Fortify SCA

Fortify® Source Code Analysis (SCA) is the most widely used and effective solution to find and fix software vulnerabilities at the root cause early in the development cycle. Its advanced features help developers identify and resolve issues with less effort, while enabling security leads to review and prioritize more code in less time.

It supports a wide variety of languages, frameworks and operating systems and delivers depth and accuracy in its results. It can be tuned to be comprehensive when completeness is needed or extremely targeted for day-to-day use. Fortify SCA makes triage, audits and remediation fast and effective for any organization.

Fortify SCA's comprehensive source code analysis engine detects a wide variety of vulnerabilities using specialized analyzers:

•  Data Flow Analyzer tracks tainted input across application architecture tiers and programming language boundaries,
•  Semantic Analyzer detects use of vulnerable functions or procedures and understands the context of their use,
•  Control Flow Analyzer accurately tracks sequencing of operations to detect improper coding constructs,
•  Configuration Analyzer finds vulnerabilities in interactions between configurations, and
•  Code Structural Analysis identifies vulnerabilities or problems arising from code structures.

It uses various analysis techniques such as Buffer Overflow Analysis, Deviation Analysis, Infeasible Path Analysis, etc.

Fortify SCA supports a wide variety of development environments, languages, platforms and frameworks to enable security reviews in mixed software development and production environments:

LANGUAGES	ASP.NET, C/C++, C#, COBOL, Classic ASP/VB6, ColdFusion, Java, JavaScript, JSP, .NET, PL/SQL, PHP, T-SQL, XML
PLATFORMS	Windows, Solaris, Linux, Mac OS X, HP-UX, AIX
FRAMEWORKS	J2EE/EJB, Struts, Hibernate
IDEs	Microsoft Visual Studio, Eclipse, WebSphere Application Developer, IBM Rational Application Developer and RSA

For more information, visit http://www.fortify.com/products/detect/in_development.jsp

PREfast

PREfast is a static analysis tool that identifies defects in C/C++ programs. It uses your existing build structure and works by intercepting your native compiler. Intra-procedural analysis identifies defects in the C/C++ source files.

Users commonly run PREfast over a section of code, view results, make fixes, and then run PREfast again. It is recommended that you divide your build into small (10 MB or less) sections, and run PREfast on each section.

PREfast displays a log of the code defects encountered. Each line entry in the log shows a description of the type of defect, a PREfast warning number, the source location, and function where the defect occurred.

The following defect message indicates that PREfast warning 501 occurred in function main, where PREfast found an HRESULT cast to a BOOL at line 21 of the source program test1.cpp.

Casting HRESULT to BOOL   501   c:\prefast\test\test1.cpp(21)   main

To execute PREfast, use whatever build command you normally use at the command line, prefaced by the word prefast. Follow the build command with command-specific arguments, as shown in the following command:

prefast

PREfast recognizes three standard build commands:

•  cl cl-arguments

Compiles and runs PREfast on an individual file and prints the PREfast results textually.

E.g. prefast cl /c test.c

•  nmake nmake-arguments

Performs an Nmake and runs PREfast on all compiled files and prints the PREfast results textually. Any nmake-arguments are passed as arguments to Nmake.

E.g. prefast nmake /f pfw_build.mak 

•  build build-arguments

Performs an Nmake and runs PREfast on all compiled files and prints the PREfast results textually. Any build-arguments are passed as arguments to build.

E.g. prefast build /cefZ 

You can use one of four PREfast-specific commands to customize PREfast:

HELP	Opens the PREfast user guide.
LIST	Writes the defect log to the console.
RESET	Removes all existing defects from the defect log.
VIEW	Displays the user interface for the PREfast defect log.

Purify

Purify is a memory debugger program used by software developers to detect memory access errors in programs, especially those written in C or C++.

Purify allows dynamic verification, a process by which a program discovers errors that occur when the program runs, much like a debugger. Static verification or static code analysis, by contrast, involves detecting errors in the source code without ever compiling or running it, just by discovering logical inconsistencies.

When a program is linked with Purify, corrected verification code is automatically inserted into the executable by parsing and adding to the object code, including libraries. That way, if a memory error occurs, the program will print out the exact location of the error, the memory address involved, and other relevant information. Purify also detects memory leaks. By default, a leak report is generated at program exit but can also be generated by calling the Purify leak-detection API from within an instrumented application.

The errors that Purify discovers include array bounds reads and writes, trying to access unallocated memory, freeing unallocated memory (usually due to freeing the same memory for the second time), as well as memory leaks (allocated memory with no pointer reference). It is essential to note that most of these errors are not fatal (at least not at the site of the error), and often when just running the program there is no way to detect them, except by observing that something is wrong due to incorrect program behavior. Hence Purify helps enormously by detecting these errors and telling the programmer exactly where they occur. Because Purify works by instrumenting all the object code, it detects errors that occur inside of third-party or operating system libraries. These errors are often caused by the programmer passing incorrect arguments to the library calls, or by misunderstandings about the protocols for freeing data structures used by the libraries. These are often the most difficult errors to find and fix.

With Purify's just-in-time (JIT) debugging, you can use your debugger to investigate errors even when you run your application from outside the debugger. You can have Purify automatically attach a debugger to your application when selected types of Purify messages are reported, or have Purify ask you if you want to start a debugger at the time of the error. You can also use JIT debugging to start your debugger when it encounters a watch-point message. Purify stops just before the watch-point.

Ref: http://www-01.ibm.com/software/awdtools/purify/support/doc.html

BoundsChecker

DevPartner for Visual C++ detects and analyzes runtime errors, pinpoints performance bottlenecks and verifies test coverage in order to increase code quality and reduce development and testing time through increased productivity. The tool suite integrates seamlessly with Visual Studio for maximum usability within the development environment. BoundsChecker is a memory checking tool used for C++ software development with Microsoft Visual C++. It is part of the DevPartner for Visual C++ BoundsChecker Suite.


BoundsChecker’s error detection technology provides developers with a clear, detailed analysis of programming errors in unmanaged Visual C++ code. It automatically monitors the runtime behavior of the code—how it accesses memory, how it calls APIs and how it uses COM interfaces and methods. Without any special compilation or build steps, developers and testers can automatically locate errors in static, stack and heap memory, and can detect and diagnose memory and resource leaks. This technology enables Visual C++ native application developers to:
*   Locate a large variety of memory and resource problems including leaks, overrun errors and pointer problems;
*   Rapidly sort errors and leaks by size, frequency and type to identify and prioritize critical problems;
*   Check for errors in any native application or component, including proprietary and third-party components and libraries—even when the original source code is unavailable;
*   Detect thread deadlocks, potential deadlocks and other synchronization problems;
*   Locate incorrect usage or failed API calls in any native application component, DLL or EXE, including Win32, ActiveX, DirectX, ODBC, Winsock, Internet APIs and more.


Ref: http://www.compuware.com/products/devpartner/visualc.htm