Secure Coding Practices, Part 10: Code Quality
Overall code quality matters for secure applications. Software bugs can give attackers an opportunity to exploit the application, or to learn things they should not know about system internals, or even user credentials.
Security professionals may not know the code they review well enough to recognize which defects are potential vulnerabilities, and developers sometimes overlook coding problems too. This is why automated static analysis of source code is so important. It does not replace manual review, but it is an excellent supplement for finding problems.
Keep in mind that these automated tools generally report many findings that are not real defects (false positives). Each warning needs to be examined and qualified before it is raised as an issue.
Below is a brief summary of some code review tools that are specifically geared for security. Try running different tools over the same code; each tends to catch defects the others miss.

Software          Java   C/C++   Perl   Python   Comments
Commercial
  Fortify SCA     yes    yes                      Lots of other languages
  Ounce           yes    yes                      Also .Net, C#, ASP
Free Software
  FindBugs        yes                             Excellent choice
  Lint4J          yes                             Good choice
  RATS                   yes     yes    yes
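Running several tools and then qualifying every warning by hand quickly produces a pile of overlapping and repeated findings. The script below is an added example, not part of the original post or of any of the tools listed: it merges reports from two analysers, drops warnings a reviewer has already qualified as false positives, and ranks the rest so that findings flagged by more than one tool are looked at first. The tool names, the finding format and the sample findings are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

def fingerprint(finding):
    """Stable id for a warning: file + rule + offending text.
    Deliberately excludes the line number so a triage decision
    survives unrelated edits that shift lines."""
    key = f"{finding['file']}|{finding['rule']}|{finding['snippet'].strip()}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def merge_findings(reports, triaged_false_positives):
    """reports: {tool_name: [finding, ...]}.  Returns the remaining
    findings grouped by location, most-corroborated first."""
    groups = defaultdict(lambda: {"tools": set(), "finding": None})
    for tool, findings in reports.items():
        for f in findings:
            if fingerprint(f) in triaged_false_positives:
                continue  # already reviewed and qualified as a non-issue
            loc = (f["file"], f["line"], f["category"])
            groups[loc]["tools"].add(tool)
            groups[loc]["finding"] = f
    ranked = sorted(groups.values(),
                    key=lambda g: (-len(g["tools"]), g["finding"]["file"], g["finding"]["line"]))
    return [{"tools": sorted(g["tools"]), **g["finding"]} for g in ranked]

# Constructed sample output from two hypothetical tools run on the same C file.
REPORTS = {
    "tool_a": [
        {"file": "net.c", "line": 42, "rule": "strcpy", "category": "buffer",
         "snippet": "strcpy(buf, argv[1]);"},
        {"file": "net.c", "line": 88, "rule": "rand", "category": "random",
         "snippet": "seed = rand();"},
    ],
    "tool_b": [
        {"file": "net.c", "line": 42, "rule": "unbounded-copy", "category": "buffer",
         "snippet": "strcpy(buf, argv[1]);"},
        {"file": "net.c", "line": 120, "rule": "getenv", "category": "input",
         "snippet": 'path = getenv("HOME");'},
    ],
}
# A reviewer previously confirmed the rand() call only seeds a retry-delay
# jitter, so its fingerprint goes into the triaged baseline.
BASELINE = {fingerprint(REPORTS["tool_a"][1])}

if __name__ == "__main__":
    for f in merge_findings(REPORTS, BASELINE):
        print(f"{f['file']}:{f['line']} [{f['category']}] flagged by {f['tools']}")
```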
Do you have other tools that work well for you to find security vulnerabilities in source code? Please share them in the comments section.
Labels: Secure Coding Practices