initsecret/awesome-source-auditing

A curated list of source auditing resources.

Awesome Source Auditing

🚧 Work in Progress 🚧

A curated list of source auditing resources.

• Introduction
  • Guides
• Manual Reference
  • Cheatsheets
    • Sanity Checks
    • Comprehensive Lists
    • Tool Suggestions
  • Best Practices
  • Vulnerability Lists
• Automation
  • Automated Searching
  • Static Analysis Tools
  • Simple Fuzzers
• Practice
  • War Games / CTFs
• Other Awesome Lists
• Thanks
• Contribute

Introduction

Guides

• CTF Field Guide - Auditing Source Code - this was my first introduction to source auditing, I highly recommend watching the lectures.
• OWASP Code Review Guide - this guide is quite large but it might be helpful to mentally index it and keep the link handy.

Manual Reference

Cheatsheets

Sanity Checks

• Kudelski Security's Auditing code for crypto flaws: the first 30 minutes
• Kudelski Security's Auditing Rust Crypto: The First Hours

Comprehensive Lists

• iSECPartners LibTech-Auditing-Cheatsheet - awesome checklist, albeit slightly outdated (I forked it with the intention of modernizing it, feel free to chime in with your thoughts here.)

Tool Suggestions

• Security assessment techniques for Go projects - awesome blog post, so good that this is the only Go resource on this page!

Best Practices

• Pornin's Constant-Time Crypto - the definitive source for constant-time crypto.
• veorq's Cryptocoding - the definitive source cryptocoding recommendations.

Vulnerability Lists

• OWASP Top Ten
• 2020 CWE Top 25
• CWE Views:
  • CWE VIEW: Weaknesses Introduced During Design
  • CWE VIEW: Weaknesses Introduced During Implementation
  • CWE VIEW: Weaknesses in Software Written in C
  • CWE VIEW: Weaknesses in Software Written in C++
  • CWE VIEW: Weaknesses in Software Written in Java
• Bugs You'll Probably Only Have in Rust

Automation

Automated Searching

• Sourcetrail - source explorer that makes it easy to understand and navigate large code bases.
• Semgrep - static analysis tool that makes it really easy to search code.
• CodeQL - static analysis tool that is much more powerful than semgrep, but also harder to use.
• Joern - looks like an open-source alternative to CodeQL (I haven't had a chance to play with it yet).

Static Analysis Tools

• Basic Sanitizers:
  • AddressSanitizer​
  • MemorySanitizer
  • UndefinedBehaviorSanitizer
  • ThreadSanitizer
• clang static analyzer - easy to use, and might be a good second step after the sanitizers.
• cppcheck - simple static analysis tool for C/C++.
• RATS - seems a outdated but you might still be able to get something out of it (I haven't even compiled it, so no warranties here.)
• slither - the goto static analysis tool for solidity.
• Creating an LLVM Sanitizer from Hopes and Dreams - tutorial on how to write a new LLVM sanitizer.

Simple Fuzzers

• clang libfuzzer - a standard no-frills fuzzing engine
• AFL - a standard no-frills fuzzing engine
• Rust Fuzz Book - instructions on how to fuzz rust projects.

Practice

War Games / CTFs

• The Ethernaut
• Cryptopals
• exploit.education

Other Awesome Lists

• Awesome Security

Thanks

• I used dar5hak/generator-awesome-list to generate the template for this repo.

Contribute

Contributions welcome! Read the contribution guidelines first.