Category:Source Code Scanners
From SecurityForest
- Flawfinder
: Analyzes code for security risks
- Flawfinder is a source code scanner for C and C++ code. It scans the source it is given and reports patterns that suggest a security vulnerability; by default the findings are sorted from the most to the least likely security risk. Flawfinder is written in Python and released under the GNU General Public License (GPL).
- http://www.dwheeler.com/flawfinder
- Rats
: Rough Auditing Tool
- RATS (Rough Auditing Tool for Security) is an open source tool developed and maintained by Secure Software security engineers. It scans C, C++, Perl, PHP and Python source code and flags common security-related programming errors such as buffer overflows and TOCTOU (time-of-check, time-of-use) race conditions. Note: Expat (http://expat.sourceforge.net) is required.
- http://www.securesw.com/rats
- ITS4
: Software Security Tool
- ITS4 scans source code, looking for function calls that are potentially dangerous. For some calls, ITS4 performs additional analysis to estimate how risky the call is. In each case, ITS4 produces a problem report with a short description of the potential problem and suggestions on how to fix the code.
- http://www.cigital.com/its4
- Blast
: Berkeley Lazy Abstraction Software Verification Tool
- BLAST is a software model checker for C programs. Its goal is to check that software satisfies behavioral properties of the interfaces it uses. BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model, which is then model-checked for safety properties. The abstraction is constructed on the fly, and only to the precision required. License: BSD-ish
- http://www-cad.eecs.berkeley.edu/~blast/
- Splint
: Secure Programming Lint
- Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint. License: GPL
- http://www.splint.org/
- CodeAssure Workbench
: Secure Software's (John Viega's outfit) first offering
- CodeAssure Workbench delivers on-demand, automated discovery and assessment of security vulnerabilities and policy violations in application source code. With supporting CodeAssure Language Packs, CodeAssure Workbench supports analysis and assessments of programs written in Java, C, and C++. License: Commercial
- http://www.securesoftware.com/products/source.html
- Fortify
: Source analysis and attack simulation
- Fortify Software's source code analysis software pinpoints security vulnerabilities throughout the entire code base, either as an integral part of the development cycle or as part of software security audits. License: Commercial
- http://www.fortifysoftware.com/
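Flawfinder, RATS and ITS4 above all work the same way at heart: tokenise the source, look each function call up in a table of known-risky routines, and rank the hits, with some per-call analysis (a constant source string, for instance) to adjust the risk. The block below is an added example written for this page to show that mechanism; it is not code from any of those projects. Its rule table is a small illustrative subset with assumed risk levels, and the C input it scans is constructed for the example.

```python
"""Minimal Flawfinder/RATS/ITS4-style scanner: flag known-risky C calls, rank them.
Added example for this page, not any tool's code; rule table and risks are assumed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line risk func message")
# Assumed rule table: function name -> (risk 0..5, advice).
RULES = {
    "gets":    (5, "no bound at all; use fgets"),
    "strcpy":  (4, "unbounded copy into dst; use snprintf or strlcpy"),
    "strcat":  (4, "unbounded append to dst; use snprintf or strlcat"),
    "sprintf": (4, "unbounded write into dst; use snprintf"),
    "access":  (4, "TOCTOU: check-then-use race; open the file, then check the fd"),
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")  # identifier followed by '('
CONST_STR_RE = re.compile(r'^"[^"]*"$')         # argument is one string literal

def blank_comments_and_strings(src):
    """Replace comment and literal contents with spaces; keep newlines (line numbers)
    and quotes (so a constant-string argument is still recognisable)."""
    out, i, state = [], 0, "code"
    while i < len(src):
        c, nxt = src[i], src[i + 1:i + 2]
        if state == "code":
            if c + nxt in ("/*", "//"):
                state = "block" if nxt == "*" else "line"
                out.append("  "); i += 2; continue
            if c in "\"'":
                state = c                      # the quote that will close it
            out.append(c)
        elif state == "block":
            if c + nxt == "*/":
                state = "code"; out.append("  "); i += 2; continue
            out.append(c if c == "\n" else " ")
        elif state == "line":
            if c == "\n":
                state = "code"
            out.append(c if c == "\n" else " ")
        else:                                  # inside "..." or '...'
            if c == "\\":
                out.append("  "); i += 2; continue   # skip the escaped char
            if c == state:
                state = "code"; out.append(c)
            else:
                out.append(c if c == "\n" else " ")
        i += 1
    return "".join(out)

def split_args(call_tail):
    """Split the text after '(' into top-level arguments up to the matching ')'."""
    depth, cur, args = 0, [], []
    for ch in call_tail:
        if ch == ")" and depth == 0:
            break
        if ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    args.append("".join(cur).strip())
    return args

def scan(src):
    """Return Findings, highest risk first (Flawfinder's default order). strcpy/strcat
    from a string constant is downgraded, a small taste of ITS4-style per-call analysis."""
    findings = []
    for lineno, line in enumerate(blank_comments_and_strings(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            if func not in RULES:
                continue
            risk, msg = RULES[func]
            args = split_args(line[m.end():])
            if func in ("strcpy", "strcat") and len(args) > 1 and CONST_STR_RE.match(args[1]):
                risk, msg = 1, "constant source; only confirm dst is large enough"
            findings.append(Finding(lineno, risk, func, msg))
    return sorted(findings, key=lambda f: (-f.risk, f.line))

# Constructed input for this example (not from any real project).
SAMPLE_C = r'''#include <stdio.h>
/* strcpy in this comment must not be reported */
int copy_name(char *dst, const char *name) {
    strcpy(dst, name);            /* caller-controlled source: high risk */
    strcpy(dst, "default");       /* constant source: lower risk */
    printf("strcpy in a string literal is not a call\n");
    return 0;
}
int read_line(char *buf) { gets(buf); return 0; }
int open_if_allowed(const char *path) {
    if (access(path, R_OK) == 0) {      /* race between access() and fopen() */
        FILE *f = fopen(path, "r"); if (f) fclose(f);
    }
    return 0;
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line:2} risk {f.risk}  {f.func}(): {f.message}")
```

Run as a script it lists gets() first, then the two risk-4 calls (strcpy from caller data, the access()/fopen() race), and the constant-source strcpy last. The limits of this approach are the same as the real tools': a lexical scanner knows nothing about data flow, so it reports a strcpy whose destination is provably large enough (a false positive) and misses an overflow that goes through a project's own wrapper around strcpy (a false negative). Treat such reports as a prioritised worklist for review, not as a verdict.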
