This week Dave Rook (AKA Security Ninja released a new security review tool; Agnitio. In the interest of full disclosure for this review, Dave is a friend and mentor through the Infosec Mentors program. I have been using Agnitio for a couple of weeks now and I have found it to be an interesting and effective tool in the code review process as well as a convenient information repository. Code reviews are often performed in an inconsistent way, depending heavily on the reviewer; Agnitio provides a framework for adding more consistency to these reviews.
Agnitio is a fairly simple tool with a lot of depth. You begin by creating a profile(shown below), which contains basic information about your application including languages used, data sensitivity classification and stored information types. After saving an application profile, you can move onto a security code review. This is the real meat of Agnitio.
Agnitio presents a 66 question checklist covering the nine principals of secure development. With so much application security information typically focused on vulnerabilities, it's refreshing to see clearly broken down security action items for developers. You can answer a review question with "Yes", "No", or "N/A". Answering N/A to a question requires an explanation. I would argue that no could require this as well.
After all of the questions have been answered, you can save your review and export pretty reports. I can't help thinking how helpful these reports could have been in the past when I've inherited applications with little to no security documentation. Agnitio can serve several different purposes depending on the user's job function. As a developer, a centralized, detailed security checklist is helpful in all phases of creating the application. Future versions will include customizable checklists which will allow for more project/company specific code reviews.
Agnitio is also a learning resource. Reading through the code review checklist serves as a more detailed breakdown of secure coding principles. Most developers know their software needs secure communications, for example, but the specific implementation is not always obvious. Agnitio lets a developer know what they need to be thinking about and lays a groundwork for sensible application security related communication between developers.
Overall, I have enjoyed the opportunity to play with Agnitio these past few weeks. I'm excited to see what lies ahead for Agnitio. A few of the features I've heard about have the potential to be very cool. I would recommend Agnitio to anyone with an interest in application security and writing stronger code.