Since everyone seemed to be so excited about our new web application scanner technology that guarantees no false positives, I’m sure everyone will be equally excited about the new Static Analysis Edition. This is just as simple to use as the dynamic scanning tool we released yesterday – just point the scanner to the directory that the application code lives in and it will scan the application for vulnerabilities, but the results will include NO FALSE POSITIVES. Couldn’t be easier…
Here’s the code. All yours, under an Apache 2.0 license. Just like the web scanner edition.
package com.denimgroup.nofalsepositives;

import java.io.File;
import java.util.ArrayList;

public class StaticAnalyzer
{
    public static void main(String[] args)
    {
        // Findings list: nothing ever adds to it, which is how the guarantee holds
        ArrayList<String> vulnerabilities = new ArrayList<String>();
        String sDirToScan;
        File dirToScan = null;
        long scanStart;
        long scanEnd;

        // Must at least enter a directory to scan
        if (args.length < 1) {
            usage();
            System.exit(1);
        }

        // Make sure the file path is valid
        sDirToScan = args[0];
        dirToScan = new File(sDirToScan);
        if (!dirToScan.isDirectory()) {
            System.out.println("Provided path was not a directory. Unable to scan.");
            System.exit(2);
        }

        // Kick off the scan (no analysis actually happens between start and end)
        scanStart = System.currentTimeMillis();
        System.out.println(String.format("Starting scan of %s at %d", dirToScan.toString(), scanStart));

        // Finalize scan and report findings
        scanEnd = System.currentTimeMillis();
        System.out.println(String.format("Finished scan of %s at %d", dirToScan.toString(), scanEnd));
        System.out.println(String.format("Found %d vulnerabilities with NO false positives", vulnerabilities.size()));
    }

    public static void usage()
    {
        System.out.println("usage: java com.denimgroup.nofalsepositives.StaticAnalyzer <BASE_DIR>");
    }
}
Another facetious post! Based on some Twitter chatter yesterday I’ll bet folks can’t wait for our NO False Positives Web Application Firewall. That one will probably be a shell script that uses netcat. And we can run it in the Cloud if we need to. Buzzword buzzword buzzword!
The use of static analysis tools is an incredibly powerful way to identify potential vulnerabilities in code, but no tool is perfect. Automated scans are a portion of an application assessment – not the entirety of one, if you really want a realistic evaluation of your security posture. Tuning the default ruleset and crafting framework- and application-specific rules allows you to extract far more value from your static analysis tools. And manual review is still required to find business logic issues such as problems with authentication, authorization, etc.
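To make the point about tuning concrete, here is a small added example (mine, in Python, not code from the post or from Denim Group) of what a real pattern-based analyzer does and why its default ruleset needs tuning. It walks a directory of Java files with one deliberately broad rule for SQL built into JDBC Statement calls, reports a false positive on a constant query, and shows a tuning heuristic that suppresses that case while keeping the genuine string-concatenation finding. The three Java snippets, the rule id SQLI_STATEMENT and the heuristic are all constructed for the demo; the business-logic flaw in AdminController is there to show what no regex rule will ever flag.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample Java sources for the demo (not from the original post).
SAMPLE_FILES = {
    "UserDao.java": '''
public class UserDao {
    public User find(Connection c, String name) throws SQLException {
        Statement st = c.createStatement();
        ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
        return map(rs);
    }
}
''',
    "Report.java": '''
public class Report {
    static final String QUERY = "SELECT id, title FROM reports";
    public List<Row> all(Connection c) throws SQLException {
        Statement st = c.createStatement();
        return map(st.executeQuery(QUERY));
    }
}
''',
    "AdminController.java": '''
public class AdminController {
    // Business-logic flaw: no authorization check before deleting a user.
    public void delete(HttpServletRequest req, long userId) {
        userService.delete(userId);
    }
}
''',
}

# Default ruleset (constructed): one regex per rule id. Like many shipped rules it is
# deliberately broad and flags every Statement.execute*() call regardless of argument.
DEFAULT_RULES = {
    "SQLI_STATEMENT": re.compile(r"\.(executeQuery|executeUpdate|execute)\s*\(([^;)]*)\)"),
}


def is_constant_expression(arg: str) -> bool:
    """Tuning heuristic (an assumption for this demo): a single string literal or a
    single identifier such as a static final constant is treated as non-tainted."""
    arg = arg.strip()
    return bool(re.fullmatch(r'"[^"]*"', arg)) or bool(re.fullmatch(r"[A-Za-z_]\w*", arg))


def scan_source(name, text, rules, tuned):
    """Return (file, line, rule_id) tuples for every rule hit in one source file.
    With tuned=True the constant-argument heuristic suppresses the obvious false positive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern in rules.items():
            m = pattern.search(line)
            if not m:
                continue
            if tuned and is_constant_expression(m.group(2)):
                continue
            findings.append((name, lineno, rule_id))
    return findings


def scan_directory(root, rules=DEFAULT_RULES, tuned=False):
    """Recursively scan every .java file under root, in a stable order."""
    findings = []
    for path in sorted(Path(root).rglob("*.java")):
        findings.extend(scan_source(path.name, path.read_text(), rules, tuned))
    return findings


def write_samples(root):
    for name, text in SAMPLE_FILES.items():
        (Path(root) / name).write_text(text)


def demo():
    """Run the default and the tuned ruleset over the constructed samples.
    Returns (untuned_findings, tuned_findings)."""
    with tempfile.TemporaryDirectory() as d:
        write_samples(d)
        return scan_directory(d), scan_directory(d, tuned=True)


if __name__ == "__main__":
    untuned, tuned = demo()
    print("default ruleset:", untuned)   # flags Report.java too: a false positive
    print("tuned ruleset:  ", tuned)     # only the concatenated query in UserDao.java
    print("AdminController.java: missing authorization check, found by neither run")
```

The untuned run reports two findings, one of which (the constant QUERY in Report.java) is noise; the tuned run drops it and keeps the real concatenation in UserDao.java. Neither run says anything about AdminController.java, which is exactly the authorization-style issue the paragraph above reserves for manual review. Real tools use data-flow analysis rather than single-line regexes, but the tuning trade-off is the same: every suppression you add removes noise and, if written too loosely, can also hide a true positive.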
Contact us if you would like help performing thorough application assessments or crafting a sensible application security program for your organization.
–Dan
dan _at_ denimgroup.com