How to Find Security Vulnerabilities in Source Code

The original, and still the best, method for finding security vulnerabilities in source code is to read and understand the source code.

Source code security vulnerabilities will vary between languages and platforms.

Items to look for in C code include:

Potential vulnerability	Function calls to examine for vulnerabilities
Buffer overflows	gets(), scanf(), sprintf(), strcat(), strcpy()
Format string vulnerabilities	printf(), fprintf(), vprintf(), snprintf(), vsnprintf(), syslog()
Race conditions	access(), chown(), chgrp(), chmod(), mktemp(), tempnam(), tmpfile(), tmpnam()
Random number acquisition vulnerabilities	rand(), random()
Shell metacharacter vulnerabilities	exec(), popen(), system()

Automated Source Code Security Vulnerability Scanners

There are intelligent tools available to help you examine large amounts of source code for security vulnerabilities.

The Boop ToolkitUtilizes abstraction and refinement to determine the reachability of program points in a C program

Tool	Description
Flawfinder	Examines source code and reports possible security vulnerabilities
RATS from Secure Software Solutions	Scans C, C++, PERL, PHP and Python source code for potential security vulnerabilities.
PScan	A limited problem scanner for C source files
BOON	Buffer Overrun detectiON
MOPS	MOdelchecking Programs for Security properties
Cqual	A tool for adding type qualifiers to C
MC	Meta-Level Compilation
SLAM	Microsoft
ESC/Java2	Extended Static Checking for Java version 2
Splint	Secure Programming Lint
Blast	Berkeley Lazy Abstraction Software Verification Tool
Uno	Simple tool for source code analysis
PMD	Scans Java source code and looks for potential problems
C++ Test	Unit testing and static analysis tool

For more information regarding source code scanners, read Source Code Scanners for Better Code in the Linux Journal.

For more information regarding secure programming, read the Secure Programming for Linux and Unix HOWTO.