
Topic: Rough Auditing Tool for Security



  
  RATS - Rough Auditing Tool for Security
Secure Software was recently acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.
RATS is authored, maintained, and distributed by Secure Software, Inc., which was recently acquired by Fortify Software, Inc. All bug reports, patches, database contributions, comments, etc. should be sent to rats@fortify.com.
www.fortifysoftware.com /security-resources/rats.jsp   (697 words)

  
 Wiretapped - Directory Index - Development
ITS4 is a tool that statically scans C and C++ source code for potential security vulnerabilities.
RATS, the Rough Auditing Tool for Security, is a security auditing utility for C, C++, Python, Perl and PHP code.
Fenris is a multipurpose tracer, GUI debugger, stateful analyzer and partial decompiler intended to simplify bug tracking, security audits, code, algorithm, protocol analysis and computer forensics - providing a structural program trace, interactive debugging capabilities, general information about internal constructions, execution path, memory operations, I/O, conditional expressions and much more.
www.wiretapped.net /indexes/development.html   (1061 words)

  
 Treachery Unlimited - Security Tools (Auditing, Logging and Intrusion Detection)
Auditing (Code, Host, Network and Password Audit Tools)
Rough Auditing Tool for Security (RATS) Code Auditor
www.treachery.net /tools   (72 words)

  
 .:[ packet storm ]:.
Proxychains is a command line tool for Linux and Solaris which allows TCP tunneling through one or multiple (chained) HTTP proxies.
RATS, the Rough Auditing Tool for Security, is a security auditing utility for C, C++, Python, Perl and PHP code.
SQLAT is a suite of tools which could be useful for pen-testing a MS SQL Server.
packetstormsecurity.org / - http://packetstorm.offensive-security.com/UNIX/security/index5.html   (1129 words)

  
  Open Source Tools for Security and Control Assessment
The Security Administrator's Tool for Analyzing Networks (SATAN) was one of the earliest vulnerability assessment tools, and was developed by security expert Wietse Venema to audit the susceptibility of various UNIX operating systems to known vulnerabilities.
A host-based auditing tool is theoretically more comprehensive than a network-based vulnerability assessment tool simply because it has greater access to system information than a network-based tool.
Auditing of the IS processes within an organization usually takes place with the help of checklists, questionnaires, interviews, and actual observation of the systems and controls that have been put in place.
www.isaca.org /Content/ContentGroups/Journal1/20044/Open_Source_Tools_for_Security_and_Control_Assessment.htm   (4176 words)

  
 Dr. Dobb's | Static Analysis, Security Holes, & Networking Code | September 28, 2005
These tools check for code patterns that can be identified with a minimal amount of context and that may (or may not) indicate that there is something wrong with the code.
At the top of the sophistication heap are those static-analysis tools that use either compiler-analysis techniques, theorem-proving techniques, or a combination of the two to focus on finding mistakes in the source code that will have disastrous effects at runtime—system crashes, back doors into the system, or memory corruption.
To really find security holes, you need to be able to tell which pointers could point to that poisonous data, and which ones ultimately end up being consumed in a trusted manner.
www.ddj.com /dept/security/184402016   (2590 words)

  
 Code review - Wikipedia, the free encyclopedia
Code review is systematic examination (often as peer review) of computer source code intended to find and fix mistakes overlooked in the initial development phase, improving overall code quality.
Code reviews can often find and remove common security vulnerabilities such as format string attacks, race conditions, and buffer overflows, thereby improving software security.
Flawfinder and Rough Auditing Tool for Security (RATS) are two well-known examples of code reviewing software.
en.wikipedia.org /wiki/Code_review   (296 words)

  
 Dr. Dobb's | Risk Analysis: Attack Trees & Other Tricks | July 6, 2002
Security audits that focus on code can find problems, but they don't tend to find the major flaws that only an architectural analysis can reveal.
Although security tools encode a fair amount of knowledge on vulnerabilities that no longer must be kept in the analyst's head, an expert still does a much better job than a novice at taking a potential vulnerability location and manually performing the static analysis necessary to determine whether an exploit is possible.
A security scanner cuts out only one quarter to one third of the time it takes to perform a source code analysis because the manual analysis is still required.
www.ddj.com /184414879;jsessionid=UJELQHSEAZIMQQSNDLQCKH0CJUNN2JVN?_requestid=1119503   (4258 words)

  
 Weekly Security Tools Digest
Auditing and Intrusion Monitoring tools include SnortSnarf, LIDS, BigBrother and John the Ripper.
This version of Apache is principally a security fix release which closes a problem under the Windows and OS/2 ports that would segfault the server in response to a carefully constructed URL.
In addition, the tool performs the necessary checks to enable files of arbitrary size to be processed using multiple queries if necessary.
www.boran.com /security/sp/toolsdigest/2001/tools20010524.html   (1753 words)

  
 Security and the Design of Secure Software
Security is one of the functional qualities of software (Figure 1) and is related to the reliability quality characteristic in that software features that compromise security are often those same features that lead to unreliability.
Security holes and vulnerabilities are often the result of incomplete/bad software design and implementation and thus occur as a sub-characteristic of reliability.
Each module should be subjected to a code audit from a security perspective to verify that the security design is properly implemented and that security risks are not introduced through poor coding practices.
cs.wwc.edu /~aabyan/FAS/book/node14.html   (4118 words)

  
 Integrate static analysis into software development processes | Automotive DesignLine
The tool was developed as a replacement for a series of grep scans on source code used to detect security vulnerabilities as part of Cigital's consulting practice.
The Rough Auditing Tool for Security (RATS) is another basic lexical analysis tool for C and C++, similar to ITS4 and Flawfinder.
By requiring the tools' use, many faults that would otherwise lie dormant and not be detected until a code inspection is conducted, will now be caught earlier in the process, as the developer is developing the source code.
www.automotivedesignline.com /193501499?cid=RSSfeed_automotivedesignline_autodlRSS   (5357 words)

  
 Linux Online - Tools
One obvious type of tool is a program to examine the source code to search for patterns of known potential security problems (e.g., calls to library functions in ways that are often the source of security vulnerabilities).
There are a number of tools that try to give you insight into running programs that can also be useful when trying to find security problems in your code.
These kinds of tools are very useful for doing regression testing, but since they essentially use a list of past specific vulnerabilities and common configuration errors, they may not be very helpful in finding problems in new programs.
www.linux.org /docs/ldp/howto/Secure-Programs-HOWTO/tools.html   (1145 words)

  
 IT Audit - The Institute of Internal Auditors
Audit Serve provides audit and security services as well as consulting activities in areas including security, controls, systems, and software development audits and implementation.
LT Auditor+ is used to secure the assets of banks, government agencies, and education and healthcare institutions.
Audit Sentry is an integrated, software-based framework designed to reduce the cost and time associated with performing a risk-based audit by automating methodologies from planning to reporting.
www.theiia.org /itaudit/index.cfm?act=ITAudit.reflibcategory&catid=7   (5932 words)

  
 Tools
One obvious type of tool is a program to examine the source code to search for patterns of known potential security problems (e.g., calls to library functions in ways that are often the source of security vulnerabilities).
There are a number of tools that try to give you insight into running programs that can also be useful when trying to find security problems in your code.
These kinds of tools are very useful for doing regression testing, but since they essentially use a list of past specific vulnerabilities and common configuration errors, they may not be very helpful in finding problems in new programs.
www.tldp.org /HOWTO/Secure-Programs-HOWTO/tools.html   (1125 words)

  
 Secure Enterprise | Review: Source-Code Assessment Tools Kill Bugs Dead
All the tools we examined assume (exclusively, in some cases) a developer audience--which makes perfect sense because developers are writing the insecure code--but QA managers and engineering VPs who oversee the quality aspect of the application-development process will find these tools provide valuable insight.
The general goal of such a security push is twofold: Ingrain security principles and risk reduction procedures into daily SDLC processes, and stop treating security as an after-the-fact (as in, after-the-application-is-done-being-developed) concern.
Semantic analysis allows the tool to discard irrelevant occurrences of printf found in comments, variable names and similar function names and focus specifically on where printf() is in actual use and how it's being called.
www.ouncelabs.com /secure_enterprise.html   (7036 words)

  
 OWASP Application Security FAQ - OWASP
The security benefits of this method are: the password is not sent in the mail; since the link is active for a short time, there is no harm even if the mail remains in the mailbox for a long time.
Rough Auditing Tool for Security (RATS) is a tool that scans the source code for security flaws in C, C++, Python, Perl and PHP programs.
The security risk with persistent cookies is that they are generally stored in a text file on the client and an attacker with access to the victim's machine can steal this information.
www.owasp.org /index.php/OWASP_Application_Security_FAQ   (8361 words)

  
 LiveAmmo Security Tools Directory
LiveAmmo is the leading provider of advanced network and computer security training, and offers both online and instructor-led classes pertaining to digital forensics, incident response, intrusion prevention and detection, penetration testing, reverse engineering, secure programming, systems hardening, vulnerability assessment, and wireless security.
LiveAmmo's security instructors maintain a unique and cutting edge perspective for today's security risks and challenges, as the result of having completed many large scale projects for state and federal government agencies, as well as Fortune-class corporations - accept no substitute.
LiveAmmo's audit team has the unique distinction of specializing in internal security controls, by applying proven risk assessment methodologies to identify and mitigate the myriad of threats associated with insider exploit and compromise.
liveammo.com /LiveAmmo_Security_Tools_Directory_Secure_Programming.php   (930 words)

  
 Seeking audit software download
Nsauditor is a network security scanner that allows you to audit and monitor a network for possible vulnerabilities, and checks methods that a hacker might use to attack it.
ApexSQL Audit is an Audit Trail generation and reporting tool for MS SQL Server...
Print Audit 4's print management software helps organizations get a grip on printing costs by showing them exactly how much is being printed, where, by whom and what.
www.downseek.com /search?f=audit&p=6   (440 words)

  
 SecuriTeam™ - RATS, Rough Auditing Tool for Security
RATS, the Rough Auditing Tool for Security, is a security auditing utility for C and C++ code.
The goal of this tool is not to definitively find bugs, but rather to provide a reasonable starting point for performing manual security audits.
www.securiteam.com /tools/5XP0N2A4AI.html   (181 words)

  
 http://www.nwfusion.com/news/2004/0419codereview.html
Rough Auditing Tool for Security ("Rats") maintained by Secure Software, also can be of help.
Automated Error Prevention software tool, released earlier this year for uncovering security-related mistakes related to SQL and buffer overflows in the C and C++ coding process, are part of the trend toward automated security code reviews.
Finally, start-up Ounce Labs plans to ship Prexis next month (May), a tool designed for use by CIOs and chief security officers to evaluate C or C++ source code that developers produce.
www.cs.virginia.edu /~evans/press/nwfusion.html   (866 words)

  
 LukeMacken/SecurityLiveCD - Fedora Project Wiki
To provide a fully functional livecd based on Fedora for use in security auditing, forensics research, and penetration testing.
Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.
Rootkit scanner is a scanning tool to ensure, for about 99.9%*, that you're clean of nasty tools.
fedoraproject.org /wiki/LukeMacken/SecurityLiveCD   (616 words)

  
 Rough_Auditing_Tool_for_Security - The Wordbook Encyclopedia
Rough Auditing Tool for Security (RATS) is an automated code review tool, provided by Secure Software Inc.
It scans C, C++, Perl, PHP and Python source code and flags common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
The tool performs a rough analysis of the source code.
www.thewordbook.com /Rough_Auditing_Tool_for_Security   (185 words)

  
 Tools for developing and testing software in the C programming language
I did not write these tools, but they should be known to all C programmers.
Sadly, similar tools are mostly not available for C++ and Java.
Rough Auditing Tool for Security (for C, C++, Python, Perl and PHP code)
www.math.utah.edu /~beebe/software/c-tools/index.html   (157 words)

  
 Two Open Source Security Code Scanners - The Community's Center for Security
David Wheeler, author of the Secure Programming HOWTO, and the RATS development team from Secure Software Solutions today announced open source source-code security flaw scanners.
Rough Auditing Tool for Security, the code analysis effort by SSS, also looks to be promising.
Further information on flawfinder can be found at http://www.dwheeler.com/flawfinder/. The Rough Auditing Tool for Security homepage is at http://www.securesw.com/rats/.
www.linuxsecurity.com /content/view/109905   (534 words)

  
 Splint - Related Links
Some commercial tools have been developed that focus on static checking, some can be used to check for conformance to various standards.
Scientific Toolworks produces tools that analyze Ada, C, C++ and FORTRAN source code to reverse engineer and automatically document programs.
Secure Coding: Principles and Practices, by Mark G. Graff and Kenneth R. van Wyk, O'Reilly, 2003.
www.splint.org /links.html   (936 words)

  
 SVBUG::Administrator's Page::Packages & Ports::r::rats-2.1
This is RATS, a rough auditing tool for security, developed by Secure Software Solutions.
It is a tool for scanning source code (C, C++, Perl, and Python) and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
Manual inspection of your code is still necessary, but greatly aided with this tool.
www.svbug.com /administrator/packages&ports/r/rats-2.1.html   (100 words)

  
 Static Source Code Analysis
Buffer overflow detection tool written as part of David Wagner's PhD dissertation, released in 2000 and no longer supported.
Cqual is a type-based analysis tool that provides a lightweight, practical mechanism for specifying and checking properties of C programs.
Security analysis tool by Brian Chess built on the Simplify theorem prover.
www.nku.edu /~waldenj1/research/static_analysis.html   (324 words)

Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.