24 June, 2008

List of Source Code Auditing tools

Name - [ language/s supported ] - web link:

.TEST - [ C#, VB.NET, MC++ ] - http://www.parasoft.com/jsp/products.jsp

ASTRÉE - [ C ] - http://www.astree.ens.fr

Bandera - [ Java ] - http://bandera.projects.cis.ksu.edu/

BLAST - [ C ] - http://mtc.epfl.ch/software-tools/blast/

BOON - [ C ] - http://www.cs.berkeley.edu/~daw/boon/

C Code Analyzer (CCA) - [ C ] - http://www.drugphish.ch/~jonny/cca.html

C++test - [ C++ ] - http://www.parasoft.com/jsp/products.jsp

CCMetrics - [ C#, VB.NET ] - http://www.serviceframework.com/jwss/utility,ccmetrics,utility.aspx

Checkstyle - [ Java ] - http://checkstyle.sourceforge.net/

CodeCenter - [ C ] - http://www.ics.com/products/centerline/codecenter/features.html

CodeScan - [ .ASP, PHP ] - http://www.codescan.com/

CodeSecure - [ PHP, Java ] - http://www.armorize.com/corpweb/en/products/codesecure

CodeSonar - [ C, C++ ] - http://www.grammatech.com/products/codesonar/overview.html

CQual - [ C ] - http://www.cs.umd.edu/~jfoster/cqual

Csur - [ C ] - http://www.lsv.ens-cachan.fr/csur/

Dehydra - [ C++ ] - http://wiki.mozilla.org/Dehydra_GCC

DevInspect - [ C#, Visual Basic, JavaScript, VB Script ] - http://www.spidynamics.com/products/devinspect/

DevPartner SecurityChecker - [ C#, Visual Basic ] - http://www.compuware.com/products/devpartner/securitychecker.htm

DoubleCheck - [ C, C++ ] - http://www.ghs.com/products/doublecheck.html

FindBugs - [ Java ] - http://findbugs.sourceforge.net/

FlawFinder - [ C, C++ ] - http://www.dwheeler.com/flawfinder/

Fluid - [ Java ] - http://www.fluid.cs.cmu.edu/

Frama-C - [ C ] - http://frama-c.cea.fr/

ftnchek - [ FORTRAN ] - http://www.dsm.fordham.edu/~ftnchek/

FxCop - [ .NET ] - http://code.msdn.microsoft.com/codeanalysis

g95-xml - [ FORTRAN ] - http://g95-xml.sourceforge.net/

ITS4 - [ C, C++ ] - http://www.cigital.com/its4/

Jlint - [ Java ] - http://artho.com/jlint/

JsLint - [ JavaScript ] - http://www.jslint.com/

Jtest - [ Java ] - http://www.parasoft.com/jsp/products.jsp

KlocWork / K7 - [ C, C++, Java ] - http://www.klocwork.com/products/k7_security.asp

LAPSE - [ Java ] - http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project

MOPS - [ C ] - http://www.cs.berkeley.edu/~daw/mops/

MSSCASI - [ ASP ] - http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en

MZTools - [ VB6, VBA ] - http://www.mztools.com/index.aspx/

Oink - [ C++ ] - http://www.cubewano.org/oink

Ounce - [ C, C++, Java, JSP, ASP.NET, VB.NET, C# ] - http://www.ouncelabs.com/accurate-complete-results.html

Perl-Critic - [ Perl ] - http://search.cpan.org/dist/Perl-Critic/

PLSQLScanner 2008 - [ PLSQL ] - http://www.red-database-security.com/software/plsqlscanner.html

PHP-Sat - [ PHP ] - http://www.program-transformation.org/PHP/PhpSat

Pixy - [ PHP ] - http://pixybox.seclab.tuwien.ac.at/pixy/index.php

PMD - [ Java ] - http://pmd.sourceforge.net/

PolySpace - [ Ada, C, C++ ] - http://www.polyspace.com/products.htm

PREfix & PREfast - [ C, C++ ] - http://support.microsoft.com/vst

Prevent - [ C, C++ ] - http://www.coverity.com/html/coverity-software-quality-products.html

PyChecker - [ Python ] - http://pychecker.sourceforge.net/

pylint - [ Python ] - http://www.logilab.org/project/pylint

QA-C, QA-C++, QA-J - [ C, C++, Java, FORTRAN ] - http://www.programmingresearch.com/PRODUCTS.html

QualityChecker - [ Visual Basic 6 ] - http://d.cr.free.fr/

RATS - [ C, C++, Perl, PHP, Python ] - http://www.fortify.com/security-resources/rats.jsp

RSM - [ C, C++, C#, Java ] - http://msquaredtechnologies.com/m2rsm/

Smatch - [ C ] - http://smatch.sourceforge.net/

SCA - [ ASP.NET, C, C++, C#, Java, JSP, PL/SQL, T-SQL, VB.NET, XML ] - http://www.fortifysoftware.com/products/sca/

Skavenger - [ PHP ] - http://code.google.com/p/skavenger/

smarty-lint - [ PHP ] - http://code.google.com/p/smarty-lint/

soot - [ Java ] - http://www.sable.mcgill.ca/soot/

Source Monitor - [ C#, VB.NET ] - http://www.campwoodsw.com/sm20.html

SPARK - [ Ada ] - http://www.praxis-his.com/sparkada/spark.asp

Spike PHP Security Audit Tool - [ PHP ] - http://developer.spikesource.com/projects/phpsecaudit/

Splint - [ C ] - http://www.splint.org/

SWAAT - [ PHP, ASP.NET, JSP, Java ] - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project

UNO - [ C ] - http://spinroot.com/uno/

vil - [ C#, VB.NET ] - http://www.1bot.com/

Viva64 - [ C++ ] - http://www.viva64.com/

xg++ - [ C ] - http://www.stanford.edu/~engler/mc-osdi.pdf

YTKScan Java - [ Java ] - http://www.cam.org/~droujav/y2k/Y2KScan.html


t00t w00t ;)

23 June, 2008

Risk assessment

Risk assessment is a common first step in a risk management process. Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat.

http://en.wikipedia.org/wiki/Risk_assessment