Announcing ECG’s Closed Beta

Posted by: voidsec

After a lot of effort and a long month of alpha testing, today I’m proud to announce the launch of ECG’s closed beta.

What is ECG? (tl;dr)

ECG is a TCL static source code analysis tool. It is the first commercial solution able to detect real and complex security vulnerabilities in TCL/ADP source-code.

Want to know more about ECG? Visit ECG’s main website!

What is TCL?

TCL is a high-level, general-purpose, interpreted, dynamic programming language. It was designed with the goal of being very simple but powerful. It is commonly used embedded into C applications, for rapid prototyping, scripted applications, GUIs, and testing. TCL interpreters are available for many operating systems, allowing TCL code to run on a wide variety of systems. Because TCL is a very compact language, it is used on embedded systems platforms, both in its full form and in several other small-footprint versions.

How and why ECG was born?

(the scanner you didn’t know you needed)

The main idea behind ECG was born after weeks of TCL source code security assessment. Since at that time there was no tool on the market (nor in the open source community) able to scan TCL/ADP source code (and its use in OpenACS, NaviServer and AOLserver) for vulnerabilities, I ended up loading the entire repository into Sublime and grepping for known dangerous function calls and possible server misconfigurations.

The workload was huge: more than 1,500,000 lines of code. After the code review ended, I discovered that TCL web and stand-alone applications were more common than I had thought.

A simple Shodan search returned more than 12,000 results for AOLserver.

AOLserver:

AOLserver is AOL’s open source web server. AOLserver is multithreaded, Tcl-enabled, and used for large scale, dynamic web sites. AOLserver was the first HTTP server program to combine multithreading, a built-in scripting language, and the pooling of persistent database connections. AOLserver is a key component in the Open Architecture Community System (OpenACS) which is an advanced open-source toolkit for developing web applications.

With that in mind, together with the knowledge gathered and the effort spent during the weeks-long code review, I began thinking of a way to speed up future TCL source code reviews. In the meantime, I was also thrilled by the opportunity to create a tool enabling companies still relying on TCL to scan their code for vulnerabilities.

Why is it called ECG?

The first version of ECG was essentially a big Python script with embedded regexes used to "grep and match" known dangerous function calls. Its internal name was in fact Extended Code Grepper (ECG).
I borrowed the main idea from another existing tool: Visual Code Grepper (VCG) made by NCC.

How did ECG evolve from its first version?

ECG has evolved a lot since its first version; starting from a simple "code grepper", the following functionality has been implemented:

  • Created a database of almost a hundred checks for dangerous function calls and vulnerabilities in:
    • TCL language
    • Open ACS
    • AOLserver
    • NaviServer
  • Ability to generate a list of procedures and sub-routines per file
  • Ability to generate a list of parameters per file
  • Generate a list of imported packages
  • Scan for hard-coded secrets
  • Scan for comments
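To make the "extended code grepper" idea concrete, here is an added example of my own: it is not ECG's code and not its real check database. It runs a small set of regex checks over a constructed Tcl sample written in the AOLserver/OpenACS style and, as the feature list above describes, also lists procedures and their arguments, request parameters read with ns_queryget, required packages, hard-coded secrets and comments. The check ids, the patterns and the sample source are assumptions for illustration; the ns_dbquotevalue exclusion shows one way such a grepper avoids a false positive on a value that is already quoted before it reaches the SQL string.

```python
"""Minimal "extended code grepper" for Tcl/ADP source (illustrative; not ECG's code)."""
import re
from dataclasses import dataclass, field

# Constructed Tcl sample in the AOLserver/OpenACS style; not taken from any real project.
SAMPLE_TCL = '''
package require Tcl 8.5
package require json

# TODO: remove debug credentials before release
set db_password "hunter2"
set api_token "tok_0123456789abcdef"

proc lookup_user {db} {
    set name [ns_queryget name]
    set row [ns_db 1row $db "select * from users where name = '$name'"]
    return $row
}

proc run_report {db format} {
    set cmd [ns_queryget cmd]
    eval $cmd
    exec sh -c "report.sh $format"
    return [db_string count "select count(*) from reports where fmt = '$format'"]
}

proc safe_lookup {db} {
    set name [ns_queryget name]
    set row [ns_db 1row $db "select * from users where name = [ns_dbquotevalue $name]"]
    return $row
}
'''.lstrip("\n")

# Check database: (id, severity, regex, note). Ids and patterns are my own
# illustrative choices (assumed), not ECG's real check set.
CHECKS = [
    ("TCL-EVAL", "high", r"^\s*eval\s+\$",
     "eval on a variable executes it as Tcl; attacker-controlled input becomes code"),
    ("TCL-EXEC", "high", r"^\s*exec\s+",
     "exec spawns a process; interpolated variables reach the command line"),
    ("TCL-SUBST", "medium", r"\bsubst\s+\$",
     "subst on a variable evaluates embedded [commands] and $vars"),
    ("TCL-OPEN-PIPE", "high", r'\bopen\s+"\|',
     'open "|cmd" runs a command pipeline'),
    ("AOL-NSDB-INTERP", "high",
     r'\bns_db\s+(?:dml|1row|0or1row|select|exec)\s+\$\w+\s+"[^"]*(?<!ns_dbquotevalue )\$\w+',
     "Tcl variable interpolated into SQL passed to ns_db (not wrapped in ns_dbquotevalue)"),
    ("ACS-DB-INTERP", "high",
     r'\bdb_(?:dml|string|1row|0or1row|list|foreach|multirow)\s+\S+\s+"[^"]*(?<!ns_dbquotevalue )\$\w+',
     "Tcl variable interpolated into SQL passed to an OpenACS db_* call; use :bind variables"),
]

SECRET_RE = re.compile(r'^\s*set\s+(\w*(?:pass|pwd|secret|key|token|cred)\w*)\s+"([^"]*)"', re.I)
PROC_RE = re.compile(r"^\s*proc\s+(\S+)\s*\{([^}]*)\}", re.M)
PACKAGE_RE = re.compile(r"^\s*package\s+require\s+(\S+)", re.M)
QUERY_RE = re.compile(r"\bns_queryget\s+(\w+)")
COMMENT_RE = re.compile(r"^\s*#(.*)$", re.M)


@dataclass
class Finding:
    check_id: str
    severity: str
    line: int
    code: str
    note: str


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)
    procs: dict = field(default_factory=dict)      # proc name -> argument list
    packages: list = field(default_factory=list)
    params: list = field(default_factory=list)     # request parameters read via ns_queryget
    secrets: list = field(default_factory=list)    # (variable, literal value)
    comments: list = field(default_factory=list)


def scan_source(src: str) -> ScanResult:
    """Line-by-line regex matching plus whole-file inventory of procs, packages, params."""
    result = ScanResult()
    compiled = [(cid, sev, re.compile(pat), note) for cid, sev, pat, note in CHECKS]
    for lineno, line in enumerate(src.splitlines(), 1):
        for cid, sev, rx, note in compiled:
            if rx.search(line):
                result.findings.append(Finding(cid, sev, lineno, line.strip(), note))
        m = SECRET_RE.match(line)
        if m:
            result.secrets.append((m.group(1), m.group(2)))
    result.procs = {m.group(1): m.group(2).split() for m in PROC_RE.finditer(src)}
    result.packages = [m.group(1) for m in PACKAGE_RE.finditer(src)]
    result.params = sorted(set(QUERY_RE.findall(src)))
    result.comments = [m.group(1).strip() for m in COMMENT_RE.finditer(src)]
    return result


def format_report(result: ScanResult) -> str:
    order = {"high": 0, "medium": 1, "low": 2}
    out = ["Findings:"]
    for f in sorted(result.findings, key=lambda f: (order[f.severity], f.line)):
        out.append(f"  [{f.severity}] line {f.line} {f.check_id}: {f.code}")
        out.append(f"      {f.note}")
    out.append("Procedures: " + ", ".join(f"{n}({' '.join(a)})" for n, a in result.procs.items()))
    out.append("Packages: " + ", ".join(result.packages))
    out.append("Request parameters: " + ", ".join(result.params))
    out.append("Hard-coded secrets: " + ", ".join(v for v, _ in result.secrets))
    out.append("Comments: " + " | ".join(result.comments))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(scan_source(SAMPLE_TCL)))
```

Run it as-is to scan the embedded sample, or replace SAMPLE_TCL with the contents of a real .tcl or .adp file. The safe_lookup procedure produces no finding because the SQL regex refuses to fire on a $variable immediately preceded by ns_dbquotevalue; a real scanner needs far more context than a single line to decide that, which is exactly where a pure grepper starts to produce false positives.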

ECG’s 3 most distinctive features

  1. Unmatched Bug Detection: the first and the only solution able to detect real and complex security vulnerabilities in TCL/ADP source-code.
  2. Outstanding Performance: in-depth source-code security analysis in minutes instead of hours (or days), suitable for continuous testing.
  3. Low False Positives: highly accurate analysis results, so you can focus on meaningful findings without wasting time.

What do you get with a free trial?

  • Scan 1 application (unlimited lines of code) and get the first 3 unique reported vulnerabilities.
  • A human security analyst will filter out the scanner’s false positives and assemble the report.
  • Scan against the entire database of security issues (hundreds of checks).
  • 1 day of access to ECG SaaS (once out of closed beta).

Impressed by our features? Request a Free Trial

Want to know more about ECG? Visit ECG’s main website!