ITS4 <http://www.cigital.com/its4/> and its counterparts RATS and Flawfinder provided an early set of software security rules built into very basic static analysis tools. See Chapter 4 for more on static analysis tools and their use.

The rules shown here are enforced in ITS4 by essentially greping through source code looking for simple patterns—an approach filled with potential false positives. Not surprisingly, most of these rules are about APIs in UNIX- or Windows-based systems. What follows is a complete list of the kinds of rules that were built into ITS4. RATS added several hundred more rules of a very similar nature.^[1]

The rules shown here were taken from Cigital’s extensive knowledge base of software security rules. ...