Source Code Scanners for Better Code

They aren't a replacement for manual checks and edits, but tools like Flawfinder, RATS and ITS4 can point you in the right direction.
Resources

As always, newer versions of the software may be available.

Flawfinder

RATS

ITS4

Open Source Quality Project: a project at UC Berkeley to assist in software reliability; excellent links and resources.

Secure Programming for Linux and Unix HOWTO: David Wheeler also provided helpful discussion during the preparation of this article.

Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw

Security Engineering: A Guide to Building Dependable Distributed Systems by Ross J. Anderson

The Practice of Programming by Brian W. Kernighan and Rob Pike

Jose Nazario is a biochemistry graduate student nearing the completion of his PhD. Side projects include Linux and other UNIX variants, software and security-related matters, and hobbies outside his office, like fly-fishing and photography.


Comments


Need more intelligent tools


The problem with scanner type tools is they provide very little intelligent filtering and flood the user with many false positives; invariably users look at the first 10 results and give up.

Re: Source Code Scanners for Better Code


You have a good overview of the 3 source code scanners. Are these the commonly used ones? Are there any others?
I had a quick question on source code scanners: can these scanners be used to scan code written for different platforms? (i.e., if I am running a source code scanner on Linux, can I scan some piece of code written to run on Windows or Unix?)

-
Thanks,
Prasad

Re: Source Code Scanners for Better Code


Sorry about the bad grammar in some places; I need to be a bit more careful with that. :) Anyhow, hope you enjoy the piece.
