
RE: [WEB SECURITY] Looking for feedback from companies that use static analysis security tools



I'd agree with Chris that a static code analysis scan is appropriately run on a nightly build.  We have some development teams abstract the scan one more layer to run on a separate server (asynchronously) with the build.  This way you see static code analysis results associated with each build version even though results might lag behind the build itself.  This is useful for large, global development teams working a large number of source code repository check-ins.

-Chad

-----Original Message-----
From: Matt Tesauro [mailto:matt.tesauro@xxxxxxxxxxxxxxx] 
Sent: Monday, October 05, 2009 10:31 AM
To: Jim Manico
Cc: Chris Weber; Dorothy Leibowitz; <websecurity@xxxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Looking for feedback from companies that use static analysis security tools

Depends.  Coding mistakes of yore (circa 2006) are still mistakes today.

LAPSE  [1] claims to handle:
* Parameter manipulation        * SQL injections
* Header manipulation           * Cross-site scripting
* Cookie poisoning              * HTTP splitting
* Command-line parameters       * Path traversal 

While there are new variations on those themes, assuming it finds those
in a sane manner, it could be quite useful - especially if you are
starting from zero.  So, generally speaking I'd say these things age
pretty well - depending on your level of sophistication.

Putting on my OWASP Global Project Committee hat, I should mention that
the source for LAPSE is currently AWOL, though you can get the Eclipse
plugin (supporting version 3.3.1) jar file still. [2]  So if you want or
need to see the source, you'll have to chase Benjamin Livshits down who
I think is now at Microsoft.  Maybe somebody has taken over the Griffin
Software Security Project at Stanford. [3] Though, looking at that path,
I'd say that hasn't happened.

[1] http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project

[2] http://suif.stanford.edu/~livshits/work/lapse/download.html

[3] http://suif.stanford.edu/~livshits/work/griffin/


-- 
-- Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On Sun, 2009-10-04 at 23:57 -0700, Jim Manico wrote:
> Lapse hasn't been touched in a few years. Is it really of any value
> today?
> 
> - Jim
> 
> On Sep 24, 2009, at 11:18 AM, "Chris Weber" <chris@xxxxxxxxxxxxx>
> wrote:
> 
> 
> 
> > You don't need to scan after every code modification - static
> > analysis typically gets run as part of a nightly build process in my
> > experience.  While in tandem, developers may run analysis locally
> > throughout the day if they choose using a combination of strict
> > compiler settings plus static code analysis.  With static analysis
> > results, I would recommend a triage process where someone can weed
> > out the false positives and prioritize the bugs before the devs have
> > to see them.   
> > 
> > You probably realize that there's no silver bullet solution, and you
> > may not need to spend a ton of money.  There are some free tools
> > available.  For example, if you're a Microsoft shop, they've made
> > their SDL Process templates available, which include IDE integration
> > with Visual Studio.  VSTS already has static analysis builtin with
> > PREfast, through the GUI or command line.  If you build ASP.NET
> > applications, then CAT.NET could serve you well.   If you build Java
> > J2EE applications then Ben Livshits' LAPSE might appeal to you.
> > 
> > However commercial products like Fortify, Ounce and the others
> > clearly have their place in terms of broad coverage, R&D, and
> > support contracts.
> > 
> > Chris Weber
> > 
> > Casaba Security, LLC 
> > 
> > Web: http://www.casabasecurity.com
> > 
> > Blog: http://www.lookout.net
> > 
> > 
> >  
> > 
> > From: Dorothy Leibowitz [mailto:dorothy.leibowitz@xxxxxxxxx] 
> > Sent: Thursday, September 24, 2009 9:12 AM
> > To: websecurity@xxxxxxxxxxxxx
> > Subject: [WEB SECURITY] Looking for feedback from companies that use
> > static analysis security tools
> > 
> > 
> >  
> > 
> > Hello,
> > 
> > I'm a software architect in my company (~50 developers). Right now,
> > we only use blackbox scanning, and penetration testing at the end of
> > the development process (either during QA or after the apps are
> > launched). We're looking to enhance our security process, by
> > performing static analysis during development, and I wanted to hear
> > other people's opinion on this.
> > 
> > It seems to me that current static analysis security tools (Fortify,
> > Ounce) are geared towards security testers, and not developers. For
> > example, the plug-in that is usually provided, does not have the
> > look & feel of standard IDEs - usually you have to scan your entire
> > code base, after every code modification, which can take a long
> > time, and frustrate developers. 
> > 
> > Are there any people on the list, with experience in integrating
> > static analysis tools for developers(!) and not for security
> > testers? I would love to hear your feedback and/or recommendations.
> > Do all of your developers use it, or maybe only team leaders have it
> > installed?
> > 
> > I appreciate your input.
> > D.L.
> > 
> > 
> >  
> > 
> > 

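As an added illustration of the workflow Chad and Chris describe (scan results tied to a build version, with a triage step that holds back already-reviewed false positives before developers see the rest), the following Python script is not part of any message in this thread. The findings, rule names, file paths and the triage baseline it uses are constructed sample data; the fingerprinting scheme is an assumption, not any tool's actual format.

```python
import hashlib
from typing import Dict, List

# Constructed sample findings, shaped like what a scanner might emit for one nightly build.
FINDINGS = [
    {"rule": "SQL_INJECTION", "file": "src/UserDao.java", "line": 88,
     "severity": "high", "snippet": 'stmt.execute("SELECT * FROM users WHERE id=" + id);'},
    {"rule": "XSS", "file": "src/Profile.jsp", "line": 12,
     "severity": "medium", "snippet": 'out.println(request.getParameter("name"));'},
    {"rule": "PATH_TRAVERSAL", "file": "src/Download.java", "line": 40,
     "severity": "high", "snippet": 'new File(baseDir, request.getParameter("f"));'},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def fingerprint(f: Dict) -> str:
    # Hash rule + file + whitespace-stripped code so a finding keeps its identity when
    # lines shift between builds; the line number is deliberately left out of the key.
    code = "".join(f["snippet"].split())
    return hashlib.sha256(f"{f['rule']}|{f['file']}|{code}".encode()).hexdigest()[:16]

def triage(findings: List[Dict], baseline: Dict[str, str], build_id: str) -> Dict:
    """Split one build's findings into what developers should see and what was already
    reviewed. baseline maps fingerprint -> verdict ("false_positive" or "accepted_risk")."""
    open_findings, suppressed = [], []
    for f in findings:
        fp = fingerprint(f)
        verdict = baseline.get(fp)
        if verdict:
            suppressed.append({**f, "fingerprint": fp, "verdict": verdict})
        else:
            open_findings.append({**f, "fingerprint": fp})
    # Highest severity first, then a stable file/line order for a readable report.
    open_findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["file"], f["line"]))
    return {"build": build_id, "open": open_findings, "suppressed": suppressed}

# Constructed baseline: the XSS finding was reviewed in an earlier build and marked a
# false positive, so it stays out of the developer-facing report for later builds.
BASELINE = {fingerprint(FINDINGS[1]): "false_positive"}

if __name__ == "__main__":
    report = triage(FINDINGS, BASELINE, build_id="nightly-2009-10-05")
    for f in report["open"]:
        print(report["build"], f["severity"], f["rule"], f"{f['file']}:{f['line']}")
    print(f"suppressed by triage baseline: {len(report['suppressed'])}")
```

Because results are keyed by build id rather than overwritten, a report that lags the build (as in the asynchronous setup Chad mentions) still lines up with the version it scanned.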
Brought to you by http://www.webappsec.org