16 March 2011, 12:50
Looking for static code analysis tools to find vulnerabilities
I am looking for static code analysis tools, for various programming languages, that find vulnerabilities by analyzing data flows, especially in web applications.

For clarity, one well-known example of such a tool that I know of is Pixy.

In short, such a tool scans the source code and tries to build a data flow graph. It then traces through that graph the paths of data that come from outside the program: from the user, from a database, from an external plug-in, and so on. If such data reaches an SQL query without checks or transformations, we have a vulnerability such as SQL injection. If it reaches the HTML output, we get XSS.
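The data-flow tracing described above, as an added example (not code from the original post and not how Pixy is implemented): a small taint tracker over Python's `ast` that marks outside data, follows it through assignments and string concatenation, and reports it when it reaches an SQL or HTML sink. The source, sink and sanitizer names (`request.args.get`, `cursor.execute`, `response.write`, `html.escape`) are assumptions chosen for the constructed sample.

```python
import ast

# Assumed source, sink and sanitizer names (not from the post or from Pixy).
ALL = {"SQL injection", "XSS"}
SOURCES = {"input", "request.args.get"}
SINKS = {"cursor.execute": "SQL injection", "response.write": "XSS"}
SANITIZERS = {"int": ALL, "html.escape": {"XSS"}}  # kinds each call neutralises

def taint(expr, env):
    """Return the vulnerability kinds for which this expression is still unsafe."""
    if isinstance(expr, ast.Name):
        return env.get(expr.id, set())
    name = ast.unparse(expr.func) if isinstance(expr, ast.Call) else None
    kinds = set(ALL) if name in SOURCES else set()
    for child in ast.iter_child_nodes(expr):  # concatenation, formatting, calls
        kinds |= taint(child, env)
    return kinds - SANITIZERS.get(name, set())

def scan(stmts, env, findings, nested=False):
    """Walk statements in order, propagating taint and reporting tainted sinks."""
    for stmt in stmts:
        if hasattr(stmt, "body"):  # if/for/while/def: descend into the block
            scan(stmt.body + getattr(stmt, "orelse", []), env, findings, True)
            continue
        for node in ast.walk(stmt):
            kind = SINKS.get(ast.unparse(node.func)) if isinstance(node, ast.Call) else None
            if kind and any(kind in taint(arg, env) for arg in node.args):
                findings.append((node.lineno, kind))
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    old = env.get(target.id, set()) if nested else set()  # branch may not run
                    env[target.id] = taint(stmt.value, env) | old
    return findings

# Constructed sample program to analyse (it is parsed, never executed).
SAMPLE = """\
name = request.args.get("name")
cursor.execute("SELECT * FROM users WHERE id = %d" % int(request.args.get("id")))
query = "SELECT * FROM users WHERE name = '" + name + "'"
cursor.execute(query)
response.write("<p>Hello " + name + "</p>")
response.write("<p>Hello " + html.escape(name) + "</p>")
cursor.execute("SELECT 1 WHERE n = '" + html.escape(name) + "'")
"""

def analyse(source):
    return scan(ast.parse(source).body, {}, [])
```

`analyse(SAMPLE)` reports sample lines 4 and 7 as SQL injection and line 5 as XSS; line 7 is flagged because HTML escaping does not make a value safe for an SQL query.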

Of course, such checks can be done by hand, analyzing the data flows with conventional call-graph tools, but these tools save a great deal of time by suggesting where to start digging.

Pixy works with PHP, and works fine, but for the sake of completeness I want to find similar tools for other languages (Perl, Python, Ruby, Java, .NET), or at least to understand whether any exist, that is, whether someone has already filled this niche or it is still open.

Please do not suggest tools for "normal" static analysis, which analyze only the control flow. I have looked at most of them, and they cope well with finding low-level problems such as uninitialized variables or deadlocks. I want to find tools that work at a higher level of abstraction, which is why I'm interested in the ones that know how to work with data flows.

Cross-posted from a personal blog
Added by: w1zard