Enterprise Architecture: From Incite comes Insight...: Secure Coding Practices

Sunday, August 26, 2007

Secure Coding Practices

Many security practitioners are starting to embrace the notion of Secure Coding practices where they use tools from vendors such as Coverity, Ounce Labs, Fortify Software and others.

The interesting thing is that they treat the notion of dead code detection almost as a second class citizen. Maybe the first action item should be for those vendors to figure out how to put into the same box, code coverage tools...

Listed below are several tools that can help (of course, we should assume open source and spell out when closed):

For Java:

http://hansel.sourceforge.net/ Instruments classes in ClassLoader, integrates with JavaUnit
http://www.jcoverage.com/ Ant task, line and branch coverage
http://cobertura.sourceforge.net/ Instruments class files, Ant tasks
http://www.cenqua.com/clover/ Free for use on open source projects, integrates well with common Java IDEs
NoUnit @ http://nounit.sourceforge.net/ - OpenSource (GNU)
Quilt @ http://quilt.sourceforge.net/ - OpenSource, JavaUnit, Ant, instrumenting ClassLoader
Gretel @ http://sourceforge.net/projects/gretel - [old version of Hansel?]
The "Java Test Coverage Tool" @ http://www.semanticdesigns.com/Products/TestCoverage/JavaTestCoverage.html - ClosedSource, Instruments Source, displays results superimposed on browsable source. US$200 as of 8/1/2004.
JBlanket (Software Information) @ http://csdl.ics.hawaii.edu/Tools/JBlanket/ - a tool for assessing and improving method coverage of unit test cases. It is integrated with JUnit and Ant.

MutationTesting: (which isn't really CodeCoverage, but it's related)

JesTer @ http://jester.sourceforge.net/ - changes your code, and then runs your tests. (If arbitrary changes to the code don't break the tests, then is your code sufficiently tested?)

for .NET (DotNet):

Clover.NET @ http://www.cenqua.com/clover.net/ - ClosedSource (but free for use on OpenSource projects), C# and VB.NET, statement, method and branch coverage, from command line, Visual Studio, and NAnt (preliminary mono support)
NCover @ http://ncover.sourceforge.net/ - OpenSource, path coverage, NUnit, NAnt
CoverageEye?.NET @ http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=881a36c6-6f45-4485-a94e-060130687151 - uses a COM component to leverage the .NET profiling API
"DevPartner? Studio Professional Edition" @ http://www.compuware.com/products/devpartner/1563_ENG_HTML.htm - $$$
"Perform Code Coverage Analysis with .NET to Ensure Thorough Application Testing", an MSDN article on building "A custom code coverage tool" @ http://msdn.microsoft.com/msdnmag/issues/04/04/CodeCoverageAnalysis/default.aspx
"C# Test Coverage Tool" @ http://www.semanticdesigns.com/Products/TestCoverage/CSharpTestCoverage.html - ClosedSource. Instruments Source, displays results superimposed on browsable source. US$250 as of 8/1/2004.

C/C++:

tcov = Sun Unix C profiler. See "tcov(1)" man page. It annotates (mangles) your source code to add instrumentation.
gcov = GNU C/C++ equivalent of "tcov".
Dynamic Code Coverage for Sun Solaris @ http://www.dynamic-memory.com/coverageanalysis.php
"C Test Coverage Tool" @ http://www.semanticdesigns.com/Products/TestCoverage/CTestCoverage.html - ClosedSource. Instruments Source, displays results superimposed on browsable source. US$400 as of 8/1/2004. ANSI, Microsoft Visual6 C, and GNU C dialects all supported.
"C++ Test Coverage Tool" @ http://www.semanticdesigns.com/Products/TestCoverage/CppTestCoverage.html - ClosedSource. Instruments Source, displays results superimposed on browsable source. US$500 as of 8/1/2004. ANSI and Microsoft Visual6 C++ dialects all supported.