ITS4

Cigital developed ITS4 to help automate source code review for security. ITS4 is a simple tool that statically scans C and C++ source code for potential security vulnerabilities. It is a command-line tool that works across Unix and Windows platforms. ITS4 scans source code, looking for function calls that are potentially dangerous. For some calls, ITS4 tries to perform some code analysis to determine how risky the call is. In each case, ITS4 provides a problem report, including a short description of the potential problem and suggestions on how to fix the code.

ITS4 and its source code are provided here to the security community for any use that does not compete with Cigital's consulting practice.

Flawfinder

Flawfinder, a program that examines source code and reports possible security weaknesses (``flaws'') sorted by risk level. It's very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public.

Clint

Clint is a testbed for static source-code checking techniques. It is currently designed to check C++ for common programmer errors and suggest improvements. This tool can run on any POSIX platform (UNIX/Linux/BSD/FreeBSD etc.), and license under GNU General Public License (GPL). This tool was written by C++ and Python, for scanning C++ source code.

Valgrind

Valgrind is an award-winning instrumentation framework for building dynamic analysis tools. There are Valgrind tools that can automatically detect many memory management and threading bugs, and profile your programs in detail. You can also use Valgrind to build new tools.

The Valgrind distribution currently includes six production-quality tools: a memory error detector, two thread error detectors, a cache and branch-prediction profiler, a call-graph generating cache profiler, and a heap profiler. It also includes two experimental tools: a heap/stack/global array overrun detector, and a SimPoint basic block vector generator. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux, and X86/Darwin (Mac OS X).

Valgrind is Open Source / Free Software, and is freely available under the GNU General Public License, version 2.

OWASP Code Crawler

A Windows Form application built using .NET (C#). It's reg ex based grepping tool with reporting functionality, testing utilities and other interesting features. Code Crawler is also extensible it's built upon an XML database with around 290 library patterns. Code Crawler has recently reached version 2.7. The engine of this tool is yet not complete, so don't be surprised to find a lot of false positives. At the moment there is no schedule for any further development of the tool unless someone is willing to sponsor the project or wants to contribute.

CodeCrawler

CodeCrawler is a smart, web-based search engine specifically built for use by developers for searching source code. It combines ease of use, superb performance, and intelligent search capabilities in order to increase developer productivity and reduce source code learning time. It works:

• An administrator installs CodeCrawler and configures source code repositories to be searched. 
• CodeCrawler builds a search index for the source code while analyzing each file and extracting important semantic information. 
• Developers search the indexed repositories and examine the code from within a web browser.

Graudit

Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible. Graudit supports scanning code written in several languages; asp, jsp, perl, php and python.

JCSC

JCSC is a powerful tool to check source code against a highly definable coding standard and potential bad code.

The standard covers naming conventions for class, interfaces, fields, parameter, etc . Also the structural layout of the type (class/interface) can be defined. Like where to place fields, either before or after the methods and in which order. The order can be defined through the visibility or by type (instance, class, constant). The same is applicable for methods. Each of those rules is highly customizable. Readability is enhanced by defining where to put white spaces in the code and when to use braces. The existence of correct JavaDoc can be enforced and various levels. Apart from that, it finds weaknesses in the the code -- potential bugs -- like empty catch/finally block, switch without default, throwing of type 'Exception', slow code, etc. JCSC is inspired by lint.

Doctorj

DoctorJ is an application that analyzes Java code and documentation, finding oversights, errors and common mistakes that the javadoc tool does not. This tool can run on any POSIX platform (UNIX/Linux/BSD/FreeBSD etc.), and license under GNU Library or Lesser General Public License (LGPL). DoctorJ was written by C++ and Java. Beyond the level of what Javadoc does, DoctorJ compares documentation against code. Among what it detects: misspelled words, parameter and exception names, Javadoc tags and undocumented classes, methods, fields, parameters. Note that previous versions supported syntax checking.

JeSS

JeSS is a plugin for the Eclipse IDE. It is a static security scanner for Java source code. The plugin creates an AST for the source code and then uses the visitor pattern to find patterns in the AST that could be possible security bugs.

Of benefit to users,  Open Source software is licensed so you can download and use the software free-of-charge. The source code for this software is made available free-of-charge, you (or a programmer you hire) can make changes to this software to better meet your needs, and you can release your changed code back to the community passing the benefit on to other users.

Milk

Milk is a security source code assessment tool using Orizon as API. Milk scans java and .NET source file in order to perform a security code review trying to point out safe coding best practices misuse. Some people does not think their code is insecure. Some people thinks that performances are the primary goal to achieve. Sometimes security is seen as an useless additional cost to a project to deal with. Milk is the experience for those people having their source code assessment served as warn and smooth glass of milk.

Findbugs

FindBugs is a program which uses static analysis to look for bugs in Java code. It is free software, distributed under the terms of the Lesser GNU Public License. The name FindBugs™ and the FindBugs logo are trademarked by The University of Maryland. As of July, 2008, FindBugs has been downloaded more than 700,000 times. FindBugs requires JRE (or JDK) 1.5.0 or later to run.  However, it can analyze programs compiled for any version of Java.

PMD

PMD is a Java source code analyzer. It finds unused variables, empty catch blocks, unnecessary object creation, and so forth. PMD scans Java source code and looks for potential problems like:

• Possible bugs - empty try/catch/finally/switch statements
• Dead code - unused local variables, parameters and private methods
• Suboptimal code - wasteful String/StringBuffer usage
• Overcomplicated expressions - unnecessary if statements, for loops that could be while loops
• Duplicate code - copied/pasted code means copied/pasted bugs

Pscan

Pscan is a package which is designed to audit C and C++ source files for format string vulnerabilities. pscan differs from the previous tools which have been described because it is not a general purpose scanner at all. Instead it is a program specifically aimed at detecting format string bugs. The tool will attempt to find potential issues with the use of variadic functions within C and C++ source code, such as printf, fprintf and syslog.

Format string bugs are fairly simple to detect and fix, although they are the most recent new class of software attacks the majority of them have probably been found and repaired already.

RATS

RcATS is a similar tool to those listed above, with the exception that it comes with support for a much wider range of languages. Currently it has support for C, C++, Perl, PHP and Python. The tool uses a simple XML file to read its vulnerabilities from which makes it one of the easiest of the available tools to modify. New functions can be added easily for each of the supported languages.

Running RATS is as simple as invoking the command with a directory to process. Each of the recognised source files it finds will be processed. RATS understands several programming languages, C, Perl, PHP, and Python and will treat each as valid source to examine.

Inspekt

Inspekt is a PHP library that makes it easier to write secure web applications.

Inspekt acts as a sort of 'firewall' API between user input and the rest of the application. It takes PHP superglobal arrays, encapsulates their data in an "cage" object, and destroys the original superglobal. Data can then be retrieved from the input data object using a variety of accessor methods that apply filtering, or the data can be checked against validation methods. Raw data can only be accessed via a 'getRaw()' method, forcing the developer to show clear intent.