Price: Starts at $19,500

HBGary's BugScan ferrets out application holes that expose your network to dangerous exploits, adding quality assurance to your development process.

The binary code analyzer is a plug-and-play 1U Dell box running Windows Server 2003. It connects to the network through an Ethernet interface, or directly to a laptop or PC using a crossover cable--which HBGary recommends for preventing network compromises; there's no encryption for protecting data in transit. By typing BugScan's IP address into your browser, you get a Web-based interface for login and options, such as scanning compiled binary code, configuring user accounts and limiting the number of scans allowed per user.

BugScan provides an enlightening yet frightening experience. It works as advertised to sniff out flaws, such as signed/unsigned conversions, buffer overflows and insecure C library calls. For instance, BugScan can find an MS-RPC DCOM hole (of Blaster worm fame), a Debian hsftp format string glitch and Trillian buffer overflows.

HBGary's BugScan audits code for security holes, adding a layer of QA to your app development. Scanning our sample code--a commercial program--we found upwards of 600 bugs, ranging from potentially dangerous buffer overflows to poor random number generation. BugScan can't repair these holes, but it defines numerous bugs and offers direction by providing standard fix recommendations, including length-specific C library calls and commands, such as 'strncpy' versus 'strcpy' and 'snprintf' versus 'sprintf,' to prevent buffer overflows.
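The three flaw classes the review names (unbounded C library calls, sprintf-style formatting and signed/unsigned conversions) and the length-bounded replacements it says BugScan recommends are easier to judge side by side. The block below is an added example written for this page, not HBGary's code or BugScan output; the function names, BUF_SIZE and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example (not HBGary's code): the C patterns the review says BugScan
   flags, next to the length-bounded replacements it recommends. All names
   and sizes here are constructed for illustration. */

#define BUF_SIZE 16

/* Flagged pattern: strcpy never learns how large dst is, so any name of
   BUF_SIZE or more characters overruns the buffer. Shown for contrast;
   main() below only ever passes it input that fits. */
void greet_unbounded(char dst[BUF_SIZE], const char *name) {
    strcpy(dst, name);
}

/* Recommended replacement: check the source length against the destination
   size, then copy with an explicit bound. strncpy does not NUL-terminate
   when the source fills the buffer, so the terminator is written explicitly.
   Returns 0 on success, -1 when the input would not fit. */
int greet_bounded(char *dst, size_t dst_size, const char *name) {
    if (dst_size == 0) return -1;
    if (strlen(name) >= dst_size) {     /* no room for name plus terminator */
        dst[0] = '\0';
        return -1;
    }
    strncpy(dst, name, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return 0;
}

/* sprintf vs snprintf: snprintf takes the buffer size and returns how many
   characters the full output needed, so truncation is detectable instead of
   silently overwriting memory. Returns 0 when the message fit, -1 if not. */
int format_bounded(char *dst, size_t dst_size, const char *user, int attempts) {
    int n = snprintf(dst, dst_size, "user=%s attempts=%d", user, attempts);
    if (n < 0 || (size_t)n >= dst_size) return -1;   /* would not fit */
    return 0;
}

/* Signed/unsigned conversion, the third flaw class the review names.
   The flawed check compares a signed length against a signed limit, so a
   negative length passes and later becomes a huge size_t in memcpy. */
int length_ok_flawed(int len) {
    return len <= BUF_SIZE;        /* -1 <= 16 is true: accepted */
}

/* Hardened: reject negatives before any conversion, then compare as size_t. */
int length_ok_fixed(int len) {
    if (len < 0) return 0;
    return (size_t)len <= BUF_SIZE;
}

int main(void) {
    char buf[BUF_SIZE];
    greet_unbounded(buf, "alice");                       /* fits: 5 chars */
    printf("unbounded: %s\n", buf);
    printf("bounded short: %d (%s)\n", greet_bounded(buf, sizeof buf, "bob"), buf);
    printf("bounded long : %d\n",
           greet_bounded(buf, sizeof buf, "a-name-that-is-too-long"));
    printf("format into 16 bytes: %d\n", format_bounded(buf, sizeof buf, "eve", 3));
    printf("flawed check on -1: %d, fixed check on -1: %d\n",
           length_ok_flawed(-1), length_ok_fixed(-1));
    return 0;
}
```

The point a reviewer of scan results should take from this is that swapping `strcpy` for `strncpy` alone is not a fix: without the length check and the explicit terminator, `strncpy` can leave an unterminated string that the next `printf` or `strlen` walks past the buffer's end.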

While easy to use, BugScan sports Spartan Web-based admin and reporting interfaces. You'll see an analysis queue that's merely an ordered list of which binaries remain to be scanned. There's no automated way to check the progress of the current operation, and there's no notice when the scan is completed. Scanning large binaries is enough of a chore without having to check back on progress until the scan finishes.

BugScan can't generate reports, but it can be configured to e-mail you a link for grabbing a set of XML results that don't include line breaks. These results can be exported to other formats, including Microsoft Excel or Crystal Reports. The reporting interface would be better if it gave users more control over the view. For instance, allowing users to change the number of bugs that are listed per page, similar to setting per-page results in search applications, would mean loading fewer Web pages for scrolling the entire results. BugScan lists a standard five bugs per page, so with 600 bugs found, you'll need to move through 120 Web pages. The initial results page could also list the bug occurrence offset numbers (a grid-like number used to locate the code reference) alongside the specific bug listing. BugScan requires that users click on specific bugs to get another page that scrolls down to the offset numbers at the bottom right corner.

HBGary offers excellent phone support--you'll speak directly to the people who designed and programmed BugScan. Fortunately, BugScan's packaged documentation is adequate, because its HTML help documentation is abysmal: two paragraphs on an unformatted page.

BugScan can easily replace in-house quality assurance tools, which require development. HBGary provides an excellent tool for companies focused on rooting out risks and maintaining secure project code.

About the Author
Alex Handy is a contributor to Information Security magazine.

This review originally appeared in Information Security magazine.

This was first published in August 2005
