We are currently looking for a tool to help us find weaknesses in our code. There are not a lot of options on the market right now. The tools we are looking at are http://www.fortify.com and http://www.armorize.com/, but which one does the best work on code? The biggest advantage of Fortify is that it supports many different languages, but damn, it is a really expensive tool.
Microsoft is planning to release their Security Tools, but I think they are currently at an early stage.
- CAT.NET – the managed code security source code scanning tool
- WACA – Web Application Configuration Analyzer
- WPL – Web Protection Library (formerly Anti-XSS)
- TAM – Threat Modeling and Analysis tool
The only tool I have tried so far is CAT.NET, but something goes terribly wrong when I run a test on code (see the error below). Still, I think this is a great initiative from Microsoft. What is wrong with my PDB? I think I have the wrong paths set or something…
Error from my CAT.NET run:
C:\Program Files (x86)\Microsoft Information Security\Microsoft Code Analysis for .NET (CAT.NET) v2.0>CATNetCmd.exe /fil
Microsoft (r) Code Analysis Tool for .NET (CAT.NET) Tool 126.96.36.199
Copyright (c) Microsoft Corporation 2009. All rights reserved.
Running in 32-bit mode
2009-11-25 13:17 : Information : Loading analysis rules…done.
2009-11-25 13:17 : Information : Total 40 rules loaded by the engine.
2009-11-25 13:17 : Information : Processing analysis rules…
2009-11-25 13:17 : Information : Initializing configuration analysis engine…done.
2009-11-25 13:17 : Information : Initializing interprocedural data flow analysis engine…The available PDB has been stripped so it does not contain the required
information for native or IJW images.
Please find the full PDB for this binary and re-run your scenario.
Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at Phx.Pdb.ReaderImplementation.GetDataStream(String sectionNameString)
at Microsoft.InformationSecurity.CodeAnalysis.Engines.AnalysisEngine.TaintedAnalysisEngine.Initialize(String assemblypath, String phoenixargs, Int32 maxnumofpasses, Rules rules)
at Microsoft.InformationSecurity.CodeAnalysis.UI.CommandLine.Program.Main(String args)
- Seems like it is a Windows 7 problem.