Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byRosamond Ryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Introducing Yasca Michael Scovetta Yasca Project Owner Michael.Scovetta@gmail.com 27 January 2009

2 OWASP 2 Agenda  What is Yasca?  Architecture  Plug-ins  Reporting  Demonstration  Questions?

3 OWASP 3 What is Yasca? (Yet Another Source Code Analyzer)  Yasca is an open-source tool for scanning source code for security, performance, and non-conformance to best practices.  It includes other best-of-breed open-source tools (e.g. J-Lint, PMD, and FindBugs), as well as custom plug-ins.  It is written in command-line PHP, and tested on Windows and Linux.

4 OWASP 4 What is Yasca? (Yet Another Source Code Analyzer)  File Types Scanned:  Java, JSP  C/C++  PHP  ASP, Visual Basic  COBOL  HTML, JavaScript, CSS

5 OWASP 5 Architecture  Yasca is both an engine and a framework for conducting file analyses.  The engine takes a set of files and passes each one to every included plug-in, parses its output and creates a report. Plug-in Report Generator Yasca /tmp/my_source_code Output

6 OWASP 6 Plug-ins  Major plug-ins included in Yasca distribution:  PMD  FindBugs  J-Lint and antiC  Grep (custom-written)  Additional plug-ins are included, written as PHP scripts.  Easy to write new plug-ins (<< 5 minutes)

7 OWASP 7 Plug-ins  Sample Plug-in: name = String Equals Vs '==' file_type = java grep = /([\!=]=\s*\")/ category = Code Quality: Incorrect Usage of == or != severity = 2 description = Using the == or != operators should never be used to compare String content. This is because of how Java allocates String objects, and can be illustrated with the following example: System.out.println("foo" == new String("foo")); If you run this code, you will see that the output is false. References TODO END;

8 OWASP 8 Reporting  A number of different reports are available:  CSV  XML  Detailed HTML  Simple HTML  Sample:

9 OWASP 9 Demonstration

10 OWASP 10 Questions?

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Actuate Corporation © 2010 THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE.

1 Actuate Corporation © 2010 THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE BIRT COMPANY THE.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
DT211/3 Internet Application Development Active Server Pages & IIS Web server.

DT211/3 Internet Application Development Active Server Pages & IIS Web server.
ManageEngine TM Applications Manager 8 Monitoring Custom Applications.

ManageEngine TM Applications Manager 8 Monitoring Custom Applications.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
University of Southern California Center for Systems and Software Engineering 1 © USC-CSSE Unified CodeCounter (UCC) with Differencing Functionality Marilyn.

University of Southern California Center for Systems and Software Engineering 1 © USC-CSSE Unified CodeCounter (UCC) with Differencing Functionality Marilyn.
Executable XML Present by 吳昆澤. Outline  Introduction  Simkin  Jelly  o:XML  Conclusion.

Executable XML Present by 吳昆澤. Outline  Introduction  Simkin  Jelly  o:XML  Conclusion.
Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.

Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.
Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.

Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.
Java Server Pages Russell Beale. What are Java Server Pages? Separates content from presentation Good to use when lots of HTML to be presented to user,

Java Server Pages Russell Beale. What are Java Server Pages? Separates content from presentation Good to use when lots of HTML to be presented to user,
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Static Analysis for Dynamic Assessments Greg Patton | September 2014.

Static Analysis for Dynamic Assessments Greg Patton | September 2014.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
ITM352 Javascript and Dynamic Web Pages: Client Side Processing.

ITM352 Javascript and Dynamic Web Pages: Client Side Processing.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google