SoftwareSecurity2014/Group 4/Code Scanning Reflection


FORTIFY

The Fortify Static Code Analysis tool performs static analysis on a set of source-code input files. The command-line tool alerts the user to all kinds of vulnerabilities or flaws in the program being analyzed, and it can analyze either a single file or an entire application consisting of many files.

Fortify is definitely a good tool to help us with input validation. The user interface is brilliant at listing all the vulnerabilities and giving all kinds of hints and suggestions about them. For each vulnerability it first gives the kind of weakness, e.g. cross-site scripting, followed by the category it belongs to, which for our evaluation was mostly input validation. Besides that, it provides details and recommendations for each vulnerability and even shows the relevant data-flow diagram, which helps us understand how the untrusted input reaches the vulnerable call. It also offers different classifications of the vulnerabilities and the possibility to search for the usage of any function or class. All these features help us to quickly locate the vulnerable code and trace the data flow easily.

The weakness of Fortify is that it lists a number of false positives, which increases the total number of warnings a lot. Meanwhile, there are also false negatives: Fortify misses some of the input validation requirements. This increased the overall workload, because we needed more manual checking for the level 2B evaluation.

RATS (ROUGH AUDITING TOOL FOR SECURITY)

RATS is a simple tool for scanning C, C++, Perl, PHP and Python (and soon Ruby) source code and flagging common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. Some of the race conditions it reports can be relevant to input validation, although they are really rare in web applications. The problem is that the total number of warnings RATS gives is far lower than Fortify's. Even worse, it produces many false positives and false negatives, so it gives only limited information to guide further manual inspection. Still, the tool was a great help to us.
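To make concrete what RATS looks for, here is an added example, written for this page and not taken from the group's project code or from RATS itself: the two error classes named above, each in the form RATS flags next to a form that avoids the defect. The function names, the 16-byte buffer size, the scratch file path and the sample inputs are this example's own assumptions.

```c
/* Added example: the two flaw classes RATS flags (buffer overflow, TOCTOU),
 * each next to a form without the defect. Function names, the buffer size
 * and the sample inputs are this example's own, not from RATS or the project. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NAME_LEN 16   /* assumed fixed buffer size for a user name */

/* Flagged by RATS: strcpy() into a fixed-size buffer with no length check,
 * so a source longer than NAME_LEN - 1 bytes overflows dst. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: copy only if the NUL terminator lies within dst_len bytes
 * of src, so the result always fits and is always terminated.
 * Returns 1 on success, 0 when src does not fit (dst is left as ""). */
int copy_name_safe(char *dst, size_t dst_len, const char *src)
{
    const char *nul;
    if (dst_len == 0)
        return 0;
    nul = memchr(src, '\0', dst_len);   /* reads at most dst_len bytes of src */
    if (nul == NULL) {
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the NUL */
    return 1;
}

/* Flagged by RATS: access() followed by open() is a TOCTOU race. Between the
 * two calls another process can replace path (e.g. with a symlink to a file
 * the caller may not write), so the check says nothing about what open() gets. */
int open_for_writing_unsafe(const char *path)
{
    if (access(path, W_OK) != 0)
        return -1;
    return open(path, O_WRONLY);
}

/* Hardened form: open first, then inspect the descriptor with fstat(), so the
 * check and the use refer to the same open file and no window exists.
 * O_NOFOLLOW refuses a symlink as the final path component.
 * Returns the descriptor, or -1 with errno set. */
int open_for_writing_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

int main(void)
{
    char name[NAME_LEN];
    int ok;
    /* Constructed inputs: one name that fits, one that does not. */
    ok = copy_name_safe(name, sizeof name, "alice");
    printf("short name copied: %d -> \"%s\"\n", ok, name);
    ok = copy_name_safe(name, sizeof name, "0123456789abcdef");
    printf("long name copied:  %d -> \"%s\"\n", ok, name);

    char tmpl[] = "/tmp/rats_exampleXXXXXX";   /* scratch file for the open() demo */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 1;
    close(fd);
    fd = open_for_writing_safe(tmpl);
    printf("regular file opened: %s\n", fd >= 0 ? "yes" : "no");
    if (fd >= 0)
        close(fd);
    unlink(tmpl);
    printf("directory refused: %s\n", open_for_writing_safe("/tmp") == -1 ? "yes" : "no");
    return 0;
}
```

Running RATS over this file (e.g. `rats -w 3 rats_example.c`) reports the strcpy() call and the access() check in the unsafe functions; the hardened functions are not reported because no unbounded copy and no check-then-use pair on a path remain.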