Code Scanning (Secure Coding Course forum)
This topic contains 10 replies, has 9 voices, and was last updated by  s3crafcp 2 years, 4 months ago.

  • #46065

    hollinshead
    Participant

    What are some recommended code scanners for conducting code reviews to help catch some of these errors?

    #46075

    Sunny Wear
    Participant

    Thank you for your question. Static code analyzers (scanners) can be either purchased or freely available for every language. Start with the target language you wish to scan. Then, start to google for “code scanners” in that language. If, for example, you wish to find a code scanner for Java, there are a plethora of code scanners available as Eclipse plugins; take a look at the Eclipse marketplace as a starting point: https://marketplace.eclipse.org/taxonomy/term/14,31/favorites. Those scanners tend to be free for individual use. Commercial use would be scanners like HP Fortify, Veracode, Checkmarx. These products have different models and pricing for various types of scans (e.g., on-premise, cloud-based, etc.).

    Is there a particular language you are looking to scan?
    I hope this information is helpful to you.
    Sunny

    #46077

    hollinshead
    Participant

    Thank you for the response. The app is a hybrid of JavaScript with calls to AngularJS, and it uses Ionic as well. I will try Eclipse for a Java scanner. Right now I will have to use a free scanner.

    #46267

    Ciph3r00t
    Participant

    @sunnywear Glad to check your course on Cybrary. Thanks for the nice explanation.

    Can you please suggest the tools and methodologies to carry out the secure code review process for different languages?
    What are the ways to perform a secure code review?

    Thanks.

    #46273

    Sunny Wear
    Participant

    Thank you for your question. OWASP is a great website to start your search for secure code review guides and checklists. For example, https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf

    These are just starting points, however, to help focus your energies in a particular direction. You will still need to customize the checklists to tailor-fit your code base. For example, if you wish to perform a secure code review on Java, then you can google for the Java Secure Code Cheat Sheet to help you get started. But, if you are also using the Struts framework, then you would need to tailor that checklist to include areas where vulnerabilities or bugs are commonly found when programmers code in Struts.

    Tools to assist in this endeavor include static code analyzers which I’ve provided details about in an earlier forum response, so please consult that.

    Methodologies to assist you should include the OWASP Application Security Verification Standard (ASVS) Project: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
    These tasks would need to be blended into your existing SDLC in order to mitigate risk and lower costs associated with coding vulnerabilities.

    I hope this is helpful to you.
    Sunny

    #46664

    cybermo
    Participant

    Thanks for sharing.

    #47043

    RunningMan
    Participant

    Nice info.

    #68687

    Haroon Mansoori
    Participant

    Does anyone know of info/links for cheat sheets and tools for .NET/C# (Microsoft platform)?

    #74348

    ProgrammerE
    Participant

    Some problems can be solved with scanners, but human intuition is needed as well.

    #90722

    swadams
    Participant

    I’m trying to become a web application security analyst and have talked to someone already in the industry who told me it’s important to know how to use a static scanner. Does Cybrary have a course on code scanning? I haven’t been able to find it.

    #92161

    s3crafcp
    Participant

    Thanks for sharing!
