Tuesday, April 17, 2007

Scanning Source Code for Vulnerabilities Before Checkin

I was sitting in #webappsec today when zn- commented that he really wanted something that would check code for security vulnerabilities as it was being checked into source control. If something was found, the check could refuse the commit or do whatever else the group had decided to do with it. This got me thinking about it a bit. The company I work for does an extremely basic check of this nature for things like inline SQL in web code: if the code contains something that matches its pattern, it still checks the code in and notifies engineering management of the issue. That isn't the most robust check in the world, so how could it be improved?

The Web Application Security Consortium has an article up about using security frameworks in web development. It refers to a few different frameworks, such as the Java Validation Library and Microsoft's Anti-XSS library, which brings up an interesting idea: how would someone script their source control server to run checked-in code against these libraries? What issues would you run into? At home I use Subversion on UNIX. How would I check code developed for the Microsoft platform against their Anti-XSS library from my UNIX host? Would it be possible, or would the library be totally unusable for automated code audits? I admit I don't know much about either of these libraries at this time, but it would be REALLY cool to be able to call some method that runs the code through a security framework looking for potential issues. I think I might play around with this some in the future. If nothing else, I need another couple of units at school to graduate, and this might make a good project to play with.
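As an added example (not the author's code, nor the company's checker mentioned above) of the commit-time check discussed here: a Subversion pre-commit hook for a UNIX host that inspects only the lines a commit adds, flags SQL assembled by string concatenation or formatting, and, unlike the notify-only check, rejects the commit and reports the offending lines back to the committer. The regex heuristics, file paths and the sample diff are constructed for illustration; the hook is installed as `hooks/pre-commit` in the repository and Subversion passes it the repository path and transaction id.

```python
"""Subversion pre-commit hook (svn runs it as: pre-commit REPOS TXN). Scans only the
lines a commit ADDS for SQL built by string concatenation and rejects the commit."""
import re
import subprocess
import sys

# Heuristics, not a complete taxonomy: a string literal whose first words carry an
# SQL keyword, joined to other values by +, PHP ".", Python %, .format() or f"...".
SQL_LITERAL = re.compile(r'["\'][^"\']*\b(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\b', re.I)
DYNAMIC_JOIN = re.compile(r'["\']\s*\+|\+\s*["\']|["\']\s*\.\s*\$|\$\w+\s*\.\s*["\']'
                          r'|["\']\s*%\s*[(\w]|["\']\s*\.\s*format\(|\bf["\']')

def scan_added_lines(diff_text):
    """Return [(path, text)] for added ('+') diff lines that trip the heuristic;
    removed and context lines are skipped so pre-existing code is not re-flagged."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]      # drop svnlook's "\t(txn ...)" suffix
        # Both regexes must hit, so a parameterised query with a literal is accepted
        elif line.startswith("+") and SQL_LITERAL.search(line) and DYNAMIC_JOIN.search(line):
            findings.append((path, line[1:].strip()))
    return findings

# Constructed sample in the shape `svnlook diff -t TXN REPOS` prints (not a real commit)
SAMPLE_DIFF = """\
+++ trunk/app/db.py\t(txn 42-1)
@@ -1,3 +1,3 @@
-    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
+    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
+    cur.execute("DELETE FROM sessions WHERE token = '" + token + "'")
     total = price + tax
+++ trunk/web/item.php\t(txn 42-1)
@@ -3,1 +3,2 @@
+$q = "SELECT * FROM items WHERE id = " . $_GET['id'];
"""

def main(argv):
    if len(argv) == 3:                      # invoked by Subversion as a hook
        diff = subprocess.run(["svnlook", "diff", "-t", argv[2], argv[1]],
                              check=True, capture_output=True, text=True).stdout
    else:                                   # stand-alone demo on the constructed diff
        diff = SAMPLE_DIFF
    findings = scan_added_lines(diff)
    for path, text in findings:
        sys.stderr.write(f"{path}: possible inline SQL: {text}\n")
    return 1 if findings else 0             # non-zero exit = svn rejects the commit

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Switching the final line to always return 0 turns the same script into the notify-only policy the post describes, with the findings still written to stderr for logging.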