|
My idiot brother-in-law forwarded one that he got...and asked me if he should be concerned!  The fact that he even asked speaks to either his guilt or stupidity, probably both. 
"Go forth into the source" - Neal Morse
|
|
|
|
|
OriginalGriff wrote: Hindi
You figured it out? Impressive.
"It is easy to decipher extraterrestrial signals after deciphering Javascript and VB6 themselves.", ISanti[ ^]
|
|
|
|
|
I'm not young, and I've had quite a few Hindi friends over the years - I can't speak it, or even really understand it, but I've heard enough to recognise the "flow" if you know what I mean.
Sent from my Amstrad PC 1640
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
Any recommendations on code scanners that check for security vulnerabilities? In particular the Top 10 OWASP vulnerabilities?
I have never used one before so I'm not even sure what I'm looking for. Something that can scan code, preferably in Visual Studio, and can find security vulnerabilities.
Any experience you can share would be helpful.
Thanks.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
1. post a question on Q&A
2. post your code as a reply
many people will scan, critique and perhaps even improve it.
100% free.
This internet thing is amazing! Letting people use it: worst idea ever!
|
|
|
|
|
If you post it as a solution at SO, you will get a whole load more critique!
(Though most of it will be from people who know a lot less than the OP does, I suspect)
Sent from my Amstrad PC 1640
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
I see what you did there. 
I am not the one who knocks. I never knock.
In fact, I hate knocking.
|
|
|
|
|
So there really aren't static code analysis tools that I know of that will really do what you're asking, as most OWASP vulnerabilities are based on a running configuration.
The freeware that I'd recommend for someone that isn't familiar wil security scanning is the OWASP utility ZAP:
OWASP Zed Attack Proxy Project - OWASP
There are, of course, other utilities, but if you have access to security professionals that are accustomed to running vulnerability scans, I would highly suggest making use of their expertise. If not, ZAP is definitely better than nothing, but needs to be run against an operating site. You can use it against a site running on IISExpress on your local machine.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
|
|
|
|
|
I see. So, maybe OWASP is not the right term for what I need. I'll look into static code analysis.
Thanks.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
No, that's correct. OWASP is the organization that is dedicated to web security, and their top 10 are based on the most common vulnerabilities seen in the wild.
The problem is that, generally, vulnerabilities can be difficult to identify from static (not currently executing) code. Some are obvious, like SQL injection, but most are not so easy to identify unless an application is actively executing, like MitM attacks or exploits that are based on malformed packets. You won't see these until they are used against your application, which is exactly what ZAP does.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
|
|
|
|
|
Got it. That makes sense.
Thanks. Very helpful.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
|
It looks like Black Duck helps you manage which Open Source projects you are using in your code. I didn't see anything that said it can scan your own code looking for issues. Perhaps I missed it?
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
we use AppScan and Klocwork, for our static scans.
|
|
|
|
|
|
If you're using .NET, for static analysis you can take a look at PumaScan[^] or Security Code Scan[^]. Both are open source. Security Code Scan has better support for .NET Core.
OWASP maintains a list of code analysis tools here[^].
|
|
|
|
|
Thanks. 
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
Is a hurricane report just a rough draft?
Sent from my Amstrad PC 1640
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
well blow me down, that one was almost sensible.
This internet thing is amazing! Letting people use it: worst idea ever!
|
|
|
|
|
Eye don't know weather you are under a lot of stress but it appears that a low pressure environment would be swell for you.
Socialism is the Axe Body Spray of political ideologies: It never does what it claims to do, but people too young to know better keep buying it anyway. (Glenn Reynolds)
|
|
|
|
|
I eye'd that comment and saw it could be improved just a bit cycloned it, below,
Cloned for this FIFY:OriginalGriff wrote: Is a hurricane report just a rough draft?
| Ravings en masse^ |
|---|
| "The difference between genius and stupidity is that genius has its limits." - Albert Einstein | | "If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010 |
|
|
|
|
|
Nice to see you re-gale us with this thought, you may see a surge in up votes leading to a flood of rep points.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
|
|
|
|
|
I don't want to cloud the argument, but I fear it'll be a cold day in hale before I agree to that.
/ravi
|
|
|
|
|
I can't see what precipitated that response, are you cirrus?
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
|
|
|
|
|
No, of course not. Darn, you stole my thunder.
/ravi
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
