BugScan


Alex Handy
09.29.2005

BugScan
HBGary
Price: Starts at $19,500

HBGary's BugScan ferrets out application holes that expose your network to dangerous exploits, adding quality assurance to your development process.

The binary code analyzer is a plug-and-play 1U Dell box running Windows Server 2003. It connects to the network through an Ethernet interface, or directly to a laptop or PC using a crossover cable. HBGary recommends the direct connection to prevent network compromise, because BugScan does not encrypt data in transit. By typing BugScan's IP address into your browser, you get a Web-based interface for login and options, such as scanning compiled binary code, configuring user accounts and limiting the number of scans allowed per user.

BugScan provides an enlightening yet frightening experience. It works as advertised to sniff out flaws, such as signed/unsigned conversions, buffer overflows and insecure C library calls. For instance, BugScan can find an MS-RPC DCOM hole (of Blaster worm fame), a Debian hsftp format string glitch and Trillian buffer overflows.

HBGary's BugScan audits code for security holes, adding a layer of QA to your app development. Scanning our sample code--a commercial program--we found upwards of 600 bugs, ranging from potentially dangerous buffer overflows to poor random number generation. BugScan can't repair these holes, but it defines numerous bugs and offers direction by providing standard fix recommendations, including length-specific C library calls and commands, such as 'strncpy' versus 'strcpy' and 'snprintf' versus 'sprintf,' to prevent buffer overflows.
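The three flaw classes the review names (insecure C library calls, buffer overflows and signed/unsigned conversions) and the length-bounded replacements BugScan recommends, shown side by side as an added example; this is constructed illustration code, not code from the review, from HBGary or from the scanned product. The record layout and field sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed fixed-size field, chosen for the example */

struct user_rec {
    char name[NAME_LEN];
    char greeting[32];
};

/* Before: the pattern a binary scanner flags. strcpy and sprintf stop only
 * at the source's NUL, so a name of NAME_LEN bytes or more runs past
 * rec->name. Kept for contrast; never called with oversize input here. */
void fill_rec_unsafe(struct user_rec *rec, const char *name)
{
    strcpy(rec->name, name);
    sprintf(rec->greeting, "Hello, %s!", name);
}

/* After: the length-specific calls the report recommends. Returns 1 if the
 * name fit, 0 if it was truncated, so the caller can reject the input
 * instead of silently clipping it. Caveat: strncpy does not NUL-terminate
 * when the source fills the destination, so the terminator is set by hand. */
int fill_rec_safe(struct user_rec *rec, const char *name)
{
    strncpy(rec->name, name, NAME_LEN - 1);
    rec->name[NAME_LEN - 1] = '\0';
    /* snprintf never writes more than sizeof greeting bytes and always
     * terminates; its return value is the length the full output would have
     * had, so a value >= the buffer size means the greeting was cut. */
    int n = snprintf(rec->greeting, sizeof rec->greeting, "Hello, %s!", rec->name);
    return strlen(name) < NAME_LEN && n < (int)sizeof rec->greeting;
}

/* Signed/unsigned conversion: a negative int length handed to memcpy's size_t
 * parameter becomes a huge unsigned value, and a bare "len < dst_len" check
 * after the cast no longer protects the buffer. Testing the signed value
 * before converting it closes the hole. */
int copy_checked(char *dst, size_t dst_len, const char *src, int len)
{
    if (len < 0 || (size_t)len >= dst_len)
        return 0;                       /* reject rather than overflow */
    memcpy(dst, src, (size_t)len);
    dst[len] = '\0';
    return 1;
}
```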

While easy to use, BugScan sports Spartan Web-based admin and reporting interfaces. You'll see an analysis queue that's merely an ordered list of which binaries remain to be scanned. There's no automated way to check the progress of the current operation, and there's no notice when the scan is completed. Scanning large binaries is enough of a chore without having to check back on progress until the scan finishes.

BugScan can't generate reports, but it can be configured to e-mail you a link for grabbing a set of XML results that don't include line breaks. These results can be exported to other formats, including Microsoft Excel or Crystal Reports. The reporting interface would be better if it gave users more control over the view. For instance, letting users change the number of bugs listed per page, as search applications let you set results per page, would mean loading fewer Web pages to scroll through the entire result set. BugScan lists a standard five bugs per page, so with 600 bugs found, you'll need to move through 120 Web pages. The initial results page could also list each bug's occurrence offset (the address used to locate the code reference) alongside the specific bug listing. As it stands, BugScan requires users to click on a specific bug to get another page and then scroll down to the offset numbers at the bottom right corner.

HBGary offers excellent phone support--you'll speak directly to the people who designed and programmed BugScan. Fortunately, BugScan's packaged documentation is adequate, because its HTML help documentation is abysmal: two paragraphs on an unformatted page.

BugScan can easily replace in-house quality assurance tools, which require development. HBGary provides an excellent tool for companies focused on rooting out risks and maintaining secure project code.

About the Author
Alex Handy is a contributor to Information Security magazine.

This review originally appeared in Information Security magazine.
