Below is a list of Source Code Auditing tools [reposted from the web]
Name - [ language/s supported ] - web link:
.TEST - [ C#, VB.NET, MC++ ] -http://www.parasoft.com/jsp/products.jsp
ASTRéE - [ C ] -http://www.astree.ens.fr
Bandera - [ Java ] -http://bandera.projects.cis.ksu.edu/
BLAST - [ C ] -http://mtc.epfl.ch/software-tools/blast/
BOON - [ C ] -http://www.cs.berkeley.edu/~daw/boon/
C Code Analyzer (CCA) - [ C ] -http://www.drugphish.ch/~jonny/cca.html
C++test - [ C++ ] -http://www.parasoft.com/jsp/products.jsp
CCMetrics - [ C#, VB.NET ] -http://www.serviceframework.com/jwss/utility,ccmetrics,utility.aspx
Checkstyle - [ Java ] -http://checkstyle.sourceforge.net/
CodeCenter - [ C ] -http://www.ics.com/products/centerline/codecenter/features.html
CodeScan - [ .ASP, PHP ] -http://www.codescan.com/
CodeSecure - [ PHP, Java ] -http://www.armorize.com/corpweb/en/products/codesecure
CodeSonar - [ C, C++ ] -http://www.grammatech.com/products/codesonar/overview.html
CQual - [ C ] -http://www.cs.umd.edu/~jfoster/cqual
Csur - [ C ] -http://www.lsv.ens-cachan.fr/csur/
Dehydra - [ C++ ] -http://wiki.mozilla.org/Dehydra_GCC
DevInspect - [ C#, Visual Basic, JavaScript, VB Script] -http://www.spidynamics.com/products/devinspect/
DevPartner SecurityChecker - [ C#, Visual Basic ] -http://www.compuware.com/products/devpartner/securitychecker.htm
DoubleCheck - [ C, C++ ] -http://www.ghs.com/products/doublecheck.html
FindBugs - [ Java ] -http://findbugs.sourceforge.net/
FlawFinder - [ C, C++ ] -http://www.dwheeler.com/flawfinder/
Fluid - [ Java ] -http://www.fluid.cs.cmu.edu/
Frama-C - [ C ] -http://frama-c.cea.fr/
ftnchek - [ FORTRAN ] -http://www.dsm.fordham.edu/~ftnchek/
FxCop - [ .NET ] -http://code.msdn.microsoft.com/codeanalysis
g95-xml - [ FORTRAN ] -http://g95-xml.sourceforge.net/
ITS4 - [ C, C++ ] -http://www.cigital.com/its4/
Jlint - [ Java ] -http://artho.com/jlint/
JsLint - [ JavaScript ] -http://www.jslint.com/
Jtest - [ Java ] -http://www.parasoft.com/jsp/products.jsp
KlocWork / K7 - [ C, C++, Java ] -http://www.klocwork.com/products/k7_security.asp
LAPSE - [ Java ] -http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
MOPS - [ C ] -http://www.cs.berkeley.edu/~daw/mops/
MSSCASI - [ ASP ] -http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en
MZTools - [ VB6, VBA ] -http://www.mztools.com/index.aspx/
Oink - [ C++ ] -http://www.cubewano.org/oink
Ounce - [ C, C++, Java, JSP, ASP.NET, VB.NET, C# ] -http://www.ouncelabs.com/accurate-complete-results.html
Perl-Critic - [ Perl ] -http://search.cpan.org/dist/Perl-Critic/
PLSQLScanner 2008 - [ PLSQL ] -http://www.red-database-security.com/software/plsqlscanner.html
PHP-Sat - [ PHP ] -http://www.program-transformation.org/PHP/PhpSat
Pixy - [ PHP ] -http://pixybox.seclab.tuwien.ac.at/pixy/index.php
PMD - [ Java ] -http://pmd.sourceforge.net/
PolySpace - [ Ada, C, C++ ] -http://www.polyspace.com/products.htm
PREfix & PREfast - [ C, C++ ] -http://support.microsoft.com/vst
Prevent - [ C, C++ ] -http://www.coverity.com/html/coverity-software-quality-products.html
PyChecker - [ Python ] -http://pychecker.sourceforge.net/
pylint - [ Python ] -http://www.logilab.org/project/pylint
QA-C, QA-C++, QA-J - [ C, C++, Java, FORTRAN ] -http://www.programmingresearch.com/PRODUCTS.html
QualityChecker - [ Visual Basic 6 ] -http://d.cr.free.fr/
RATS - [ C, C++, Perl, PHP, Python ] -http://www.fortify.com/security-resources/rats.jsp
RSM - [ C, C++, C#, Java ] -http://msquaredtechnologies.com/m2rsm/
Smatch - [ C ] -http://smatch.sourceforge.net/
SCA - [ ASP.NET, C, C++, C#, Java, JSP, PL/SQL, T-SQL, VB.NET, XML ] -http://www.fortifysoftware.com/products/sca/
Skavenger - [ PHP ] -http://code.google.com/p/skavenger/
smarty-lint - [ PHP ] -http://code.google.com/p/smarty-lint/
soot - [ Java ] -http://www.sable.mcgill.ca/soot/
Source Monitor - [ C#, VB.NET ] -http://www.campwoodsw.com/sm20.html
SPARK - [ Ada ] -http://www.praxis-his.com/sparkada/spark.asp
Spike PHP Security Audit Tool - [ PHP ] -http://developer.spikesource.com/projects/phpsecaudit/
Splint - [ C ] -http://www.splint.org/
SWAAT - [ PHP, ASP.NET, JSP, Java ] -http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
UNO - [ C ] -http://spinroot.com/uno/
vil - [ C#, VB.NET ] -http://www.1bot.com/
Viva64 - [ C++ ] -http://www.viva64.com/
xg++ - [ C ] -http://www.stanford.edu/~engler/mc-osdi.pdf
YTKScan Java - [ Java ] -http://www.cam.org/~droujav/y2k/Y2KScan.html
Those that support PHP:
CodeScan - [ .ASP, PHP ] -http://www.codescan.com/
CodeSecure - [ PHP, Java ] -http://www.armorize.com/corpweb/en/products/codesecure
PHP-Sat - [ PHP ] -http://www.program-transformation.org/PHP/PhpSat
Pixy - [ PHP ] -http://pixybox.seclab.tuwien.ac.at/pixy/index.php
RATS - [ C, C++, Perl, PHP, Python ] -http://www.fortify.com/security-resources/rats.jsp
Skavenger - [ PHP ] -http://code.google.com/p/skavenger/
smarty-lint - [ PHP ] -http://code.google.com/p/smarty-lint/
Spike PHP Security Audit Tool - [ PHP ] -http://developer.spikesource.com/projects/phpsecaudit/
SWAAT - [ PHP, ASP.NET, JSP, Java ] -http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
There is also Fortify (the vendor behind the SCA entry above) -http://www.fortifysoftware.com [if you know of others, please help add them]
At present the PHP Source Code Auditing tools are essentially all static analysers, and source code auditing has always revolved around two elements: variables and functions. In other words, whether a tool is written in PHP or in Java, and whether or not it works from the actual PHP source, it carries a dictionary [signature strings] of dangerous functions and variables; the tool searches the code for entries from that dictionary and then traces the variables that flow into them.
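An added illustration of that dictionary-plus-variable-tracking approach, written in Python for this page; it is not code from any of the tools listed above. The source, sink and sanitizer dictionaries are constructed and deliberately tiny, the PHP snippet it scans is constructed, and the analysis is a single forward pass over lines (no branches, no functions, no arrays), so it shows the mechanism rather than a usable scanner. Note how a context-specific filter is handled: `htmlspecialchars()` removes the XSS category from a variable but leaves it dangerous for SQL.

```python
import re

# Every vulnerability category this toy tracker knows about.
ALL = frozenset({"code injection", "command injection", "SQL injection",
                 "file inclusion", "cross-site scripting"})

# Constructed "dictionary" of attacker-controlled variables (sources) ...
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}

# ... dangerous functions/statements (sinks) and the category each one implies ...
SINKS = {
    "eval": "code injection",
    "system": "command injection", "exec": "command injection",
    "passthru": "command injection", "shell_exec": "command injection",
    "mysql_query": "SQL injection",
    "include": "file inclusion", "require": "file inclusion",
    "echo": "cross-site scripting",
}

# ... and filters, each mapped to the categories it actually neutralises
# (htmlspecialchars() helps against XSS but does nothing for SQL injection).
SANITIZERS = {
    "intval": ALL,
    "htmlspecialchars": frozenset({"cross-site scripting"}),
    "mysql_real_escape_string": frozenset({"SQL injection"}),
    "escapeshellarg": frozenset({"command injection"}),
}

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
VAR_RE = re.compile(r"\$\w+")
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, SINKS)) + r")\b\s*(.*)")


def expr_taint(expr, taint):
    """Return the categories for which `expr` is still attacker-controlled.

    `taint` maps variable names to the categories they are dangerous for.
    A sanitizer anywhere in the expression is assumed to wrap the whole
    expression; that over-approximation is one reason real tools are
    noisier (or blinder) than this sketch.
    """
    cats = set()
    for var in VAR_RE.findall(expr):
        if var in SOURCES:
            cats |= ALL
        elif var in taint:
            cats |= taint[var]
    for name, neutralised in SANITIZERS.items():
        if re.search(r"\b" + re.escape(name) + r"\s*\(", expr):
            cats -= neutralised
    return cats


def scan(php_source):
    """One forward pass: report (line, sink, category) where tainted data reaches a sink."""
    taint = {}
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        # 1. dictionary lookup: is a sink on this line fed by tainted data?
        m = SINK_RE.search(line)
        if m:
            sink, args = m.groups()
            if SINKS[sink] in expr_taint(args, taint):
                findings.append((line_no, sink, SINKS[sink]))
        # 2. variable tracking: propagate (or clear) taint on assignment
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            cats = expr_taint(rhs, taint)
            if cats:
                taint[var] = cats
            else:
                taint.pop(var, None)   # reassigned to something clean
    return findings


# Constructed PHP snippet, not from any real application.
SAMPLE = """\
<?php
$id   = $_GET['id'];
$name = htmlspecialchars($_POST['name']);
$safe = intval($_GET['page']);
$sql  = "SELECT * FROM users WHERE id=" . $id;
$res  = mysql_query($sql);
echo "Hello " . $name;
mysql_query("SELECT * FROM log WHERE user='" . $name . "'");
include "pages/" . $safe . ".php";
system("ls " . escapeshellarg($_GET['dir']));
eval($_COOKIE['code']);
"""

if __name__ == "__main__":
    for line_no, sink, cat in scan(SAMPLE):
        print(f"line {line_no}: {sink} reachable from user input -> possible {cat}")
```

Running it flags lines 6, 8 and 11: the unescaped `$id` reaching `mysql_query()`, the HTML-escaped but not SQL-escaped `$name` reaching `mysql_query()`, and the cookie fed to `eval()`. The `echo`, `include` and `system` lines stay quiet because the filter in front of each one is in the dictionary for that category, which is exactly the situation described next: once developers wrap the well-known sinks in the well-known filters, a tool that only knows this dictionary has nothing left to report.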
But as programmers' security awareness has grown, many of them know these dictionaries too and filter accordingly, so the traditional problems now rarely show up in large applications. Only by expanding our dictionary do we get more chances to find vulnerabilities in an application. Ways to do that:
* Analyse and learn from vulnerabilities or exploits others have found, such as the issues Stefan Esser has discovered and the exploits rgod used to publish
* Study the PHP manual or official documentation to understand the particular behaviour of PHP functions
* Fuzz PHP functions to find new problematic ones [they need not be overflows]
* Analyse the PHP source code to find new vulnerable function behaviours or vulnerabilities
* Where you have the means or the opportunity, learn from developers and find the defects, or easily overlooked problems, in the code they write for common functionality
* Anything you would add? :)