In Chapter 6 of Secure Coding, we present numerous tables of software tools that can make your work easier at various stages of the software development life cycle. Those tables are included here, with permission, complete with up-to-date product URL links. The list is by no means comprehensive, and we welcome suggestions for additions from our readers. The tool listings are broken down by
-- Mark and Ken
Static Code Checkers
- Compaq ESC: The Compaq Extended Static Checker for Java is a programming tool for finding errors in Java programs. ESC/Java detects, at compile time, common programming errors that ordinarily are not detected until run
- Flawfinder: Examines source code and reports possible security weaknesses ("flaws") sorted by risk level. Written in Python and released under the GNU General Public
- FxCop: Analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. FxCop analyzes programming elements in assemblies, called targets, using a customizable and extensible rule architecture.
- RATS: Scans C, C++, Perl, Python, and PHP source files for common security flaws. Released under the GNU General Public License (GPL).
- Splint: Secure Programming Lint (SPLINT) from the University of Virginia's Computer Science department. Freely available (under the GNU General Public License). Scans C source code for security vulnerabilities and
- Uno: UNO is named after the three common flaws that it detects: use of uninitialized variables, nil-pointer references, and out-of-bounds array indexing. Although not specifically designed as a security checker, it can be used to scan C source code for common software defects. Developed by Gerard Holzmann and freely available from Bell Labs.
Runtime Code Checkers
- Libsafe: Attempts to prevent buffer overflows during software execution on many Linux platforms. Freely available in source code and binary executable formats from Avaya under the GNU Lesser General Public License.
- ProPolice: A GCC extension from IBM for protecting applications from stack-smashing attacks.
- PurifyPlus: Commercially available runtime checker from IBM's Rational Software. Includes a module that detects software flaws such as memory leaks. Versions are available for Windows, Unix, and Linux environments.
- Immunix Tools: Three tools from WireX Communications, Inc., shipped as part of their "Immunix" version of Linux, are worth investigating: StackGuard, FormatGuard, and RaceGuard. They provide runtime support for preventing buffer overflows and other common security coding flaws. Much of Immunix (which is now a commercial product) was developed as a DARPA-funded research project; the tools we've mentioned are available as GPL
- Papillon: Written specifically for Sun's Solaris Operating Environment (Versions 8 and 9). Attempts to screen and prevent attacks by system users.
- Janus: Used for "sandboxing" untrusted applications by restricting the system calls that they can make. Janus is a policy enforcement and general-purpose profiling tool. Currently, it supports Linux and is freely available. Developed by David Wagner and Tal Garfinkel at the University of California at Berkeley.
- Gprof: Included as part of the GNU binutils collection of tools. Produces an execution profile (which functions get called, how often, and so on) for programs written in C, Pascal, or FORTRAN77.
- Valgrind: Valgrind is a flexible tool for debugging and profiling Linux-x86 executables. The tool consists of a core, which provides a synthetic x86 CPU in software, and a series of "skins", each of which is a debugging or profiling tool.
Penetration Testing Tools
- Nmap: Perhaps the most widely used network port scanner. Written by Fyodor and freely available under the terms of the GNU General Public License.
- Nessus: Performs vulnerability testing. Nessus essentially picks up where Nmap leaves off. Originally developed by Renaud Deraison and kept up to date by Renaud and an ever-growing community of users. Also freely available under the GPL.
- ISS Internet Scanner: No doubt the most popular of the many commercial products for doing vulnerability scans at the network level. ISS (the company) also sells a wide range of other security products, including a host-based vulnerability scanner and intrusion detection tools.
For additional information, be sure to check out the list of software auditing tools available at the Sardonix Security Portal.
Application Scanning Tools
- Appscan: Application scanner (for web-based applications) that works by attempting various fault-injection tests. Commercially available from
- Whisker: CGI scanner that scans web-based applications for common CGI flaws. Freely available from "Rain Forest Puppy."
- ISS Database Scanner: Scans a select group of database server applications (including MS-SQL, Sybase, and Oracle) for common flaws. Commercially available from Internet