Scanning tool looks to wipe out vulnerable code

A new of piece software promises to provide an instant audit of source code, notifying developers of insecure coding practices and vulnerabilities.

CodeScan, developed by CodeScan Labs and released by Security-Assessment.com, analyses source code looking for vulnerabilities such as Cross-site scripting, SQL injection and input filtering.

To process the source files, CodeScan attempts to emulate a Web server by interpreting the source code. The processing starts at the main or global function of the source file, and traces the execution flow into and between functions and other routines. Variable assignments are then tracked, allowing CodeScan to build a picture of what has happened to a variable in its lifetime.

"By tracking the assignment of possible user input, CodeScan can make intelligent decisions about whether the input is used in a dangerous way," said Drazen Drazic, general manager Security-Assessment.com Australia.

He said most of the CodeScan rules are based around the detection of functions that are used with user-supplied input that has not being "filtered or sanitized".

CodeScan traces the possible values of variables as part of its vulnerability detection engine. During the life of a variable, values may be passed through functions that can perform 'filtering' of user-supplied input. CodeScan attempts to rank these functions and gives them a 'filter score'.

According to Drazic, CodeScan comes with information on the most commonly used syntax terms for each language with a predetermined filter score. Filter scores range between 0 and 100.

"Reported results with a low value or a value of zero are more likely to be vulnerable than those results with a higher value. This filtering allows the user to make a good judgement about whether a reported vulnerability could be exploited by a malicious user, and is used to reduce the number of false positives reported," he said.

The current version is for ASP with PHP to follow. Drazic said Java and .Net versions were also in development.

Security-Assessment.com, the sister company of CodeScan Labs, is the distributor and also the reseller of CodeScan in Australia. Drazic said it is currently looking at developing a reseller channel and is in discussions with a few organizations.

Licences are subscription-based and priced on the number of seats. There is also a package for consultants.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Howard Dahdah

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?