For static analysis to check for best practices, there aren't any free tools that come to mind that give you easily digestible info without usually doing some manual reversing and a lot of extra knowledge. HBGary once created a tool called FingerPrint that provided some of this extra info but that tool disappeared. I extracted out a lot of what it does into YARA signatures: http://0xdabbad00.com/2011/01/09/fingerprinting-using-yara/
The original purpose of HBGary's tool was for fingerprinting malware, but what it really was doing was just extracting out info from malware author's build environments that could be learned from the executables they created.
Other things you would want to check for though are:
- Are the executables code signed?
- When run, look in ProcessExplorer (for Windows) to see if it runs with DEP/ASLR/CFG/x64 and ensure every DLL it loads has ASLR and CFG.
- Run with wireshark on and ensure any network traffic is HTTPS.
There are thousands of ways for all these checks to give incorrect information with regard to whether the developers follow best practices or not, but if you do enough steps they'll add up to a decently accurate understanding.
The original purpose of HBGary's tool was for fingerprinting malware, but what it really was doing was just extracting out info from malware author's build environments that could be learned from the executables they created.
Other things you would want to check for though are: - Are the executables code signed? - When run, look in ProcessExplorer (for Windows) to see if it runs with DEP/ASLR/CFG/x64 and ensure every DLL it loads has ASLR and CFG. - Run with wireshark on and ensure any network traffic is HTTPS.
There are thousands of ways for all these checks to give incorrect information with regard to whether the developers follow best practices or not, but if you do enough steps they'll add up to a decently accurate understanding.