ITS4: Software Security Tool

Cigital developed ITS4 to help automate source code review for security. ITS4 is a simple tool that statically scans C and C++ source code for potential security vulnerabilities. It is a command-line tool that works across Unix and Windows platforms.

ITS4 scans source code, looking for function calls that are potentially dangerous. For some calls, ITS4 tries to perform some code analysis to determine how risky the call is. In each case, ITS4 provides a problem report, including a short description of the potential problem and suggestions on how to fix the code.
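The scanning approach described above can be sketched as follows. This is an added example, not ITS4's code or its vulnerability database: the rule table, the string-literal heuristic and the sample C source are all constructed for illustration.

```python
import re

# Constructed rule table (not ITS4's database): name -> (severity, problem, fix)
RULES = {
    "gets":   ("HIGH", "no bound on input length", "use fgets with the buffer size"),
    "strcpy": ("HIGH", "no bound on destination", "use snprintf with the destination size"),
    "system": ("MEDIUM", "runs a shell command line", "use execve with a fixed argument vector"),
}

# Comments and literals are matched first, so function names inside them
# are consumed and never reported (the false positives plain grep produces).
TOKEN = re.compile(r'''
    (?P<comment>/\*.*?\*/|//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<call>\b[A-Za-z_]\w*)\s*\(
''', re.S | re.X)
# Assumed heuristic: the call's second argument is a string literal.
ARG2_LITERAL = re.compile(r'\s*[^,()"]+,\s*"(?:\\.|[^"\\])*"\s*\)')

def scan(src):
    """Return a list of (line, function, severity, problem, fix) findings."""
    findings = []
    for m in TOKEN.finditer(src):
        name = m.group("call")          # None for comment/string tokens
        if name not in RULES:
            continue
        severity, problem, fix = RULES[name]
        if name == "strcpy" and ARG2_LITERAL.match(src, m.end()):
            severity = "LOW"            # fixed-length source; still review by hand
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, name, severity, problem, fix))
    return findings

# Constructed sample input.
SAMPLE = r'''
#include <string.h>
/* never call gets() here */
void f(char *user) {
    char buf[16];
    puts("strcpy(buf, user) is unsafe");
    strcpy(buf, "hello");
    strcpy(buf, user);
    system(user);
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("line %d: %s [%s] %s; %s" % f)
```

The `gets()` in the comment and the `strcpy` inside the string literal produce no report, and the copy from a literal is downgraded rather than suppressed.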

ITS4 and its source code are provided here to the security community for any use that does not compete with Cigital's consulting practice.

Download ITS4 source code
This product is not supported.

ITS4 extended abstract (presented at ACSAC)
[ PS or PDF ]



