We are quite limited really in terms of free or commercial tools specifically available to test the PL/SQL code we deploy for security vulnerabilities such as SQL Injection. There are two types of tools that could exist; static analysis tools or dynamic tools. Slavik's Fuzzor is a dynamic tool. That means you install it and run it against the code in the database and you basically "see" if you can make the code error by sending large amounts of pseudo random input to the procedures/functions/packages being tested.
The tool is configurable, FREE on the GPL3 license and very easy to use. We must exercise caution here:
Do not run this tool on a production database or any database you would like to keep. It should be run on a specific test system only as its purpose is to dynamically test code by running it
This is a great tool that can be run to test the code you have written internally in your organisations or to test third party vendor code. It is very easy to use and the reports are easy to understand. This release version of the tool is now available from Sentrigo's website and involves a simple registration process to get it. There has been a couple of major changes since I last talked about the tool in a post titled "A PL/SQL Fuzzer / Fuzzor". http://www.slaviks-blog.com/2009/02/04/updated-fuzzor/ - (broken link) Slavik summarises these as :
* Better functionality when working with types (objects, tables, PL/SQL records, etc.)
* A feature to generate automatic Hedgehog security rules from the scanning results. For example, if you find a vulnerability, but you are unable to fix it (ie, you don’t own the code, the code is wrapped or you require lengthy QA cycles) you can now automatically protect the vulnerable code by installing Hedgehog Standard and importing the generated rules.
I’ve also revised the report to be much more concise and readable.
The Fuzzor is available from the download page.
