But tools will never help you find flaws in how the application is
designed. For instance, if the application stores passwords in a
reversible encryption format or doesn't encrypt them at all, the tool
will never identify such a flaw. Tools can only get you so far. A
manual review, hopefully predicated by a threat model, is
significantly more useful than using a tool alone.
Additionally, I like to use RegEx to do some directed searching for
keywords that help me identify areas of the code to look at more
deeply. Password (and its variation), crypt, key, random, etc. are
all useful terms to grep the code for.
-dhs
Dean H. Saxe, CEH
dean@fullfrontalnerdity.com
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Oct 28, 2005, at 7:51 AM, Prashant Shirangare wrote:
Hi Yousef,
U can download findbug tool from below mentioned URL :
http://sourceforge.net/project/showfiles.php?group_id=96405
And more information about this tool is available on following URL :
http://findbugs.sourceforge.net/
Sample output of findbug is available on following URL:
http://findbugs.sourceforge.net/commons-modeler.html
Above tools will help u in detecting security issues in Java code ...
Regards
Prashant
-----Original Message-----
From: Yousef Syed [mailto:yousef.syed@gmail.com]
Sent: Friday, October 28, 2005 3:33 PM
To: Web Application Security
Subject: J2EE Application Security Code Review
Hi,
I've been tasked with performing a Code Review on for Security on a
J2EE Application's code.
Though I've taken part in numerous Code Reviews, I've never done one
searching for Security issues.
Can someone please advise me on what I should be looking for?
Where can I get further information on the procedure that should be
followed?
Are there any Standards/Best Practices for Securing J2EE applications?
Thanx,
ys
--
Yousef Syed
*********************************************************
Disclaimer:
The contents of this E-mail (including the contents of the enclosure
(s) or attachment(s) if any) are privileged and confidential
material of MBT and should not be disclosed to, used by or copied
in any manner by anyone other than the intended addressee(s). In
case you are not the desired addressee, you should delete this
message and/or re-direct it to the sender. The views expressed in
this E-mail message (including the enclosure(s) or attachment(s) if
any) are those of the individual sender, except where the sender
expressly, and with authority, states them to be the views of MBT.
This e-mail message including attachment/(s), if any, is believed
to be free of any virus. However, it is the responsibility of the
recipient to ensure that it is virus free and MBT is not
responsible for any loss or damage arising in any way from its use
********************************************************
