PPT-Software Security with Static Code Analysis Using CAT.NET
Author : myesha-ticknor | Published Date : 2016-05-26
Andreas Fuchsberger, Information Security Technologist, Microsoft. Agenda: Code Analysis Code Inspection Motivation Static Code Analysis History Current technologies
Software Security with Static Code Analysis Using CAT.NET: Transcript
Andreas Fuchsberger, Information Security Technologist, Microsoft. Agenda: Code Analysis Code Inspection Motivation Static Code Analysis History Current technologies CAT.NET How CAT.NET works Installation.

http://www.imagix.com Imagix products are used for reverse-engineering, quality analysis and documentation of software in applications ranging from deep space communication and air traffic control systems, to billing and management information systems, to safety critical automotive systems, communication devices and medical instrumentation.

Oleg Girko, Alexey Lastovetsky. School of Computer Science & Informatics. University College Dublin. Dublin, Ireland. GridRPC and collective mapping. GridRPC limitations. Individual mapping. Client-server communication only.

Presented by Justin Samuel. For UW CSE 504, Spring '10. Instructor: Ben Livshits. Finding Security Vulnerabilities in Java Applications with Static Analysis. V. Benjamin Livshits and Monica S. Lam. 1. The Software Security Problem.

Chih Hung Wang. Reference: 1. B. Chess and J. West, Secure Programming with Static Analysis, Addison-Wesley, 2007. 2. R. C. Seacord, Secure Coding in C and C++, Addison-Wesley, 2006.

Elena Rudovol. February 13, 2014. What is static testing? Static testing does not execute code. It manually checks work documents to find errors in early stage. Review work documents:

Security. Robert A. Martin. 20 March 2013. © 2012 The MITRE Corporation. All rights reserved. Today Everything’s Connected. When this Other System gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness…

Gabriele Garzoglio (garzoglio@fnal.gov). Computing Division, Fermilab, Batavia, IL. SCOPE. GOALS. LESSONS LEARNED. This work defines a process to assess the security issues of a software artifact. The goals of the process are to identify the technical risks associated with the application and the impact of these technical risks. The focus is on studying the security issues within the code itself, rather than with the operations of the software.

2018-11-14. What is Static Analysis? Basic Static Analysis: coding standard checking, metrics, compiler warnings and style checks. Advanced Static Analysis: symbolic execution/interpretation of source code, whole program analysis to perform software analysis.

Security. Example rules, test scenarios, file format, and documentation are normally unmarked and openly accessible. Verification that the development and deliverables meet security requirements is currently undefined.

Chapter 2: Malware Analysis in Virtual Machines. Chapter 3: Basic Dynamic Analysis. Chapter 1: Basic Static Techniques. Static analysis. Examine payload without executing it to determine function and maliciousness.

John Mitchell. CS 155. Spring 2018. Outline. Introduction: static vs dynamic analysis. Static analysis. Program execution using state descriptions. Security examples: static analysis to find vulnerabilities.

Guillaume P. Brat, Arnaud J. Venet. guillaume.p.brat@nasa.gov, arnaud.j.venet@nasa.gov. Carnegie Mellon University. NASA Ames Research Center. Roadmap. Static analysis for flight-critical systems.

Overview. Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Chih Hung Wang. Reference: 1. B. Chess and J. West, Secure Programming with Static Analysis, Addison-Wesley, 2007. 2. R. C. Seacord, Secure Coding in C and C++, Addison-Wesley, 2006. 1. Capabilities and Limitations of Static Analysis.