Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: tools to scan source code
From: "Wahyu Wijaya H." <wahyu.w.h () gmail com>
Date: Wed, 13 Sep 2006 20:33:47 +0700

I've been evaluate SWAAT and it is adequately meet my needs. It
suggest 1 high severity, 324 medium severity, and 5 low severity from
the web-app. :)

It still telling me to audit manually... but at least I know where to
start and it really safe my time... so, seems like I have to stay out
of bed to enter the php world :) --just kidding--

I haven't try RATS, but I will try it soon.

"automated tools don't substitute humans anytime of the day"..  Kish
you're absolutely right.. but to gather a pen-test team is quite hard
for our condition now, the project owner is little strict on budget...
that's why I have to take all the responsibility for security by
myself.. *sigh* it's tiresome but it's part of the job :)

thanks to all for helping,

cheers. :)

On 9/13/06, Kish Pent <kish_pent () yahoo com> wrote:
Hello Wahyu,

I think a doctor should do surgery because he knows
how to do it, same way an application's source code
should be reviewed by penetration-test team to comply
with some methodology like owasp, not by the developer
because they learn to build software and pen-testers
know how to break software.

Second point is RATS - Rough Auditing tool for
Security by Secure Software
(http://www.securesw.com/rats) can audit PHP code too
(but it's not dependable it just analyzes source code
roughly)

Stefano :), you must see Security Forest's page which
says RATS can audit C,C++,Perl,PHP & Python source
code.(http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners)

I haven't tried SWAAT from Security compass though,
it's safe to bet on pen-test,because automated tools
don't substitute humans anytime of the day.

Cheers :)

--- Stefano Zanero <zanero () elet polimi it> wrote:

> Ric Messier wrote:
>
> > PHP is fairly C-like. If you know C, it's pretty
> easy to read PHP. However,
> > try RATS.
> http://www.securesoftware.com/download_rats.htm
>
> Are you suggesting that RATS (a source code scanner
> for C) would be able
> to detect security vulnerabilities in PHP ?
>
> That's a challenging proposition :)
>
> As far as I know, very little exist in the area of
> "source code
> auditing" for web application. Developing one is not
> easy (it's one of
> our research tasks at the moment)
>
> From what I've seen, the SWAAT tool mentioned
> elsewhere is little more
> than what you can obtain through grep...
>
> Best,
> Stefano

--- Stefano Zanero <zanero () elet polimi it> wrote:

> Ric Messier wrote:
>
> > PHP is fairly C-like. If you know C, it's pretty
> easy to read PHP. However,
> > try RATS.
> http://www.securesoftware.com/download_rats.htm
>
> Are you suggesting that RATS (a source code scanner
> for C) would be able
> to detect security vulnerabilities in PHP ?
>
> That's a challenging proposition :)
>
> As far as I know, very little exist in the area of
> "source code
> auditing" for web application. Developing one is not
> easy (it's one of
> our research tasks at the moment)
>
> From what I've seen, the SWAAT tool mentioned
> elsewhere is little more
> than what you can obtain through grep...
>
> Best,
> Stefano


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]