22 static analysis tools.pptx
Uploaded by rap-payne; category: Technology.
Transcript of 22 static analysis tools.pptx
Static Code Analysis
Security checking your source code
Sources of weaknesses
How we protect ourselves
o Do not rely on merely your own ability to detect insecure code.
o Use a program which will reliably check according to a predefined set of security rules.
Security Testing can be static or dynamic
Static tools
o Scan source code
o Before deployment
o Find potential holes from a list of known vectors
o Called static code analysis
o Negative testing
Dynamic tools
o Scan the site
o After deployment
o Find actual holes from previously unknown vectors
o Called security scanning or penetration testing
o Positive testing
There are many static analyzers
So, how do I pick one?
o Coverage
o Performance
o Completeness
o Accuracy
o Customizability
o Repeatability
o Deployment
o Usability
o Reports
o Security
o Cost
Codename: FXCop
Job Description: Scan and analyze code. Report on problems.
FXCop needs rules
o Download and install the latest rules from Microsoft.
To start it, go to Build – Run Code Analysis.
The problems show up as build warnings
Some warnings are very detailed.
You can choose which rules run in Project Properties.
We should enable it to run on every build.
Also make it part of check-in.
When checking in code, it can halt progress until it passes the code analysis.
What if I don’t have Premium or Ultimate? Download the Windows 7 SDK.
But then it runs from the command line, not integrated into Visual Studio.
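As an added example (not part of the original slides): an MSBuild property group, assuming a hypothetical project file named MyApp.csproj, that makes Code Analysis run on every build, selects the security rule set that ships with Visual Studio 2010, and turns analysis warnings into build errors so a failing check-in build halts. The comment shows the equivalent standalone FxCopCmd.exe invocation for the SDK route described above; paths and assembly names are assumptions.

```xml
<!-- Fragment of a hypothetical MyApp.csproj; placed inside the <Project> element. -->
<PropertyGroup Condition=" '$(Configuration)' == 'Release' ">
  <!-- Run Code Analysis as part of every Release build (not only on demand). -->
  <RunCodeAnalysis>true</RunCodeAnalysis>
  <!-- Use the built-in security rule set instead of the default minimum set. -->
  <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>
  <!-- Promote analysis warnings to errors so the build (and a gated check-in) fails. -->
  <CodeAnalysisTreatWarningsAsErrors>true</CodeAnalysisTreatWarningsAsErrors>
  <!-- Extra rule assemblies (e.g. a downloaded ASP.NET security rule pack);
       the directory path is an assumption. -->
  <CodeAnalysisRuleDirectories>$(SolutionDir)tools\FxCopRules</CodeAnalysisRuleDirectories>
</PropertyGroup>

<!--
  Without Premium/Ultimate, the standalone FxCop from the Windows SDK gives the
  same rules from the command line (assumed install path and output name):

  FxCopCmd.exe /file:bin\Release\MyApp.dll /rule:tools\FxCopRules /out:fxcop-report.xml /summary /console

  /file    assembly to analyze
  /rule    directory (or assembly) holding the rules to apply
  /out     XML report to feed a build server or check-in policy
  /summary print a per-rule count; /console echoes findings to stdout
-->
```

The same report file can be attached to the check-in so reviewers see which rule (and which line) failed rather than only that the build broke.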
We can also get new rules sets
o http://fxcopASPNETSecurity.codeplex.com
Additional rules flag new findings
o Before:
o After:
Since the rules may produce false positives and false negatives, we can tune them:
o Add new rules
o Delete/disable existing rules
o Change the rules
Summary
o Static analysis tools check your source code for known vulnerabilities
o Analysis should be run automatically on compile and/or code check-in.
o VS 2010’s Code Analysis tool is easy and thorough.
Further study
o List of static analysis tools: http://bit.ly/StaticAnalysisTools
o Nice overview of VS Code Analysis Tool: http://bit.ly/VSCodeAnalysisTool
o Security rules package for Code Analysis: http://FXCopAspNetSecurity.Codeplex.com