Software Tools

In Chapter 6 of Secure Coding, we present numerous tables of some software tools that can make your work easier, at various stages of the software development life cycle. Those tables are included here, with permission, complete with up-to-date product URL links. The list is by no means a comprehensive list of everything that is available, and we welcome suggestions for additions from our readers. The tool listings are broken down by category.

-- Mark and Ken

Static Code Checkers
  • Compaq ESC:  The Compaq Extended Static Checker for Java is a programming tool for finding errors in Java programs. ESC/Java detects, at compile time, common programming errors that ordinarily are not detected until run time.

  • Flawfinder:  Examines source code and reports possible security weaknesses ("flaws") sorted by risk level. Written in Python and released under the GNU General Public License (GPL).

  • FxCop:  Analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. FxCop analyzes programming elements in assemblies, called targets, using a customizable and extensible rule architecture.

  • RATS:  Scans C, C++, Perl, Python, and PHP source files for common security flaws. Released under the GNU General Public License (GPL).

  • Splint:  Secure Programming Lint (SPLINT) from the University of Virginia's Computer Science department. Freely available (under the GNU General Public License). Scans C source code for security vulnerabilities and programming mistakes.

  • Uno:  UNO is named after the three common flaws that it detects: use of uninitialized variables, nil-pointer dereferences, and out-of-bounds array indexing. Although not specifically designed as a security checker, it can be used to scan C source code for common software defects. Developed by Gerard Holzmann and freely available from Bell Labs.
Runtime Code Checkers
  • Libsafe:  Attempts to prevent buffer overflows during software execution on many Linux platforms. Freely available in source code and binary executable formats from Avaya under the GNU Lesser General Public License.

  • ProPolice:  A GCC extension from IBM for protecting applications from stack-smashing attacks.

  • PurifyPlus:  Commercially available runtime checker from IBM's Rational Software. Includes a module that detects software flaws such as memory leaks. Versions are available for Windows, Unix, and Linux environments.

  • Immunix Tools:  Three tools we know of from Wirex Communications, Inc. as part of their "Immunix" version of Linux are worth investigating. These are Stackguard, FormatGuard, and RaceGuard. They provide runtime support for preventing buffer overflows and other common security coding flaws. Much of Immunix (which is now a commercial product) was developed as a DARPA-funded research project; the tools we've mentioned are available as GPL software.
Profiling Tools
  • Papillon:  Written specifically for Sun's Solaris Operating Environment (Version 8 and 9). Attempts to screen and prevent attacks by system users.

  • Janus:  Used for "sandboxing" untrusted applications by restricting the system calls that they can make. Janus is a policy enforcement and general-purpose profiling tool. Currently, it supports Linux and is freely available. Developed by David Wagner and Tal Garfinkel at the University of California at Berkeley.

  • Gprof:  Included as part of the GNU binutils collection of tools. Produces an execution profile of what functions get called, and so on, from C, Pascal, or FORTRAN77 program source code.

  • Valgrind:  Valgrind is a flexible tool for debugging and profiling Linux-x86 executables. The tool consists of a core, which provides a synthetic x86 CPU in software, and a series of "skins", each of which is a debugging or profiling tool.
Penetration Testing Tools
  • Nmap:  Perhaps the most widely used network port scanner. Written by Fyodor and freely available under the terms of the GNU General Public License.

  • Nessus:  Performs vulnerability testing. Nessus essentially picks up where Nmap leaves off. Originally developed by Renaud Deraison and kept up to date by Renaud and an ever-growing community of users. Also freely available under the GPL.

  • ISS Internet Scanner:  No doubt the most popular of many commercial products for doing vulnerability scans at a network level. ISS (the company) also sells a wide range of other security products, including a host-based vulnerability scanner and intrusion detection tools.
Application Scanning Tools
  • Appscan:  Application scanner (for web-based applications) that works by attempting various fault-injection tests. Commercially available from Sanctum.

  • Whisker:  CGI scanner that scans web-based applications for common CGI flaws. Freely available from "Rain Forest Puppy."

  • ISS Database Scanner:  Scans a select group of database server applications (including MS-SQL, Sybase, and Oracle) for common flaws. Commercially available from Internet Security Systems.
For additional information, be sure to check out the list of software auditing tools available at the Sardonix Security Portal.

Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.