Static Code Analysis

blue-infinity 3,840 views 25 slides Apr 07, 2011

About This Presentation

Find your bugs before someone else does!


Slide Content

Source Code: Find your bugs before someone else does! by Thomas Hofer

About me…
- Thomas Hofer, Consultant (blue-infinity, Geneva)
- Skills: static analysis, solution architecture, software engineering (Java – Rails – PHP)

Outline
Simple means to improve your code quality!
- Introduction
- Motivation
- Static source code analyzers
- Recommendations: our criteria, selected tools
- Additional information

Reasons for this research
- CERN is a prized target: a renowned Internet Exchange Point
- However: any website could be targeted!
- Potentially undesirable consequences of an attack:
  - Loss of confidentiality
  - Damaged reputation
  - Loss of data

Security: when to care about it?
- Creating / managing: documents, web pages, hardware, services
- Development: software, web applications

Development and Security
- Training (before)
- Code review (right after)
- Vulnerability scanning (after)

Development and Security
- Training (before)
- Static source code analysis (during and after)
- Code review (right after)
- Vulnerability scanning (after)

Security and me…
- What can YOU do about it… without sacrificing your deadlines?
- Static analysis: the earlier a bug is caught, the cheaper it is to fix!

Static source code analysis
A static source code analyzer:
- Reads your source code but… won’t execute or compile it (usually)!
- Looks for possible errors regarding security, reliability and functionality

What can they do?
A static source code analyzer can:
- Look for known and common errors
- Sometimes suggest fixes or improvements
- Offer help in finding bugs
- Find many kinds of bugs, not only security-related ones

What can they not do?
A static source code analyzer cannot:
- ‘Automagically’ fix bugs
- Find all bugs (i.e. there are false negatives)
- Find only bugs (i.e. there are false positives)

Our criteria / requirements
- Quick results
- Very low ‘false alarm’ rate
- Ease of use
- At least some results…

Overview of selected tools
- Perl: Perl::Critic, RATS
- Java: FindBugs, CodePro Analytix
- PHP: Pixy, RATS
- C / C++: Flawfinder, RATS, Coverity
- Python: RATS, pychecker, pylint

Flawfinder
- C / C++
- Freeware / Unix
- Finds calls to commonly misused functions…
- http://cern.ch/security/recommendations/en/codetools/flawfinder.shtml

FindBugs
- Java
- Freeware / Eclipse plugin
- Very flexible, with the ability to define custom rules…
- http://cern.ch/security/recommendations/en/codetools/findbugs.shtml

CodePro Analytix
- Java
- Freeware / Google Web Toolkit
- As flexible as FindBugs, also with the ability to define your own rules
- http://code.google.com/javadevtools/codepro/doc/index.html

Perl::Critic
- Perl
- Freeware / Unix – Perl module
- Best practices: style and security
- Demo
- http://cern.ch/security/recommendations/en/codetools/perl_critic.shtml

Pixy
- PHP
- Freeware / Unix
- XSS & SQLi
- http://cern.ch/security/recommendations/en/codetools/pixy.shtml

RATS
- C / C++ / Perl (and, partially, Python and PHP)
- Freeware
- Finds calls to commonly misused functions
- http://cern.ch/security/recommendations/en/codetools/rats.shtml

What else?
‘Ok, now that I have used this tool, I should be safe…’
- Tools are not enough!
- Even the best tool will miss the most sophisticated errors
- Sensitive projects should be reviewed ‘manually’ by experts

A Fool with a Tool is still a Fool!
‘A fool with a tool is still a fool!’, D. Wheeler
The code excerpt below was found in RealPlayer, in 2005 (CVE-2005-0455):

    char tmp[256];             /* Flawfinder: ignore */
    strcpy(tmp, pScreenSize);  /* Flawfinder: ignore */
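The following Python block is an added example, not code from the slides or from Flawfinder or RATS. It is a toy pattern-based analyzer that does what the "what can they do / not do" slides describe and what the RealPlayer excerpt illustrates: it flags calls to commonly misused C functions by textual pattern, honours a Flawfinder-style ignore comment, and keeps suppressed hits in a separate audit list instead of discarding them. The rule table and the C sample it scans are constructed for this example; `copy_unchecked` is a hypothetical helper that stands in for any wrapper a rule-based tool has never heard of.

```python
"""Toy pattern-based analyzer in the spirit of Flawfinder/RATS.
Added example: not code from the slides or from either tool."""
import re
from dataclasses import dataclass

# Constructed rule table: function -> why a call to it is flagged.
# Real tools ship far larger tables; this one is enough to show the idea.
RULES = {
    "gets":    "reads unbounded input; no safe use exists",
    "strcpy":  "unbounded copy; destination size is never checked",
    "strcat":  "unbounded append; destination size is never checked",
    "sprintf": "unbounded formatting; prefer snprintf with the buffer size",
}

# \b keeps snprintf( from matching the sprintf rule.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
# Flawfinder-style suppression comment, tolerant of the spacing seen on the slide.
IGNORE_RE = re.compile(r"/\*\s*Flawfinder\s*:\s*ignore\s*\*/", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    func: str
    message: str
    suppressed: bool   # True when an ignore comment sits on the same line
    text: str


def analyze(source: str) -> list[Finding]:
    """Static scan: the source is never compiled or executed, so the tool
    only sees text. It cannot know buffer sizes or follow custom wrappers,
    which is where its false positives and false negatives come from."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        suppressed = bool(IGNORE_RE.search(line))
        for match in CALL_RE.finditer(line):
            func = match.group(1)
            findings.append(Finding(line_no, func, RULES[func], suppressed, line.strip()))
    return findings


def active(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if not f.suppressed]


def suppressed(findings: list[Finding]) -> list[Finding]:
    # Suppressions are kept, not dropped: a reviewer must confirm each one.
    return [f for f in findings if f.suppressed]


def report(findings: list[Finding]) -> str:
    lines = [f"line {f.line_no}: {f.func}: {f.message}" for f in active(findings)]
    lines += [f"line {f.line_no}: {f.func}: suppressed by comment, needs reviewer sign-off: {f.text}"
              for f in suppressed(findings)]
    return "\n".join(lines)


# Constructed C sample. The first function mirrors the shape of the RealPlayer
# excerpt on the slide: the ignore comments silence the tool but do not bound the copy.
SAMPLE = r'''
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void set_screen_size(const char *pScreenSize)
{
    char tmp[256];                 /* Flawfinder : ignore */
    strcpy(tmp, pScreenSize);      /* Flawfinder : ignore */
}

/* Hardened form: refuse input that would not fit, then copy with a bound. */
int set_screen_size_safe(char *tmp, size_t tmp_len, const char *pScreenSize)
{
    if (strlen(pScreenSize) >= tmp_len)
        return -1;
    snprintf(tmp, tmp_len, "%s", pScreenSize);   /* bounded: not flagged */
    return 0;
}

void greet(char *out)
{
    strcpy(out, "hi");                    /* constant source: a false positive */
    copy_unchecked(out, getenv("NAME"));  /* hypothetical helper: a false negative */
}
'''

if __name__ == "__main__":
    print(report(analyze(SAMPLE)))
```

Running it lists one active finding (the constant-source `strcpy`, a false positive a human dismisses in seconds), one suppressed finding (the RealPlayer-shaped copy, which the comment hid from the tool but which the audit list still surfaces), and nothing at all for the unknown wrapper, which is the false-negative case. That mismatch between textual patterns and program semantics is why the slides pair tool output with manual review of sensitive code.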

Further information
http://cern.ch/security/recommendations/en/code_tools.shtml
- Presentation of the tools
- Installation, configuration and usage advice
- Explanation of some common errors
- Advice for developing more secure software

Thank you! To contact me: [email protected]