Static analysis tools

Upload: aman-ahmed

Post on 12-Jul-2015

TRANSCRIPT

Page 1: Static analysis tools

STATIC ANALYSIS TOOLS

LET’S BEGIN…

Page 2: Static analysis tools

What is Static Analysis?

Static analysis is the analysis of computer software that is performed without actually executing, or running, that software. Static analysis tools look at applications in a non-runtime environment. This method of testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software's inputs and outputs that cannot be seen through dynamic web scanning alone. In the past this technique required source code, which is not only impractical, as source code is often unavailable, but also insufficient.

Page 3: Static analysis tools

Features of Static Analysis Tools:

To calculate metrics such as cyclomatic complexity or nesting levels (which can help to identify where more testing may be needed due to increased risk).

To enforce coding standards.

To analyse structures and dependencies.

To help in code understanding.

To identify anomalies or defects in the code.
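As an added illustration of the metric and anomaly features listed above (this is constructed for this page, not code from the slides or from any of the tools it names), the following Python script walks a module's syntax tree and reports, per function, a cyclomatic complexity count, the deepest nesting level and empty exception handlers, then flags the functions that need more testing. The thresholds, the sample source and all helper names are assumptions.

```python
"""Small metric-oriented static analyser built on Python's ast module.

Constructed for this page: it reports, per function, a McCabe-style
cyclomatic complexity, the deepest nesting of compound statements, and
empty 'except' handlers (an anomaly that silently swallows errors).
Thresholds are assumed review limits, not values from any particular tool.
"""
import ast

COMPLEXITY_LIMIT = 10   # assumed: functions above this deserve more testing
NESTING_LIMIT = 3       # assumed: deeper nesting is a readability/risk flag

DECISION_NODES = (ast.If, ast.For, ast.While, ast.AsyncFor,
                  ast.ExceptHandler, ast.IfExp, ast.Assert)
NESTING_NODES = (ast.If, ast.For, ast.While, ast.AsyncFor,
                 ast.Try, ast.With, ast.AsyncWith)
SCOPE_NODES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)


def _descendants(node):
    """Yield every node below `node` without entering nested scopes, so a
    nested function's branches are charged to that function, not this one."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, SCOPE_NODES):
            continue
        yield child
        yield from _descendants(child)


def cyclomatic_complexity(func):
    """1 + one per decision point; each and/or operand beyond the first and
    each comprehension clause also adds a path."""
    complexity = 1
    for node in _descendants(func):
        if isinstance(node, DECISION_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            complexity += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            complexity += 1 + len(node.ifs)
    return complexity


def max_nesting(node, depth=0):
    """Deepest chain of nested compound statements below `node`."""
    deepest = depth
    for child in ast.iter_child_nodes(node):
        if isinstance(child, SCOPE_NODES):
            continue
        step = 1 if isinstance(child, NESTING_NODES) else 0
        deepest = max(deepest, max_nesting(child, depth + step))
    return deepest


def empty_handlers(func):
    """Line numbers of 'except' handlers whose body is only 'pass'."""
    return [node.lineno for node in _descendants(func)
            if isinstance(node, ast.ExceptHandler)
            and all(isinstance(stmt, ast.Pass) for stmt in node.body)]


def analyse_source(source):
    """Map each function name in `source` to its metrics."""
    report = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            report[node.name] = {
                "complexity": cyclomatic_complexity(node),
                "nesting": max_nesting(node),
                "empty_except_lines": empty_handlers(node),
            }
    return report


def risky_functions(report):
    """Names of functions that breach a threshold or contain an empty handler."""
    return sorted(name for name, m in report.items()
                  if m["complexity"] > COMPLEXITY_LIMIT
                  or m["nesting"] > NESTING_LIMIT
                  or m["empty_except_lines"])


# Constructed sample input: one simple function and one deeply nested,
# error-swallowing one.
SAMPLE_SOURCE = '''
def parse_header(line):
    name, _, value = line.partition(":")
    return name.strip(), value.strip()

def route(request, users):
    for user in users:
        if user.active and user.name == request.user:
            try:
                if request.path.startswith("/admin"):
                    if user.is_admin:
                        return "admin"
                    return "forbidden"
            except AttributeError:
                pass
    return "not-found"
'''

if __name__ == "__main__":
    report = analyse_source(SAMPLE_SOURCE)
    for name, metrics in report.items():
        print(name, metrics)
    print("needs review:", risky_functions(report))
```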

Page 4: Static analysis tools

Delivering Software Security…

Enterprise security is highly focused on the application layer today, and for good reason. Because the network perimeter has been successfully secured to a great degree, most malicious attacks are now directed at applications. To address this threat, enterprises must test applications for flaws or threats before procuring or implementing them. Static analysis is one of the leading testing techniques. A static analysis tool reviews program code, searching for application coding flaws, back doors, or other malicious code that could give hackers access to critical company data or customer information. But most static analysis tools can only scan source code, which is problematic. Many applications integrate code from third-party libraries, offshore software, and commercial off-the-shelf (COTS) applications - and source code for these applications is often unavailable for scanning.

Page 5: Static analysis tools

“Multi Language” Analysis Tools:

This presentation will brief you through the “multi-language” static analysis tools, i.e. analysis tools used to test more than one programming language.

Page 6: Static analysis tools

Axivion Bauhaus Suite

Created in response to the problem of software rot, the project aims to analyse and recover the means and methods developed for legacy software by understanding the software's architecture. As part of its research, the project develops software tools (such as the Bauhaus Toolkit) for software architecture, software maintenance and reengineering, and program understanding.

The Bauhaus Toolkit includes a static code analysis tool for C, C++, C#, Java and Ada code. It comprises various analyses such as architecture checking, interface analysis, and clone detection. Bauhaus was originally derived from the older Rigi reverse engineering environment, which was expanded by Bauhaus due to Rigi's limitations. It is among the most notable visualization tools in the field. The Bauhaus tool suite aids the analysis of source code by creating abstractions (representations) of the code in an intermediate language as well as through a resource flow graph (RFG). The RFG is a hierarchical graph with typed nodes and edges, which are structured in various views.

Page 7: Static analysis tools

Black Duck Suite

Black Duck Software maintains a Knowledgebase of open source and third party components - most of which are available on the Internet. Each component is characterized by metadata such as license, language, version, author, and known security vulnerabilities. Black Duck products use this information to facilitate search, selection, approval, auditing and tracking of software components. Black Duck Software also maintains the open source search engine Ohloh Code, a free resource for software developers, and Open Hub, a free public directory of open source projects and contributors.

Black Duck Software maintains the Open Source Delivers industry blog on the adoption and enablement of OSS, and the Open Source Resource Center (OSRC).

Page 8: Static analysis tools

CAST Application Intelligence Program

The CAST Application Intelligence Platform (AIP) is an automated system for measuring the quality and size of business applications. It is made by CAST, based in Meudon in France. The AIP inspects the source code, identifies and tracks quality issues, and provides the data to monitor development performance.

Page 9: Static analysis tools

Cigital

Cigital SecureAssist identifies security bugs within the IDE and provides custom guidance to developers in reducing defects in future development. Build Secure eLibrary is an online portal containing a suite of software security training classes. Enterprise Security Portal tracks identified security bugs and checks for omissions to ensure a thorough analysis of the software. They also do research; for example, in a 2009 study, they found that poker games such as Texas Hold 'em involve considerable skill.

Page 10: Static analysis tools

ConQAT

ConQAT analyses are usually executed on a command line in batch mode. Besides its application in software quality audits, it is also often integrated into a nightly build of a system. ConQAT implements processors (so called Scopes) to read data from different sources, such as source code or binary code files as well as from issue trackers or version management systems. Lexer processors and other pre-processing operations are available. ConQAT implements algorithms for detecting redundancy, architecture analysis etc. in its own processors/blocks. Furthermore, it integrates established tools, like FindBugs, FxCop etc., using processors that read their output formats. Although ConQAT supports different output formats (e.g. XML), usually generated HTML files are used to present the analysis results. Visualizations like different types of diagrams, treemaps, architecture diagrams etc.

Page 11: Static analysis tools

DMS Toolkit

DMS has been used to implement a wide variety of practical tools, including domain-specific languages, test coverage and profiling tools, clone detection, language migration tools, C++ component reengineering, and for research into difficult topics such as refactoring C++ reliably.

The toolkit provides means for defining language grammars and will produce parsers which automatically construct abstract syntax trees (ASTs), and prettyprinters to convert original or modified ASTs back into compilable source text. The parse trees capture, and the prettyprinters regenerate, complete detail about the original source program, including source position, comments, radix and format of numbers, etc., to ensure that regenerated source text is as recognizable to a programmer as the original text modulo any applied transformations.

Page 12: Static analysis tools

Fortify Software

'Fortify Software', now known as Fortify, was a California-based software security vendor, founded in 2003 and acquired by Hewlett-Packard in 2010. Fortify is now part of HP Enterprise Security Products in the HP Software business, providing application security products and services for enterprise customers to assess, assure and protect enterprise software and applications from security vulnerabilities.

Fortify created a Security Research Group which maintained the Java Open Review project and the Vulncat taxonomy of security vulnerabilities in addition to the security rules for Fortify's analysis software.

Page 13: Static analysis tools

IBM Security AppScan

IBM Security AppScan, previously known as IBM Rational AppScan, is a family of web security testing and monitoring tools from the Rational Software division of IBM. AppScan is intended to test Web applications for security vulnerabilities during the development process, when it is least expensive to fix such problems. The product learns the behaviour of each application, whether an off-the-shelf application or internally developed, and develops a program intended to test all of its functions for both common and application-specific vulnerabilities.

Page 14: Static analysis tools

Klocwork

Klocwork is a software company with headquarters in Burlington, MA and R&D based in Ottawa, ON, Canada. Klocwork was founded in 2001 as a spin-out of Nortel Networks and has over 1,000 customers[1] who use its software development tools. Klocwork says their tool helps "developers create more secure and reliable software by analyzing source code on-the-fly, simplifying peer code reviews, and extending the life of complex software."

Klocwork is a static code analysis tool used to identify security, safety and reliability issues in C, C++, Java and C# code. The product includes numerous desktop plug-ins for developers, metrics and reporting.

Page 15: Static analysis tools

LDRA Testbed

STATIC ANALYSIS initiates LDRA Testbed activity by undertaking lexical and syntactic analysis of the source code for a single file or a complete system.

The enforcement of programming standards (or coding standards) is commonly regarded as good practice. Adherence to such standards can be automatically checked by products like LDRA Testbed. Main Static Analysis searches the source code for any Programming Standards Violations by checking the source file(s) against the superset supplied with LDRA Testbed. This system can be configured for:

User definable filters – switch standards on or off.

Change standards from mandatory to optional or vice-versa.

Use annotations to switch off standards for specific instances of violations.

LDRA Testbed reports violations of the chosen set of standards in both textual reports and as annotations to graphical displays.

Page 16: Static analysis tools

MALPAS

The MALPAS toolset comprises five specific analysis tools that address various properties of a program. The input to the analysers needs to be written in MALPAS Intermediate Language (IL); this can be hand-written or produced by an automated translation tool from the original source code. Automatic translators exist for common high-level programming languages such as Ada, C and Pascal, as well as assembler languages such as Intel 80*86, PowerPC and 68000. The IL text is input into MALPAS via the "IL Reader", which constructs a directed graph and associated semantics for the program under analysis. The graph is reduced using a series of graph reduction techniques.

The MALPAS toolset consists of 5 analysers:

Control Flow Analyser. This examines the program structure, identifying key features: Entry/Exit points, Loops, Branches and unreachable code. It provides a summary report drawing attention to undesirable constructs and an indication of the complexity of the program structure.

Data Use Analyser. This separates the variables and parameters used by the program into distinct classes depending upon their use (i.e. data that is read before being written, data that is written without being read, or data that is written twice without an intervening read). The report can identify errors such as uninitialized data and function outputs not written on all paths.

Information Flow Analyser. This identifies the data and branch dependencies for each output variable or parameter. Unwanted or unexpected dependencies can be revealed for all paths through the code. Information is also provided regarding unused variables and redundant statements.

Semantic Analyser (also known as symbolic execution). This reveals the exact functional relationship between all inputs and outputs over all semantically-feasible paths through the code.

Compliance Analyser. This compares the mathematical behaviour of the code with its formal IL specification, detailing where one differs from the other. The IL specification is written as Preconditions and Postconditions, as well as optional code assertions. Compliance analysis can be used to gain a very high level of confidence in the functional correctness of the code in relation to its specification.
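As an added example of the data-use classification described for the Data Use Analyser above (constructed for this page; it is not MALPAS code and its input is a made-up intermediate language, not MALPAS IL), the following Python script enumerates every control-flow path through a small procedure and reports reads before any write, writes that are never read, consecutive writes with no intervening read, and declared outputs that some path leaves unwritten. The IL shape, the sample procedure and its variable names are assumptions.

```python
"""Toy data-use analyser, in the spirit of the MALPAS Data Use Analyser.

Constructed for this page.  The input is a made-up IL, not MALPAS IL:
  ("assign", target, [sources])                 target := f(sources)
  ("if", [cond_vars], then_block, else_block)   branch on cond_vars
A procedure declares inputs (written on entry) and outputs (expected to
be written on every path).  Paths are enumerated explicitly, which is
exponential in the number of branches but adequate for small procedures.
"""


def paths(block):
    """Every control-flow path through `block`, each as a flat list of
    (target, sources) steps; a branch condition is a read with no target."""
    result = [[]]
    for stmt in block:
        if stmt[0] == "assign":
            _, target, sources = stmt
            result = [p + [(target, tuple(sources))] for p in result]
        elif stmt[0] == "if":
            _, cond, then_block, else_block = stmt
            branch_paths = [[(None, tuple(cond))] + sub_path
                            for sub in (then_block, else_block)
                            for sub_path in paths(sub)]
            result = [p + bp for p in result for bp in branch_paths]
        else:
            raise ValueError(f"unknown statement {stmt[0]!r}")
    return result


def analyse(proc):
    """Classify variable use over all paths of a procedure dict with keys
    'inputs', 'outputs' and 'body'; returns a dict of finding sets."""
    inputs, outputs = set(proc["inputs"]), set(proc["outputs"])
    findings = {key: set() for key in (
        "read_before_write", "rewritten_without_read",
        "written_never_read", "output_not_written_on_all_paths")}
    all_written, all_read = set(), set()
    for path in paths(proc["body"]):
        written = set(inputs)          # inputs count as written on entry
        unread_since_write = set()     # last write not yet consumed by a read
        for target, sources in path:
            for src in sources:
                if src not in written:            # uninitialized data on this path
                    findings["read_before_write"].add(src)
                unread_since_write.discard(src)
                all_read.add(src)
            if target is not None:
                if target in unread_since_write:  # the previous write was dead
                    findings["rewritten_without_read"].add(target)
                written.add(target)
                unread_since_write.add(target)
                all_written.add(target)
        findings["output_not_written_on_all_paths"] |= outputs - written
    # Written somewhere but read on no path at all (outputs are read by the caller).
    findings["written_never_read"] = all_written - all_read - outputs
    return findings


# Constructed sample procedure exhibiting one anomaly of each kind.
SAMPLE_PROC = {
    "inputs": ["a", "b", "flag"],
    "outputs": ["result", "status"],
    "body": [
        ("assign", "tmp", ["a", "b"]),
        ("assign", "tmp", ["a"]),                  # tmp rewritten before any read
        ("if", ["flag"],
            [("assign", "result", ["tmp", "c"]),   # c is read but never written
             ("assign", "status", [])],
            [("assign", "result", ["b"])]),        # status stays unwritten here
        ("assign", "scratch", ["result"]),         # scratch is never read
    ],
}

if __name__ == "__main__":
    for kind, names in analyse(SAMPLE_PROC).items():
        print(f"{kind}: {sorted(names)}")
```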

Page 17: Static analysis tools

MOOSE

The philosophy of Moose is to enable the analyst to produce new dedicated analysis tools, and to customize the flow of analysis. While Moose is mainly used in software analysis, it is built to work for any data.

To achieve this it offers multiple mechanisms and frameworks:

Importing and meta-meta-modeling is achieved through a generic meta-described engine. Any meta-model is described in terms of a self-described meta-meta-model, and based on this description, the import/export is provided through the MSE file format. Through this file format, Moose can exchange data with external tools.

For parsing, Moose provides a novel framework that makes use of several parsing technologies and that provides a fluent interface for easy construction.

Software analysis is specifically supported through the FAMIX family of meta-models. The core of FAMIX is a language independent meta-model that is similar to UML but is focused on analysis. Furthermore, it provides a rich interface for querying models.

Visualization is supported through two different engines: one for expressing graph visualizations, and one for expressing charts. They both provide a fluent interface for easy construction.

Browsing is an important principle in Moose, and it is supported in multiple ways as well. A generic interface enables the analyst to browse any model. To be able to specify specific browsers, Moose offers a generic engine that eases the specification through a specific fluent interface.

Page 18: Static analysis tools

PARASOFT

Parasoft develops automated defect prevention technologies that support the Automated Defect Prevention methodology developed by Adam Kolawa. These technologies automate a number of defect prevention practices for Java, C and C++, and .NET. The static code analysis practice identifies coding issues that lead to security, reliability, performance, and maintainability issues later on. In 1996, Parasoft submitted a patent application for their rule-based static code analysis. Since then, the original static analysis technology has been extended to include security static analysis, data flow analysis, and software metrics. In 1996, Parasoft submitted patent applications for technology that automatically generates unit test cases. Since then, the original unit testing technology has been extended to include code coverage analysis, regression testing, and traceability. The peer code review practice involves manually inspecting source code to examine algorithms, review design, and search for subtle errors that automated tools cannot detect.

Page 19: Static analysis tools

COPY/PASTE DETECTOR (CPD)

PMD is a static rule-set based Java source code analyzer that identifies potential problems like:

Possible bugs—Empty try/catch/finally/switch blocks.

Dead code—Unused local variables, parameters and private methods.

Empty if/while statements.

Overcomplicated expressions—Unnecessary if statements, for loops that could be while loops.

Suboptimal code—Wasteful String/StringBuffer usage.

Classes with high Cyclomatic Complexity measurements.

Duplicate code—Copied/pasted code can mean copied/pasted bugs, and decreases maintainability.

Page 20: Static analysis tools

Polyspace

Polyspace is a static code analysis tool for large-scale analysis by abstract interpretation to detect, or prove the absence of, certain run-time errors in source code for the C, C++, and Ada programming languages. The tool also checks source code for adherence to appropriate code standards.

The product family consists of Polyspace Code Prover and Polyspace Bug Finder. The Code Prover module annotates source code with a color-coding scheme to indicate the status of each element in the code. It uses formal methods-based static code analysis to verify program execution at the language level. The tool checks each code instruction by taking into account all possible values of every variable at every point in the code, providing a formal diagnostic for each operation in the code under both normal and abnormal usage conditions.
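To make the abstract-interpretation idea concrete, here is an added example (constructed for this page; it is not Polyspace code and analyses a made-up IL rather than C) that tracks an interval of possible values for every variable through a small program and colours each division and array access the way the slide describes: green when proven safe, red when it always fails, orange when some input could make it fail, and grey for a branch that can never execute. The IL, the sample program and the variable names are assumptions; there are no loops, so no widening is needed.

```python
"""Toy interval abstract interpreter with Polyspace-style colour coding.

Constructed for this page; the IL is made up, not C.  Statements:
  ("set", x, (lo, hi))        x takes any value in the interval (e.g. an input)
  ("add"|"sub", x, a, b)      x := a + b  /  x := a - b   (operands: name or int)
  ("div", x, a, b)            x := a / b, checked for a zero divisor
  ("index", length, i)        arr[i] on an array of `length` elements, bounds-checked
  ("if_ge", x, c, then, else) branch on x >= c
Colours: green = proven safe, red = always fails, orange = may fail on some
input, grey = a branch that can never be taken.  No loops, so no widening.
"""
INF = float("inf")
TOP = (-INF, INF)   # nothing is known about the variable

def interval_of(env, operand):
    """An operand is either a variable name or an integer literal."""
    return env[operand] if isinstance(operand, str) else (operand, operand)

def divide(x, y):
    """Quotient of finite intervals when y excludes zero: '//' is monotone in
    each argument on such a box, so the extremes lie at the corners."""
    if INF in (abs(x[0]), abs(x[1]), abs(y[0]), abs(y[1])):
        return TOP
    corners = [a // b for a in x for b in y]
    return (min(corners), max(corners))

def join(env_a, env_b):
    """Least upper bound of two states; a variable set in only one is unknown."""
    return {v: (min(env_a[v][0], env_b[v][0]), max(env_a[v][1], env_b[v][1]))
            if v in env_a and v in env_b else TOP for v in set(env_a) | set(env_b)}

def run_block(block, env, findings):
    """Abstractly execute `block` from state env (var -> (lo, hi)); append
    (statement, colour) pairs to findings and return the exit state, or None
    when the end of the block can never be reached."""
    env = dict(env)
    for stmt in block:
        op = stmt[0]
        if op == "set":
            env[stmt[1]] = stmt[2]
        elif op in ("add", "sub"):
            (alo, ahi), (blo, bhi) = interval_of(env, stmt[2]), interval_of(env, stmt[3])
            env[stmt[1]] = (alo + blo, ahi + bhi) if op == "add" else (alo - bhi, ahi - blo)
        elif op == "div":
            x, y = interval_of(env, stmt[2]), interval_of(env, stmt[3])
            if y == (0, 0):
                findings.append((stmt, "red"))      # divisor is provably zero
                return None                          # a definite failure ends the path
            if y[0] <= 0 <= y[1]:
                findings.append((stmt, "orange"))   # zero divisor on some input
                env[stmt[1]] = TOP
            else:
                findings.append((stmt, "green"))
                env[stmt[1]] = divide(x, y)
        elif op == "index":
            _, length, idx = stmt
            lo, hi = interval_of(env, idx)
            colour = ("green" if 0 <= lo and hi < length
                      else "red" if hi < 0 or lo >= length else "orange")
            findings.append((stmt, colour))
            if colour == "red":
                return None
        elif op == "if_ge":
            _, var, const, then_block, else_block = stmt
            lo, hi = env[var]
            exits = []
            for label, refined, sub in (("then", (max(lo, const), hi), then_block),
                                        ("else", (lo, min(hi, const - 1)), else_block)):
                if refined[0] > refined[1]:          # empty interval: dead branch
                    findings.append(((label, var, const), "grey"))
                    continue
                exits.append(run_block(sub, {**env, var: refined}, findings))
            exits = [e for e in exits if e is not None]
            if not exits:
                return None
            env = exits[0] if len(exits) == 1 else join(*exits)
        else:
            raise ValueError(f"unknown statement {op!r}")
    return env

def analyse(program, initial_env=None):
    """Return (findings, exit_state) for a whole program."""
    findings = []
    return findings, run_block(program, initial_env or {}, findings)

# Constructed sample: 'n' is an untrusted byte indexing a 16-element buffer.
SAMPLE_PROGRAM = [
    ("set", "n", (0, 255)),
    ("index", 16, "n"),                                 # orange: n may be 16..255
    ("if_ge", "n", 16, [("set", "n", (0, 15))], []),    # clamp out-of-range values
    ("index", 16, "n"),                                 # green: n is 0..15 on every path
    ("sub", "d", "n", 16),                              # d is -16..-1, never zero
    ("div", "q", 100, "d"),                             # green
    ("if_ge", "n", 0, [], [("div", "crash", 1, 0)]),    # else-branch is grey
    ("div", "r", "q", "n"),                             # orange: n may still be 0
]

if __name__ == "__main__":
    for stmt, colour in analyse(SAMPLE_PROGRAM)[0]:
        print(f"{colour:6} {stmt}")
```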

Page 21: Static analysis tools

Pretty Diff

Pretty Diff is a language-aware data comparison utility implemented in JavaScript. The online utility is capable of source code beautification, minification, and comparison of two pieces of input text. It operates by removing code comments from supported languages and then performs a pretty-print operation prior to executing the diff algorithm. An abbreviated list of unit tests is provided. The documentation claims the JavaScript pretty-print operation conforms to the requirements of JSLint.

As Pretty Diff is written entirely in JavaScript, the application executes in a web browser or on the command line using a stand-alone JavaScript interpreter, such as Node.js, or with WSH provided a .wsf file. An NPM package is provided for use with Node.js.

The source code is published at the Pretty Diff GitHub repository.

Page 22: Static analysis tools

SonarQube

FEATURES

Supports 25+ languages: Java, C/C++, Objective-C, C#, PHP, Flex, Groovy, JavaScript, Python, PL/SQL, COBOL, …

Can also be used in Android development.

Offers reports on duplicated code, coding standards, unit tests, code coverage, complex code, potential bugs, comments and design and architecture.

Records metrics history and provides evolution graphs ("time machine") and differential views.

Integrates with external tools: JIRA, Mantis, LDAP, Fortify, …

Implements the SQALE methodology to compute technical debt.

Supports Tomcat. However, end of support for Tomcat is planned for SonarQube 4.1. The standalone mode is now the only mode that is supported. The standalone mode embeds a Tomcat server.

Page 23: Static analysis tools

Sotoarc

Sotoarc is a commercial static code analysis tool for software architects. It graphically visualizes the static structure of software systems written in Java, C# or C++ code. The code structure is displayed as hierarchies (trees) of modules, packages and files. Besides, the user can describe by graphical means the specified software architecture of a software system. By doing so, the tool immediately compares this intended architecture with the implemented code structure and highlights all architecture violations (i.e. all code references and dependencies which do not correspond to the intended architecture).

Page 24: Static analysis tools

SQuORE

SQuORE is a business intelligence and static code analysis tool for software projects. It gathers information from different artefact types (e.g. source code, test results, bug tracking system) and tools (reads outputs of Checkstyle, PMD, FindBugs, Polyspace, Coverity or SonarQube) and publishes a summarised view of the project quality or progress.

The quality model used for analysis is fully customisable, and many different quality models have been implemented: SQALE, ISO9126 maintainability, European Cooperation for Space Standardization or HIS Automotive group. It is used in industry and academic research for software engineering and data mining related concerns.

24

Page 25: Static analysis tools

Veracode

Veracode offers security assessments of applications through a variety of technologies, including static code analysis on compiled binary executables or bytecode; dynamic web application analysis; and manual penetration testing and source code review. The capabilities are delivered through a software as a service platform and are sold by subscription. Using the Veracode platform, users can detect and triage flaws, get a security rating, and review findings and metrics about their applications.

Veracode supports analysis of binaries, bytecode, and other application formats in a variety of different languages, platforms, and compilers, including C, C++, Java, .NET bytecode, PHP, ColdFusion, Ruby on Rails, Windows Mobile, BlackBerry, Android, and iOS.

25

Page 26: Static analysis tools

Yasca

Yasca is an open source program which looks for security vulnerabilities, code quality, performance, and conformance to best practices in program source code. It leverages external open source programs, such as FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, Pixy, and RATS, to scan specific file types, and also contains many custom scanners developed for Yasca. It is a command-line tool that generates reports in HTML, CSV, XML, MySQL, SQLite, and other formats. It is listed as an inactive project at the well-known OWASP security project, and also in a government software security tools review at the U.S. Department of Homeland Security web site.

26

Page 27: Static analysis tools

Code Analysis

(Veracode)

27

Page 28: Static analysis tools

Get on demand code review

Veracode is the world's best automated, on-demand, application security testing and code review solution. Founded by experts from security companies such as Guardent, Symantec, @stake, and VeriSign, and built on a Software-as-a-Service model - Veracode solutions deliver application security and automated code review services for enterprises that want to cost-efficiently test software security by identifying flaws in applications. Veracode helps developers create secure software by scanning compiled code (also called “binary” or “byte” code) instead of source code. This innovative approach enables deeper and more comprehensive application security assurance, since Veracode can code review both internally developed software as well as third-party applications that might otherwise be off-limits for review because of proprietary issues.

28

Page 29: Static analysis tools

Static Code Analysis

Veracode offers the industry’s most comprehensive automated static analysis tools, making your application development faster and more reliable than ever before. Veracode scans binary code - compiled or “byte” code - allowing enterprises to scan 100 percent of an application, even when source is not available for practical or proprietary considerations. Veracode is built on the software-as-a-service model, allowing organizations to access and scale security testing without the need for capital expense or investment. There is no vulnerability assessment software or hardware to purchase and no security personnel to train. Developers or software procurement personnel submit code through an online platform, and results are returned within 24 hours. Veracode's automated format greatly reduces the amount of effort and resources needed to perform static analysis, while greatly increasing the accuracy of test results.

29

Page 30: Static analysis tools

Source Code Analysis

Veracode provides a truly comprehensive software security testing solution. In addition to source code analysis, Veracode offers dynamic application security testing and manual penetration testing to provide comprehensive testing in an all-in-one solution. Dynamic application security testing is akin to an automated penetration test. With greater code coverage and more accurate results, Veracode helps enterprises achieve better application security in less time and more cost-effectively. This in turn allows development teams and software procurement teams to meet deadlines more easily, and to even accelerate speed to market. Learn more about source code analysis with Veracode, as well as web application security, PCI compliance, and more.

30

Page 31: Static analysis tools

Static Analysis Tools

Veracode offers the industry’s most comprehensive automated static analysis tools, making your application development faster and more reliable than ever before. Veracode scans binary code - compiled or “byte” code - allowing enterprises to scan 100 percent of an application, even when source is not available for practical or proprietary considerations. Veracode is built on the software-as-a-service model, allowing organizations to access and scale security testing without the need for capital expense or investment. There is no vulnerability assessment software or hardware to purchase and no security personnel to train. Developers or software procurement personnel submit code through an online platform, and results are returned within 24 hours. Veracode's automated format greatly reduces the amount of effort and resources needed to perform static analysis, while greatly increasing the accuracy of test results.

31

Page 32: Static analysis tools

Web Application Security

The founders of Veracode believe web application security should be simple and cost-efficient. Veracode delivers an automated application security testing solution that makes dynamic analysis available as an on-demand service. Dynamic analysis is a "black-box" testing technique that analyzes web applications for flaws and vulnerabilities such as Cross-site Scripting (XSS) that could subject the enterprise to attack. Because Veracode is offered as a software-as-a-service model, enterprises can access dynamic analysis as needed and scale testing effortlessly to meet the demands of aggressive software development deadlines. There is no web application security software to buy, and no hardware to invest in. No web application testing experts need be added to the payroll - Veracode employs a team of world-class experts who continually refine testing methodologies. Companies can access dynamic analysis through an online portal and quickly get web testing results. Web application security testing results are prioritized in a Fix-First Analysis that identifies flaws that need remediation most urgently as well as ones that can be fixed most quickly - so developers can optimize their efforts, saving additional resources for the enterprise.

32

Page 33: Static analysis tools

Source Code Security Analyser

Veracode's service is the industry's leading source code security analyzer. Whether you are analyzing applications developed internally or by third parties, Veracode enables you to quickly and cost-effectively scan software for flaws and get actionable source code analysis results. Offering an independent and trusted analysis of the security of your applications, Veracode enables you to better protect your enterprise without sacrificing productivity or profitability. Using an on-demand, Software-as-a-Service source code analysis tool allows you to more easily control costs, paying only for the services you need. And because Veracode scans at the binary level, reviewing compiled or "byte" code rather than source code, you get the most accurate and comprehensive analysis available. All applications, regardless of their origin, can be scanned and reviewed by Veracode. Veracode can even assess third-party software at the binary level, without requiring access to source code. Veracode is simply the most effective solution for source code analysis in the industry today.

33