Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

250

which is specifying security requirements and guidance for SBSA/SBBR class systems:  https://developer.arm.com/docs/den0086/latest 




Tool NameDescriptionLicense
Static analysisCoverity

This tool finds defects and security vulnerabilities in custom source code written in C, C++, Java, C#, JavaScript and more

Coverity Scan is a free static-analysis cloud-based service for the open source community

Commercial

SonarQubeSonarQube (formerly Sonar)[1] is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilitiesGNU LGPL

VeracodeVeracode provides multiple security analysis technologies on a single platform, including static analysisdynamic analysis, mobile application behavioral analysis and software composition analysis. Evaluated by AT&T

FortifyUsed by AT&T

Helix QACHelix QAC is the most accurate static code analyzer for C and C++.

CodeSonarCodeSonar performs a unified dataflow and symbolic execution analysis that examines the computation of the entire program.

MISRAMISRA and the associated tools. Should we conform with MISRA standard?
Dynamic analysisIBM Security AppScanEvaluated by AT&TCommercial

Fortify WebInspectUsed by AT&TCommercial

VeraCodeVeracode provides multiple security analysis technologies on a single platform, including static analysisdynamic analysis, mobile application behavioral analysis and software composition analysis.Commercial

angrangr is a platform-agnostic binary analysis framework. It performs
  • Disassembly and intermediate-representation lifting
  • Program instrumentation
  • Symbolic execution
  • Control-flow analysis
  • Data-dependency analysis
  • Value-set analysis (VSA)
  • Decompilation


Valgrind Valgrind tool suite provides a number of debugging and profiling tools.GPLv2

KLEEKLEE is a symbolic virtual machine built on top of the LLVM compiler infrastructure, and available under the UIUC open source license.

LLVM/Clang Sanitizers

It is a fast memory error detector. It consists of a compiler instrumentation module and a run-time library. The tool can detect the following types of bugs:



FlowDroid (Java)FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool, it could be leveraged to scan Java Bytecode.
Pen testMetasploit FrameworkThe Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.BSD

OWASP Zed Attack Proxy (ZAP)OWASP ZAP is an open-source web application security scanner. Apache

AutosploitAutoSploit attempts to automate the exploitation of remote hosts.

ArmitageArmitage is a graphical cyber attack management tool for the Metasploit.

cisco-global-exploiterCisco Global Exploiter (CGE), is an advanced, simple and fast security testing tool .

BURP suite


Postman

Browser plugin (Randy Stricklin to add details as to how to integrate with CI/CD


Fuzzing testOSS-FuzzOSS-Fuzz conducts continuous fuzzing of open source softwares.Apache

AFL

American fuzzy lop is a fuzzer that employs genetic algorithms in order to efficiently increase code coverage of the test cases.

https://github.com/mirrorer/afl

Apache
Vulnerability analysisJFrog XRayUsed by AT&T. For container, npm, RPM, and debian etc artifacts vulnerability scanCommercial

CoreOS ClairClair is an open source project for the static analysis of vulnerabilities in application containers (currently including appcand docker).Apache

CybellumCybellum V-Ray ™. Gives full component visibility and risk assessment, based on automated vulnerability detection.

GrammaTech CodeSonarSource code and binary level static analysis

ClamAVAnti-virusOpen source

NMAP

Discover hosts and services on a computer network by sending packets and analyzing the responses.Modified GPLv2

OpenVASThe OpenVAS scanner is a comprehensive vulnerability assessment system that can detect security issues in all manner of servers and network devices.

WiresharkWireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Nessus ProfessionalNessus helps the security pros on the front lines quickly and easily identify and fix vulnerabilities - including software flaws, missing patches, malware, and misconfigurations.

John the RipperJohn the Ripper is a free password cracking software tool.
Stress TestSlowHTTPTest

SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks by prolonging HTTP connections in different ways.

Apache

MoonGen with DPDK

Fast and flexible packet generator for 10 Gbit/s Ethernet and beyond. MoonGen uses hardware features for accurate and precise latency measurements and rate control.

MIT

Pktgen with DPDKPktgen is a traffic generator powered by Intel's DPDK at 10Gbit wire rate traffic with 64 byte frames.
Full stack test

Lynis

OpenSCAP

Lynis is a free and open source security and auditing tool.

OpenSCAP is used by OPNFV for security scan

Kali Linux is a Linux distribution containing 300+ penetration tool. This distribution can be used for testing external attacks on Akraino systems.


TODO: For a complete system test we may need to define a test diagram similar to this https://insights.sei.cmu.edu/sei_blog/07092018_testingtools_scanlon_figure2_2.png which should encompass all our tests and describe tests hierarchy and test strategy.

GPLv3

GPLv2

Platform

Currently, there are no open source tools for a platform security verification available on for Arm platforms.  Arm released an initial security guidance document  provides Server Base Security Guide (SBSG) for review:

View file
nameDEN0086-SBSG-alpha01.pdf
height




Release

Incident Response Plan

...