Tools
- RATS – http://www.fortify.com/
- Graudit – http://www.justanotherhacker.com
- OWASP Code Crawler – http://www.owasp.org
- PyDBG – Paimei (http://code.google.com/p/paimei): reverse engineering framework, includes PyDbg (http://pedram.redhive.com/PyDbg/), PIDA, pGRAPH
- Immunity Debugger – http://www.immunityinc.com/products-immdbg.shtml: scriptable GUI and command line debugger
- IDAPython – http://d-dome.net/idapython/: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
- PyEMU – http://code.google.com/p/pyemu/: fully scriptable IA-32 emulator, useful for malware analysis
- pefile – http://code.google.com/p/pefile/: read and work with Portable Executable (aka PE) files
- libdasm – pydasm (http://dkbza.org/pydasm.html): Python interface to the libdasm (http://www.nologin.org/main.pl?action=codeView&codeId=49&) x86 disassembling library
- PyDbgEng – http://pydbgeng.sourceforge.net/: Python wrapper for the Microsoft Windows Debugging Engine
- uhooker – http://oss.coresecurity.com/projects/uhooker.htm: intercepts calls to API functions inside DLLs, as well as to arbitrary addresses within the executable file in memory
- diStorm64 – http://www.ragestorm.net/distorm/: disassembler library for AMD64, licensed under the BSD license
- python-ptrace – http://bitbucket.org/haypo/python-ptrace/wiki/Home: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
- OpenSAMM – Software Assurance Maturity Model – http://www.opensamm.org/
More
- Scrap Static Tools, just “Fix your code”? (Cigital) – http://www.cigital.com/justiceleague/2011/02/23/scrap-static-tools-just-fix-your-code/
- “Software [In]security: Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal)” by Gary McGraw and John Steven (InformIT; 2011.01.31) – http://www.informit.com/articles/article.aspx?p=1680863
- book: “Software Security: Building Security In” by Gary McGraw (Addison-Wesley Professional – Software Security Series; 2006.01.23) – http://www.informit.com/store/product.aspx?isbn=0321356705 – 448 pages
- “Static Analysis Deployment Pitfalls” by Flash Sheridan (ISSRE; 2010) – http://pobox.com/~flash/Static_Analysis_Deployment_Pitfalls.pdf [PDF]
- Human fallibility – static analysis tools (at Developmentality blog) – http://developmentality.wordpress.com/2010/02/09/human-fallibility-static-analysis-tools/
- Fabric project home – http://www.cs.cornell.edu/projects/fabric/index.html – a new programming language that incorporates security from the start.
- “‘Fabric’ To Weave Security Into Code” by Bill Steele (Dr.Dobb’s; 2010.10.20) – http://www.drdobbs.com/java/227900404
- “New Programming Language Weaves Security Into Code” (SlashDot; 2010.10.25) – http://developers.slashdot.org/article.pl?sid=10/10/25/2134247