Code scanners recommendations
-
So there really aren't static code analysis tools that I know of that will really do what you're asking, as most OWASP vulnerabilities are based on a running configuration. The freeware that I'd recommend for someone that isn't familiar wil security scanning is the OWASP utility ZAP: [OWASP Zed Attack Proxy Project - OWASP](https://www.owasp.org/index.php/OWASP\_Zed\_Attack\_Proxy\_Project) There are, of course, other utilities, but if you have access to security professionals that are accustomed to running vulnerability scans, I would highly suggest making use of their expertise. If not, ZAP is definitely better than nothing, but needs to be run against an operating site. You can use it against a site running on IISExpress on your local machine.
"Never attribute to malice that which can be explained by stupidity." - Hanlon's Razor
-
I see. So, maybe OWASP is not the right term for what I need. I'll look into static code analysis. Thanks.
Everyone is born right handed. Only the strongest overcome it. Fight for left-handed rights and hand equality.
No, that's correct. OWASP is the organization that is dedicated to web security, and their top 10 are based on the most common vulnerabilities seen in the wild. The problem is that, generally, vulnerabilities can be difficult to identify from static (not currently executing) code. Some are obvious, like SQL injection, but most are not so easy to identify unless an application is actively executing, like MitM attacks or exploits that are based on malformed packets. You won't see these until they are used against your application, which is exactly what ZAP does.
"Never attribute to malice that which can be explained by stupidity." - Hanlon's Razor
-
1. post a question on Q&A 2. post your code as a reply many people will scan, critique and perhaps even improve it. 100% free.
This internet thing is amazing! Letting people use it: worst idea ever!
If you post it as a solution at SO, you will get a whole load more critique! (Though most of it will be from people who know a lot less than the OP does, I suspect)
Sent from my Amstrad PC 1640 Bad command or file name. Bad, bad command! Sit! Stay! Staaaay... AntiTwitter: @DalekDave is now a follower!
-
No, that's correct. OWASP is the organization that is dedicated to web security, and their top 10 are based on the most common vulnerabilities seen in the wild. The problem is that, generally, vulnerabilities can be difficult to identify from static (not currently executing) code. Some are obvious, like SQL injection, but most are not so easy to identify unless an application is actively executing, like MitM attacks or exploits that are based on malformed packets. You won't see these until they are used against your application, which is exactly what ZAP does.
"Never attribute to malice that which can be explained by stupidity." - Hanlon's Razor
-
Any recommendations on code scanners that check for security vulnerabilities? In particular the Top 10 OWASP vulnerabilities? I have never used one before so I'm not even sure what I'm looking for. Something that can scan code, preferably in Visual Studio, and can find security vulnerabilities. Any experience you can share would be helpful. Thanks.
Everyone is born right handed. Only the strongest overcome it. Fight for left-handed rights and hand equality.
something like Black Duck? Open Source Security & License Compliance | Black Duck Software[^]
-
something like Black Duck? Open Source Security & License Compliance | Black Duck Software[^]
It looks like Black Duck helps you manage which Open Source projects you are using in your code. I didn't see anything that said it can scan your own code looking for issues. Perhaps I missed it?
Everyone is born right handed. Only the strongest overcome it. Fight for left-handed rights and hand equality.
-
Any recommendations on code scanners that check for security vulnerabilities? In particular the Top 10 OWASP vulnerabilities? I have never used one before so I'm not even sure what I'm looking for. Something that can scan code, preferably in Visual Studio, and can find security vulnerabilities. Any experience you can share would be helpful. Thanks.
Everyone is born right handed. Only the strongest overcome it. Fight for left-handed rights and hand equality.
did u check microsoft tools SDL Tools[^] and Coverity Scan Static Analysis[^] / Coverity - Wikipedia[^]
Caveat Emptor. "Progress doesn't come from early risers – progress is made by lazy men looking for easier ways to do things." Lazarus Long
-
It looks like Black Duck helps you manage which Open Source projects you are using in your code. I didn't see anything that said it can scan your own code looking for issues. Perhaps I missed it?
Everyone is born right handed. Only the strongest overcome it. Fight for left-handed rights and hand equality.
we use AppScan and Klocwork, for our static scans.
-
If you post it as a solution at SO, you will get a whole load more critique! (Though most of it will be from people who know a lot less than the OP does, I suspect)
Sent from my Amstrad PC 1640 Bad command or file name. Bad, bad command! Sit! Stay! Staaaay... AntiTwitter: @DalekDave is now a follower!
-
Any recommendations on code scanners that check for security vulnerabilities? In particular the Top 10 OWASP vulnerabilities? I have never used one before so I'm not even sure what I'm looking for. Something that can scan code, preferably in Visual Studio, and can find security vulnerabilities. Any experience you can share would be helpful. Thanks.
Everyone is born right handed. Only the strongest overcome it. Fight for left-handed rights and hand equality.
-
