Easier Security Code Reviews with Agnitio

These days, creating secure applications is of the utmost importance, and as crackers improve their skills, security is becoming more and more challenging. Developers who are responsible for this area are only as good as the tools available to them. If this is you, and you work on Windows, then you might want to have a look at Agnitio. This security review tool assists you in conducting manual security reviews, and provides code review metrics and reporting for static analysis.

Agnitio’s lone developer is a man who takes security *very* seriously, David Rook. He recently received a Microsoft Security MVP award, and his expert Security Ninja blog has been nominated for five awards, including the Computer Weekly IT Security blog award. I had the distinct pleasure of talking with David about the Agnitio project.

How did the project get started?

Two main reasons, really. Firstly, my application security team was growing fast and I needed to make sure that our security code review process was structured and exactly the same regardless of who completed the review. This was achieved by creating a checklist that covers the root causes of common web application vulnerabilities. The decision to have a checklist-driven approach was influenced by the Checklist Manifesto book and the fact that checklists help engineers, doctors and pilots do their jobs better, so why can’t they do the same for security code reviewers? What I also wanted to do was to understand that humans can be good code reviewers but only with the right help, guidance and tools. Agnitio is designed to make the most use of the limited time that humans are “useful” for code reviews. Humans get tired, emotional and distracted so Agnitio is there to try and keep them on track with the guidance they need when they need it the most – during the review itself.

The second reason was to deal with a bit of laziness on my behalf initially I suppose. I hated the report creation part of code reviews, the need to make sure we had audit trails and metrics so I wanted to make all of these things happen automatically. Basically what I can now say is that if you use Agnitio to do your security code reviews you get your audit trails, integrity checks, reports and metrics automatically without any additional work on top of completing the review itself.

Have you contributed to open source before?

I hadn’t, actually. What better way to start than making your own project?

Do you have plans for the project, such as expanding the functionality or growing the dev team?

I have lots and lots of ideas in mind for future versions of Agnitio. I plan to increase the number of rules for the code analysis module to include languages such as PHP and Java on top of the Android and iOS rules that I added in v2.0. Some of the other changes I have in mind are having dynamic checklists so that users aren’t stuck using one checklist – if you are reviewing an application that is Java using Spring and Microsoft SQL Server you get a checklist that focuses on specific issues associated with that stack, for example. I love the user-suggested changes, and my list of user-suggested changes includes things like notes per checklist question in the review rather than one overall notes box and the ability to compare/access previous review results for an application whilst you are doing a new review.

Growing the dev team is something I have in mind. We have demand for adding lots of new functionality in the Windows version, people want a Linux version and we have even had a request for an Android tablet version. I’d certainly encourage people to get in touch if they think they can help with anything associated with taking Agnitio forward.

Why do you personally contribute to open source?

Mainly because I’ve worked in companies where application security budgets were nonexistent, and even where budgets are available, commercial application security tools are out of reach for most people. I wanted to make a solution that anyone could pick up and use regardless of their application security understanding and budget.

How can people help you? What are your main needs right now?

One of the things I really need right now is for people who use Agnitio to tell me what they see as the biggest problems with the tool. I’d love to know what the users would like to change or add to the tool to address issues they have and really push the project forward. If anyone wants to contribute more than ideas, I’m always looking for people to help write code or even test Agnitio when I’m close to releasing a new version, especially people using non-English versions of Windows!

Agnitio is a very useful and well-developed tool, and has a very bright future ahead. We encourage you to check it out!

To download Agnitio: http://sourceforge.net/projects/agnitiotool
