1. Ajay Mandal
  2. PowerBuilder
  3. Wednesday, 18 September 2019 20:41 PM

Hi All,

Looking for feedback from the community. We have a medical records application built on the PowerBuilder platform. As part of our compliance requirements we need to audit the code to make sure there are no security or coding vulnerabilities in the application.

Question:

1. Are there any free code scanning applications that can review the code and identify security vulnerabilities or coding anomalies, and that work with PowerBuilder? Even if it is a paid one we can consider it depending on the cost.

thank you for your feedback!

Christophe Dufourmantelle
  1. Wednesday, 26 August 2020 03:55 AM
  2. PowerBuilder
  3. # 1

Hi everyone,


For information, we just added a new set of features in Visual Expert to audit PowerScript-based applications.

This will scan code for security vulnerabilities, maintainability issues and bugs.

It will also cover Oracle and SQL Server code.

You can read more in this announcement,

and subscribe to the beta program - the beta version will be available in a few days.


Regards,

Christophe

Comment
Christophe,

I submitted a request for the beta program last weekend. Can you give me an estimate of when it will be released?

Raymond
  1. Raymond Longoria
  2. Thursday, 10 September 2020 06:15 AM
Hi Raymond,
The beta has been released today.

https://www.visual-expert.com/EN/visual-expert-blog/posts-2020/code-inspection-beta.html
The VE team should contact you shortly.
  1. Christophe Dufourmantelle
  2. Thursday, 10 September 2020 15:52 PM
Chris Pollach @Appeon
  1. Thursday, 19 September 2019 19:00 PM
  2. PowerBuilder
  3. # 2

Hi Jeff;

   The C++ code can be retrieved as follows:

1) Create a Machine Code compile "Project" object.

2) Run the MS project to create a C++ EXE and/or DLLs.

3) The IDE will write the C++ code to your MS-Windows default TEMP folder as files named XXXXX.C.

4) If you open an XXXX.C file, you will see the PB object class that it represents.

For example:

HTH

Regards ... Chris

Comment
Chris,

I followed your instructions for retrieving the C++ files and I did not get the XXXX.C files.

I set up the Project object with Machine Code selected. I noticed the C# Model Generator button was disabled. What did I do wrong?
  1. Raymond Longoria
  2. Monday, 14 September 2020 08:43 AM
What version & build of PB are you using?
  1. Chris Pollach @Appeon
  2. Monday, 14 September 2020 18:37 PM
Version 2019 build 2170
  1. Raymond Longoria
  2. Tuesday, 15 September 2020 06:30 AM
Ajay Mandal
  1. Thursday, 19 September 2019 02:53 AM
  2. PowerBuilder
  3. # 3

Thanks everyone for your feedback. It is much appreciated!

Ajay Mandal
  1. Thursday, 19 September 2019 02:51 AM
  2. PowerBuilder
  3. # 4

Thanks Chris, your feedback is very helpful!

Chris Pollach @Appeon
  1. Thursday, 19 September 2019 01:37 AM
  2. PowerBuilder
  3. # 5

Hi Ajay;

  Most people don't know this, but yes, you can scan PB Apps for security vulnerabilities. This requires the PB developers to think C/C++. So let's answer your question in parts....

A) Security Vulnerabilities Scanning Software.

    There are lots of products out there that can do this. Check out the following open source products.

B) One good free C/C++ tool is FlawFinder as one example. It's "open source" BTW.

C) Any PB App can be compiled into Machine Code, which in PB's case is C++. Not only can products like FlawFinder scan an App's resulting machine-code EXE, you can also capture the generated C++ source code from the actual PB IDE compilation. The generated C++ source is in essence a 100% reflection of the original PowerScript. So any vulnerabilities found in the C++ source can be directly traced back to your App's PowerScript coding.

HTH

Regards ... Chris

Comment
>>you can also capture the generated C++ source code from the actual PB IDE compilation
Really? How?
  1. Jeff Kandt
  2. Thursday, 19 September 2019 17:40 PM
Roland Smith
  1. Thursday, 19 September 2019 00:42 AM
  2. PowerBuilder
  3. # 6

Another issue to watch for is use of InfoMaker or other query tools.

What you can do is make all tables select only, and then at application startup it would somehow gain full update access. The exact method would depend on your database. Tables with sensitive data could have default access be none, with a view that returns only the non-sensitive columns.

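One way to implement the scheme sketched in this post, as an added example that is not part of the original reply: it targets SQL Server (the thread also mentions Oracle, where the mechanism differs), and the table, view, user, role names and the password are hypothetical. Query tools such as InfoMaker connect with an ordinary user that belongs to a select-only role, the sensitive table is denied outright to that role and exposed through a view of its non-sensitive columns, and full update access lives in an application role whose password only the application knows and which the application activates on its own connection at startup.

```sql
-- Added example (not from the thread). SQL Server T-SQL; all object names
-- and the password are hypothetical placeholders.

-- 1. The user everyone connects as (assumed to exist already) gets only a
--    read-only role. This is what InfoMaker or any ad-hoc query tool sees.
CREATE ROLE clinic_readonly;
ALTER ROLE clinic_readonly ADD MEMBER clinic_user;
GRANT SELECT ON SCHEMA::dbo TO clinic_readonly;

-- 2. A table holding sensitive data: default access for the read-only
--    role is none. DENY wins over the schema-level GRANT above.
CREATE TABLE dbo.patient (
    patient_id  INT IDENTITY PRIMARY KEY,
    mrn         VARCHAR(20)   NOT NULL,  -- medical record number
    full_name   NVARCHAR(200) NOT NULL,
    ssn         CHAR(11)      NULL,      -- sensitive
    diagnosis   NVARCHAR(MAX) NULL       -- sensitive
);
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.patient TO clinic_readonly;

-- 3. A view that returns only the non-sensitive columns. Because the view
--    and the table share an owner (dbo), ownership chaining means the DENY
--    on the table is not re-checked when the view is queried.
-- CREATE VIEW must be the first statement in its batch.
GO
CREATE VIEW dbo.patient_public AS
    SELECT patient_id, mrn, full_name
    FROM dbo.patient;
GO
GRANT SELECT ON dbo.patient_public TO clinic_readonly;

-- 4. Full update access is held by an application role. Its password is
--    known only to the application, never to the InfoMaker users.
CREATE APPLICATION ROLE clinic_app WITH PASSWORD = 'change-me-to-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO clinic_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.patient  TO clinic_app;

-- 5. What the application runs on its connection at startup, right after
--    connecting as clinic_user. From this point the connection carries the
--    permissions of clinic_app instead of the login's.
EXEC sp_setapprole @rolename = 'clinic_app',
                   @password = 'change-me-to-a-long-random-secret';
```

The password in the sp_setapprole call is sent to the server, so the application should only issue it over an encrypted connection, and the secret must not sit in the PowerScript source or in an .INI file the client can read, or every InfoMaker user can elevate themselves the same way. A connection that has activated an application role keeps its permissions until it is closed (sp_unsetapprole can revert it only if sp_setapprole was called with a cookie), so the same connection should not be handed to any feature that lets users run free-form SQL.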
Armeen Mazda @Appeon
  1. Wednesday, 18 September 2019 23:42 PM
  2. PowerBuilder
  3. # 7

Hi Ajay, I'm not aware of any free tools that do this kind of scan for PowerScript.

Ajay Mandal
  1. Wednesday, 18 September 2019 22:37 PM
  2. PowerBuilder
  3. # 8

Hi Olan,

Thanks for your response, it gives me some ideas. However, we still need to do an entire audit of the code, so I am still looking for a tool that will allow scanning of PowerBuilder application code!

thanks,

Ajay

Olan Knight
  1. Wednesday, 18 September 2019 22:11 PM
  2. PowerBuilder
  3. # 9

Most security issues arise from access to the data, and that means the database is the primary concern for security.

Having a secure password policy on your application will prevent most issues, but you can never prevent a disgruntled employee from accessing data with malicious intent. What you CAN do is track all user ID/login activity, and follow basic security principles:
- remove the logon when an employee leaves
- change the password every X number of days, usually 90
- require decent passwords with a minimally complex structure


JM2¢W,

Olan
