This presentation was by Dinis Cruz, and OWASP board member and he works for Ounce Labs, a producer of a source code analysis tool, but he said he was not speaking on behalf of either.  The presentation was entitled “Building a Tool for Security Consultants: A Story of a Customized Source Code Scanner”.  Everything was built on Open Source except for the scanning engine which is using Ounce.

About the Tool

Developed features while performing an assessment.  Only developing features that make sense.  Considered mature after 4 or 5 engagements with no feature additions necessary.  Tools job should be to give you “pointers” that you can follow.  Tool displays a chart of the flow from function to function.  Uses different colors to represent data sources and data sinks.  Can map just source to sink so you can easily figure out where tainted data arrives from and where it goes to.  Able to look for “insecure patterns” instead of finding 20 XSS or 10 SQL injection pages.  Able to display function calls ordered both ways: what functions are called by a function or functions that call a function.  Added a scripting editing environment.  Everything that is available via the GUI can be scripted.

There were no slides for this presentation and the whole thing was a demonstration of the tool and how it works, it’s features, etc.  I don’t know a whole lot about source code scanning and will tell you that a good chunk of this presentation was over my head, but Dinis was very enthusiastic about the tool and made it sound like it’s something totally awesome and very worth looking into.  He says that the tool is not “nice” and not “easy to use”, but once you get used to it, it is an extremely useful tool for source code analysis.