Free Static Source analysis

From Noisebridge
Revision as of 12:06, 27 June 2010 by Aeonsf (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Knowledge of the masses static software analysis.


While the idea isn't new, http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/ , but taking it to the next level.

Phase 0:

Find best secure programmatic practices for major languages and discover public code repository search engines.

Phase 1:

Use queries to file bugs against found culprits.
Create queries for google code search
Store the results of the query in the following form
Project url
Url to offending file
Language
Offending lines of code
Date proposed vulnerability was discovered
Database entities required for review
Manual review required
Which OWASP Top 10 offender
Which OWASP secure programming practice not followed
Reviewer
Project URL
Project contact information
Create queries for github
Create queries for koders

Phase 2:

Write up simple automation code to product daily/weekly/annum metrics.
Create site to input vulnerabilities 
Create input forms and db backend
Create pages which show vulnerability
Create cute little pie charts summarizing overall data trends from manual entry vs. search engine automation

Phase 2.5:

Steal underwear

Phase 3:

?

Phase 4: Profit

Personal tools