Pavan, refer to the URL below for various code review tools (static code analysis tools): http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
You may refer to SecurityTube, YouTube or various other websites for demonstrations of these kinds of tools and utilities.

Let me tell you another important aspect of secure SDLC practices. You shall use an automated static analysis tool to find bugs/vulnerabilities in the development phase and validate the same by manual review. A few corporates call this process the malicious code review process, or simply the code review process. When I say manual review, you shall be applying/implementing manual test cases, the same as those for most of the vulnerabilities that you test for in Application Security Testing in the testing phase. In both of the environments (Dev and Test) you shall have a link to the application/service respectively. So, you will have more scope in the development environment to find and dig out more vulnerabilities compared to security testing in the testing phase.

Having said this, I also would like to tell you that the objectives for security engineers will vary depending on the type of environmental access you will be given. More than all of these are the legal restrictions when you work in outsourced companies. The point I am coming to now is: you will be instructed not to apply penetration techniques while the application is under development, and everyone shall follow corporate policies. And finally you will end up running automated scans, simple verifications of the existence of vulnerabilities/bugs and reporting of the same. That's it.

Regards
Sandeep Thakur

--
You received this message because you are subscribed to the Google Groups "nforceit" group.
For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
