Agnitio Security Code Review Tool v2.1 released

[Nytro]

Agnitio Security Code Review Tool v2.1 released

OCTOBER 24, 2011 | WRITTEN BY SECURITY NINJA

Hi everyone,

I wanted to write a blog post today to let you all know that I've released Agnitio v2.1 today. I did plan to release this version a few weeks ago but a combination of life and bugs/last minute feature changes delayed the release, better late than never though!

I’ve made a lot of changes for this release so I wanted to make extra sure that everything worked before I released it. Interestingly Agnitio passed all of its QA tests in the first test run but the Data Migration Tool was a different story! The DMT is used to migrate users existing data into the new Agnitio checklist database. It’s probably not the best way to perform an upgrade and it certainly needs some work but for now it works! Agnitio currently puts the new checklist database into the program files directory alongside the other Agnitio files which can cause a bit of problem because of the default file permissions on the Program Files directory.

The program files directory in Windows 7 has better (the definition of better requires me look at it as a security professional and not as someone writing code!) default permissions/restrictions than previous versions of Windows I believe which causes a problem when using Agnitio or the DMT as a standard user. The user obviously needs to be able to read data from the checklist database and of course write reviews or changes to the database. I tried a few different approaches to rectifying this and I’ve settled on a solution which probably isn’t ideal but it does mean standard users can use Agnitio on Windows 7. The DMT will need to be run as an administrator to migrate the data but after that administrator privileges aren’t needed anymore. You will need to make a few permission changes regardless of the operating system you are using so please make sure you read the Agnitio v2.1 User Guide (included as part of the installation) before you attempt to use the new version or migrate your data.

I’m currently working on a better solution to this with a new contributor so I’d expect to have a nicer solution to this problem when the next version of Agnitio is released!

So what’s new in v2.1? I have listed all of the changes in this release below:

Windows x64 support (thanks to Steven van der Baan).

Decompile Android .apk files so you can analyse the source code and AndroidManifest.xml file. This uses tools like JAD so you will need to have Java installed on your machine to decompile the Android .apk files.

C# and Java rules from the OWASP Code Crawler tool imported into the Agnitio database and linked to the relevant checklist questions.

New checklist items for mobile application security code reviews. These checklist items were created to address items in the OWASP top 10 mobile risks project that weren’t covered by existing checklist items.

Application profiles can now be configured as either “Web” or “Mobile”. This will determine which checklist items from the database are used to create the checklist for the application being reviewed.

Create new checklist items. You will be able configure the relevant principle of secure development for the new checklist item as well as deciding whether this is a question for “Web”, “Mobile” or “Both” types of applications.

Modify existing checklist items. This was supposed to be included in v2.0 but a last minute change I made at 7am in a Las Vegas hotel room broke this functionality. You can now modify the text, the principle and type columns for questions in the checklist database.

I made a lot of small changes in addition to the ones above; I’ve listed some of the more obvious ones below:

Only one answer allowed per checklist item (thanks to Steven van der Baan).

Fixed a bug on the security code review tab where checklist items with no answers are highlighted in red and never “un-highlighted” (thanks to Steven van der Baan).

Added a language checkbox for Objective-C on the profile creation and view profile tabs.

Checklists are now sorted by principle and not by the question number.

I did have two issues which I couldn’t get fixed but I decided to release v2.1 now because it has already taken longer than I’d planned! The two issues will only affect x64 users and I will make sure they are fixed as part of v2.2:

Android .apk decompile functionality will fail to decompile .apk files on Windows x64.

Data Migration Tool (for upgrades from v2.0) is not supported on x64 at the moment. You can use the Data Migration Tool on x86 versions of Windows to migrate your v2.0 data.

I think I’ve included all of the new features and changes in this blog post so all that’s left for me to do now is give you link to download v2.1:

Agnitio v2.1

I have started to plan what will be included in v2.2 but I’ve not started working on it yet. I have a few cool ideas in mind for v2.2 which I think you will all like. I’ve released 5 versions of Agnitio over the past 11 months which has eaten up a lot of my spare time and I don’t really enjoy working on one thing for a long time. I will be taking a couple of weeks away from the project before I start work on v2.2 to rest my poor overworked brain I don’t expect to release v2.2 until sometime after Christmas partly because of the break I’m taking from the project but mainly because of the amount of work that I will need to do to implement the cool changes I want to make!

As always I’d love to hear what you think of the latest version of Agnitio so get in touch via Twitter, email or leave a comment on this blog post.

SN

Download:

https://sourceforge.net/projects/agnitiotool/files/v2.1/

Sursa: https://www.securityninja.co.uk/application-security/agnitio-security-code-review-tool-v2-1-released/