-php-sat
http://manuel-pichler.de/pages/pdepend.html To provide flexible and extensible software, it is good OO practice to reduce the dependencies between implementing classes. This can be achieved by developing against abstractions, meaning both abstract classes and interfaces. By using abstractions instead of concrete implementations in the application you provide a sort of contract that others can use to hook into the application with their own classes that fulfil the contract. Besides the extensibility of an application, a good abstraction reduces the risk of breakage in multiple subsystems when something is changed in a single package. But how do you get rid of all these dependencies? Doing this by hand becomes an impossible job, at least for larger projects.

Track your dependencies with PHP_Depend - Manuel Pichler

Documentation

Code coverage tells you which lines of a script (or set of scripts) have been executed during a request. With this information you can, for example, find out how good your unit tests are. array xdebug_get_code_coverage() http://www.xdebug.org/docs/code_coverage
Xdebug allows you to log all function calls, including parameters and return values, to a file in different formats. These so-called "function traces" can help when you are new to an application or when you are trying to figure out what exactly is going on while your application is running. The function traces can optionally also show the values of variables passed to the functions and methods, as well as return values. In the default traces those two elements are not available. There are three output formats. http://www.xdebug.org/docs/execution_trace

Documentation

Pixy: XSS and SQLI Scanner for PHP

http://pixybox.seclab.tuwien.ac.at/pixy/ Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities are present in many modern web applications, and are reported continuously on pages such as BugTraq. In the past, finding such vulnerabilities usually involved manual source code audits. Unfortunately, this manual vulnerability search is a very tiresome and error-prone task.
http://www.nwiresoftware.com/products/nwire-php

nWire for PHP | PHP Code Analysis Plugin for Eclipse

"nWire enabled me (in real-time) to look at variable-related context (reading, changing, inheritance, other files...) in a way I couldn't imagine before. This is really nice if you've got 100K+ lines of code without knowing much about it, but must do something with it. In just a few hours one can get an understanding of the code relations..."
Black Duck plans to integrate the SpikeSource products and services into its offerings. The SpikeForge open source projects are being migrated to other forges, and we're encouraging members of the Developer Zone to join developers on Ohloh.net, Black Duck's open source project directory and community. As mentioned on the Developer Zone homepage, we will be discontinuing the SpikeSource website and the Developer Zone starting January 9, 2011. If you are looking for another SpikeForge project, please contact us at spikesource@blackducksoftware.com.

phpsecaudit - Spike Developer Zone

PHPLint

Current version: 1.1_20120402 PHPLint is a validator and documentator for PHP 4 and PHP 5 programs. PHPLint extends the PHP language through transparent meta-code that can drive the parser to an even stricter check of the source.
A semi-automated, largely passive web application security audit tool, optimized for accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. It detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more. Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

ratproxy - semi automated audit tool for web 2.0

SecCom Labs » Exploit-Me

Exploit-Me is a suite of Firefox web application security testing tools designed to be lightweight and easy to use. The Exploit-Me series was originally introduced at the SecTor conference in Toronto. The slides for the presentation are available for download. Along with this, SecTor is making the audio of the talk available. XSS-Me
Written and maintained by: Michal Zalewski, Niels Heinen and Sebastian Roschke. Copyright 2009 - 2012 Google Inc, all rights reserved. Released under the terms and conditions of the Apache License, version 2.0. What is skipfish?

SkipfishDoc - skipfish - Project documentation - Project Hosting on Google Code