PHP Source Code Analyzer
By Romain Tuesday, January 22 2008 - 20:46 UTC - Tools - Permalink
Months ago, I was talking about, and doing some small tests with, the PHP source code security analyzers that I was able to find on the web.
I was able to quickly test the new Fortify SCA 5.0, which now handles PHP applications. I can tell you that I am really excited about this tool. First of all, it beats by far all the tools I've tested previously (for PHP), which is fair since it's a commercial tool.
But what I'm really excited about now is that I will be able to run more tests on my test suites, compare the results with my security metrics and basic security analyzer, look at the behavior of SCA tools when the source code is obfuscated, and so on. You're on the right track, Fortify; now open an API and I will be able to make a hybrid tool...
Since I also have plans to test real PHP applications with both testing approaches (static and dynamic), I'd like to see the difference in application coverage, vulnerability findings and false-positive rates (yeah, the last one is obvious, but still interesting).
I'm also glad to see that vendors are taking PHP seriously as a language, and not only as one for script kiddies.
Comments
I'm pretty sure that Brian Chess, Jacob West, and their research team would be willing to talk about an open API; you'll just need to convince their dev team.
Vendors should be taking PHP seriously (and not even counting Facebook and other major sites that use it) because a large majority of web applications are written in PHP.
http://www.sitepoint.com/reports/re...
I know there is another company that has developed a mature PHP SCA tool for code security; take a look at their website: www.armorize.com
I'm not sure what you're looking for as far as "open an API and I will be able to make an hybrid tool..."? Something you can't do with a 'custom rule'? If you give me one example of what you're trying to find... I'll be happy to whip up a rule for you.
g...
gjhinc,
The problem with static analysis tools is that when you find a problem, you are never sure it's a true positive; it may be a problem that will never happen on your platform (or on the platform where the code is supposed to run).
So, the idea of the hybrid analysis is to provide both static and dynamic analysis.
Why do I think that Fortify should open an API for "doing more complex analysis"? Well, first of all, you cannot create a static analysis right now with the tool, but also, the rules (even though they are the best on the market for rules, afaik) cannot be combined together in order to solve complex problems that rely on multiple states (let's say: this case happens if this CF-rule is validated, then test whether this DF-rule is validated).