Security source code assessment tools 2008

I’ve been collecting a list of security source code assessment tools built to analyze your code (C/C++, Java, .NET, PHP and others). I hope the list below helps you choose the best security source code assessment tool for you:

PMD
URL: http://sourceforge.net/projects/pmd
Java-based static analysis tool
Intended to find correctness and complexity issues; also finds some security issues

FindBugs
URL: http://findbugs.sourceforge.net/
Java-based static analysis tool
Intended to find correctness issues; also identifies some security issues
JeSS
URL: http://sourceforge.net/project/showfiles.php?group_id=141386
JeSS is a plugin for the Eclipse IDE. It is a static security scanner for Java source code. The plugin builds an AST for the source code and then uses the visitor pattern to find patterns in the AST that could be security bugs.

milk
URL: http://milk.sourceforge.net/
Milk is a security source code assessment tool that uses Orizon as its API. Milk scans Java and .NET source files to perform a security code review, pointing out misuse of safe coding best practices.

BogoSec: Source Code Security Quality Metric
URL: http://bogosec.sourceforge.net/
BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively.
Users can also benefit from BogoSec in another way: comparing different available packages, or consecutive releases of one package, and identifying trends in their security level lets users make more educated software choices.

BogoSec is a pluggable, flexible framework. It currently has plugins to support the following three scanners:

Flawfinder http://www.dwheeler.com/flawfinder/
RATS http://www.securesw.com/rats/
ITS4 http://www.cigital.com/its4/

Hammurapi
URL: http://www.hammurapi.org/

There are a lot of tools for code analysis, not only for Java and .NET but also for ASP, PHP, C and so on. Enjoy: http://www.nosec.org/web/index.php?q=codereview

(SWAAT), you can download it from our site: http://securitycompass.com/inner_swaat.shtml

There’s some good material from the speaker at the last OWASP-Austin (TX) meeting. He has links to open source Java and .Net static analysis tools. The presentation also includes some general info on static vs dynamic analysis: http://denimgroup.typepad.com/denim_group/2008/03/static-analysis.html

From this presentation:

• FindBugs (Java) findbugs.sourceforge.net

• PMD (Java) pmd.sourceforge.net

• FxCop (.NET) www.gotdotnet.com/Team/FxCop/
FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines.
http://www.microsoft.com/downloads/details.aspx?familyid=3389F7E4-0E55-4A4D-BC74-4AEABB17997B&displaylang=en

• XSSDetect (.NET) blogs.msdn.com/ace_team/archive/2007/10/22/xssdetect-public-beta-now-available.aspx

Commercial Products:

I got a few recommendations for Fortify http://www.fortifysoftware.com
I got a couple of recommendations for XSS Detect for .NET as well. This beta version appears free to download, at least for now.
XSSDetect http://www.microsoft.com/downloads/details.aspx?FamilyID=19a9e348-bdb9-45b3-a1b7-44ccdcb7cfbe&displaylang=en

XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such “sanitized” paths.
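The JeSS and XSSDetect descriptions above outline the same basic technique: walk the program's AST with a visitor, and follow dataflow from sources of user-controlled input to dangerous sinks while ignoring paths that pass through a sanitizer. The block below is an added example, not code from any tool on this list, that implements a toy version of that analysis over Python source with the standard `ast` module. The `SOURCES`, `SINKS` and `SANITIZERS` tables and the `SAMPLE` program are constructed for illustration; the tracker only follows straight-line assignments and string building (concatenation and f-strings) in one body, with no branches, calls between functions or field accesses, which is where the real tools do most of their work.

```python
import ast

# Constructed rule tables for this toy scanner (hypothetical, not taken from
# any of the tools on the page): where user-controlled data enters, which
# calls are dangerous to reach with it, and which calls neutralise it.
SOURCES = {"input", "request.args.get"}
SINKS = {"eval", "os.system", "cursor.execute"}
SANITIZERS = {"html.escape", "shlex.quote"}


def call_name(node):
    """Dotted name of a call target ('os.system', 'input'), or None if dynamic."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


class TaintVisitor(ast.NodeVisitor):
    """Walks the AST once, tracking which names currently hold tainted data."""

    def __init__(self):
        self.tainted = set()   # variable names holding user-controlled data
        self.findings = []     # (line, sink) pairs where taint reached a sink

    def is_tainted(self, node):
        """Does this expression carry user-controlled data through to its value?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in SOURCES:
                return True
            if name in SANITIZERS:          # sanitised path: stop tracking here
                return False
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):     # string concatenation
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f-string interpolation
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        # Taint flows into the assigned name, or is cleared by a clean value.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = call_name(node)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def scan(source):
    """Return [(line, sink_name), ...] for every sink reached by unsanitised input."""
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample program to scan; it is only parsed, never executed.
SAMPLE = '''
import os, html
name = input("name? ")
os.system("echo " + name)
safe = html.escape(name)
os.system("echo " + safe)
greeting = "hello"
eval(greeting)
query = f"SELECT * FROM users WHERE name = '{name}'"
cursor.execute(query)
'''

if __name__ == "__main__":
    for line, sink in scan(SAMPLE):
        print(f"line {line}: user-controlled data reaches {sink}()")
```

Running it reports lines 4 and 10 of the sample and stays silent on line 6, where the value went through `html.escape`, and on line 8, where `eval` receives a constant. That is the "ignore sanitised paths" behaviour the XSSDetect description mentions, and the reason such tools keep a list of recognised encoders: an encoder the tool does not know about shows up as a false positive, and a custom sanitizer that does not actually neutralise the data shows up as nothing at all.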

Original source: webappsec mailing list


4 Responses to “Security source code assessment tools 2008”

  2. sweet, as I didn’t find anything when I typed “fuzzer” in google-sama :)

  3. thanks ;)

  4. hahaha some for linux :)
