Ancient History


The first code scanner built to look for security problems in code was Cigital's ITS4 <http://www.cigital.com/its4/>.[4] Since ITS4's release in early 2000, the idea of detecting security problems by looking over source code with a tool has come of age. Much better approaches exist and are being rapidly commercialized.

[4] ITS4 is actually an acronym for "It's The Software Stupid Security Scanner," a name we invented much to the dismay of our poor marketing people. That was back in the day when Cigital was called Reliable Software Technologies.

ITS4 and its counterparts RATS <http://www.securesoftware.com> and Flawfinder <http://www.dwheeler.com/flawfinder/> are extremely simple: the tools scan through a file (lexically), looking for syntactic matches based on a number of simple "rules" that might indicate possible security vulnerabilities. One such rule might be "use of strcpy() should be avoided," which can be applied by looking through the software for the pattern "strcpy" and alerting the user when and where it is found. This is obviously a simple-minded approach that is often referred to with the derogatory label "glorified grep."[5]

[5] For the non-UNIX geeks in the audience, grep is a command-line UNIX utility for finding lexical patterns.

The best thing about ITS4 and company was that creating them involved gathering and publishing a preliminary set of software security rules all in one place. When we released the tool (as open source), our hope was that the world would participate in helping to gather and improve the ruleset. Though over 15,000 people downloaded ITS4 in the first year it was out, we never received even one rule to add to its knowledge base. The world did not end, however, and a number of prominent commercial efforts to build up and evolve rulesets were undertaken. Appendix B describes a very basic set of software security rules (those included in ITS4) to serve as part of a minimum set of security rules that every static analysis tool should cover.

Worth mentioning is the fact that ITS4 and friends were never intended to be "push the button, see the bug" kinds of tools. The basic idea was instead to turn an impossible problem (remembering all those rules while doing manual code review) into a really hard one (figuring out whether the things flagged by the tool matter or not). Simple tools like ITS4 help you carry out a source code security review, but they certainly don't do it for you. The same can be said for modern tools, though they definitely make things much easier than the first-generation tools did.
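To make the "glorified grep" distinction and the triage burden concrete, here is an added example in Python. It is not code from ITS4, RATS, Flawfinder or the book: the ruleset, the function names and the sample C file are all constructed for this illustration. The scanner does one thing a plain grep does not (it blanks out comments and string literals before matching call sites), yet it still flags a strcpy() whose source is a compile-time constant, which is exactly the "is this hit real?" question the text says the tool leaves to the reviewer.

```python
import re
from dataclasses import dataclass

# Toy ruleset in the spirit of the ITS4/RATS/Flawfinder tables. The entries
# and the wording are assumptions for this example, not the ITS4 ruleset
# reproduced in Appendix B.
RULES = {
    "strcpy":  ("high",   "no bounds check on destination; prefer strlcpy or snprintf"),
    "strcat":  ("high",   "no bounds check on destination; prefer strlcat"),
    "sprintf": ("high",   "no bounds check on destination; prefer snprintf"),
    "gets":    ("high",   "unbounded read from stdin; use fgets"),
    "system":  ("medium", "command injection if the argument is attacker-influenced"),
    "strncpy": ("low",    "may leave the destination unterminated"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    func: str
    risk: str
    advice: str
    source: str  # the flagged line, so the reviewer can start triage

# String literals are tried first, so "http://..." is not taken for a comment.
_SKIP_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.DOTALL)
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def _blank_comments_and_strings(src: str) -> str:
    """Replace comments and string literals with spaces, keeping every
    newline so line numbers are preserved. This small step is what
    separates a lexical scanner from a plain grep."""
    return _SKIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def naive_grep(src: str, name: str) -> list[int]:
    """What 'grep -n name' reports: every line containing the substring."""
    return [i for i, text in enumerate(src.split("\n"), start=1) if name in text]

def scan(path: str, src: str, rules=RULES) -> list[Finding]:
    """Lexical scan: report every call to a function named in the rules."""
    raw_lines = src.split("\n")
    clean_lines = _blank_comments_and_strings(src).split("\n")
    findings = []
    for lineno, text in enumerate(clean_lines, start=1):
        for m in _CALL_RE.finditer(text):
            name = m.group(1)
            if name in rules:
                risk, advice = rules[name]
                findings.append(Finding(path, lineno, name, risk, advice,
                                        raw_lines[lineno - 1].strip()))
    return findings

def report(findings: list[Finding]) -> str:
    """One line per hit, in the file:line style of the early tools."""
    return "\n".join(f"{f.path}:{f.line}: [{f.risk}] {f.func}(): {f.advice}"
                     for f in findings)

# Constructed sample input for this example; not code from the book.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

/* strcpy() would be wrong here, so we do not use it. */
static const char banner[] = "strcpy";

void greet(const char *name) {
    char buf[16];
    strcpy(buf, "hello ");      /* constant source: cannot overflow buf */
    strcat(buf, name);          /* unbounded: the real overflow */
    printf("%s\n", buf);
}

int main(int argc, char **argv) {
    if (argc > 1) greet(argv[1]);
    return 0;
}
"""

if __name__ == "__main__":
    # grep reports lines 4, 5 and 9 for "strcpy"; the scanner reports only
    # the two real call sites (lines 9 and 10), and the reviewer still has
    # to decide that line 9 is harmless and line 10 is the bug.
    print("grep would flag strcpy on lines:", naive_grep(SAMPLE_C, "strcpy"))
    print(report(scan("greet.c", SAMPLE_C)))
```

Run it and compare the two outputs: the comment and the string literal disappear from the scanner's list, but the ruleset has no notion of where the copied data comes from, so the safe strcpy() on line 9 and the genuinely overflowable strcat() on line 10 arrive with the same "high" label. Deciding between them is the "really hard problem" the paragraph above describes, and it is the part that data-flow-aware modern tools try to narrow.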




Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw