RATS - Rough Auditing Tool for Security. Welcome to RATS - Rough Auditing Tool for Security RATS - Rough Auditing Tool for Security - is an open source tool developed and maintained by Secure Software security engineers. Secure Software was acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies.
It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. As its name implies, the tool performs only a rough analysis of source code. Yasca - Scovetta.com. Yasca is a source code analysis tool that I started writing in 2007.
It could best be described as a "glorified grep script" plus an aggregator of other open-source tools. Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages. Yasca can integrate easily with other tools, including: FindBugs PMD JLint JavaScript Lint PHPLint CppCheck ClamAV RATS Pixy Yasca is designed to be very flexible and easy to extend.
Graudit - Just Another Hacker. FindBugs™ - Find Bugs in Java Programs. PMD. Jlint. Cppcheck. JSLint, The JavaScript Code Quality Tool. JavaScript Lint. Is there a static code analyzer [like Lint] for PHP files. PHP-sat: PHP static analysis tool. Track your dependencies with PHP_Depend - Manuel Pichler. To provide a flexible and extendable software, it is a good OO practice to reduce the dependencies between implementing classes.
This could be achieved by developing against abstractions which means both, abstract classes and interfaces. By using abstractions instead of real implementation in the application you provide some sort of contract, that could be used by others to hook into the application with their own classes that fulfill the contract. Except the extensibility of an application a good abstraction reduces the risk of breaks in multiple subsystems when something was changed in a single package. But how to get rid of all these dependencies, doing this by hand will become an impossible job, at least for larger projects. At this point a tool should be used to assist the development process. PHP_Depend is an adaption of the established Java development tool JDepend. PHP_Depend calculates the following metrics by counting classes, interfaces and dependencies. _CodeSniffer. _Parser. Token_get_all. Xdebug - Debugger and Profiler Tool for PHP.
Xhprof. Troelskn's php-tracer-weaver at master - GitHub. Documentation. Documentation. Xdebug allows you to log all function calls, including parameters and return values to a file in different formats.
Those so-called "function traces" can be a help for when you are new to an application or when you are trying to figure out what exactly is going on when your application is running. The function traces can optionally also show the values of variables passed to the functions and methods, and also return values. In the default traces those two elements are not available. There are three output formats. One is meant as a human readable trace, another one is more suited for computer programs as it is easier to parse, and the last one uses HTML for formatting the trace. Below are the results with different settings of the xdebug.collect_params setting.
Besides the xdebug.collect_params settings there is another number of settings that affect the output of trace files. On the "collect_return=1" tab the return values of all the function calls are also visible. Xdebug.auto_trace. Pixy: XSS and SQLI Scanner for PHP. PhpCallGraph - A Static Call Graph Generator for PHP. PHP Code Analysis Plugin for Eclipse. Phpsecaudit - Spike Developer Zone. PHPLint. Current version: 2.0_20140331 PHPLint is a validator and documentator for PHP 4 and PHP 5 programs.
PHPLint extends the PHP language through transparent meta-code that can drive the parser to a even more strict check of the source. PHPLint is not simply a checker: it implements a new, strong typed, language implemented over the PHP language. You can build your programs from scratch with PHPLint in mind, or you can check and fix existing programs, or you can follow the quick-and-dirty PHP programming way and then add the PHPLint meta-code later once the program is finished.
Whatever is the strategy you choose, PHPLint makes your programs safer, more secure, well documented and with drastically less bugs. A new 2.0 version of PHPLint, completely rewritten from scratch, is nearly complete. Documentation: FeaturesTutorialReference ManualSupport for phpDocumentorDocumentator Reference ManualFAQ (Frequently Asked Questions)License.
Ratproxy - semi automated audit tool for web 2.0. w3af - Web Application Attack and Audit Framework. SecCom Labs » Exploit-Me. Exploit-Me is a suite of tools and applications designed to help with application security testing. The Exploit-Me Firefox plugin series was originally introduced at the SecTor conference in Toronto. The slides for the presentation are available for download. Along with this SecTor is making the audio of the talk available. Exploit-Me Mobile (Mobile Application) Exploit-Me Mobile (EMM) is an open source project demonstrating common mobile application vulnerabilities in the iOS and Android platforms. Download the whitepaper now! SkipfishDoc - skipfish - Project documentation - Project Hosting on Google Code. Written and maintained by: <Michal Zalewski>, <Niels Heinen> and <Sebastian Roschke> Copyright 2009 - 2012 Google Inc, rights reserved.
Released under terms and conditions of the Apache License, version 2.0. Web Application Security Testing. List of tools for static code analysis. Dynamic program analysis. Examples of Tools[edit] Most performance analysis tools use dynamic program analysis techniques.
[citation needed] Historical examples[edit] Open source software testing tools. Code coverage. Code coverage was among the first methods invented for systematic software testing.
The first published reference was by Miller and Maloney in Communications of the ACM in 1963.[1] Coverage criteria[edit] To measure what percentage of code has been exercised by a test suite, one or more coverage criteria are used. Coverage criteria is usually defined as a rule or requirement, which test suite needs to satisfy.[2] EMMA: a free Java code coverage tool.