There are a few commercial tools (e.g. Ounce Labs, Fortify, Parasoft) for
this that are coming along nicely. We use these as a part of our reviews,
and they can definitely help speed a security review in the hands of a
security expert.
A few things that are very important in these tools:
1) Easy Set Up -- Gather all the source code together, get libraries,
binaries, handle dependencies, etc...
2) Knows Your Libraries -- I don't see how a tool can say anything about
your security unless it knows what all the libraries your program calls
actually do.
3) Customizable -- You should be able to teach it about the common custom
libraries you use within your organization. E.g. tell it where the logging
and encryption calls are.
4) Hooked In -- The tool should be hooked into your development environment
AND your bug tracking system.
5) Warnings -- I'd say the majority of security problems in code cannot be
absolutely identified with an automated solution. So the tool should be
designed to facilitate human review by a security expert (and not focus on
eliminating false alarms).
--Jeff
Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com
----- Original Message -----
From: "Mads Rasmussen" <mads (at) opencs.com (dot) br [email concealed]>
To: <secprog (at) securityfocus (dot) com [email concealed]>
Sent: Thursday, May 05, 2005 10:37 AM
Subject: tools for analyzing java code
>
> Does anyone know of any tools to analyze security problems with Java code?
>
> I have come across some, like
>
> Lint4j (open source)
> http://www.jutils.com/index.html
>
> CodePro Analytix
> http://www.instantiations.com/codepro/download.asp
>
> Jtest
> http://www.parasoft.com/jsp/products/home.jsp?product=Jtest&itemId=14
>
> Parasoft's Jtest mainly does coding style analysis but appears to
> have some security checks (50+).
>
> I would like to hear from anyone who has experience with these tools or
> anyone who might know better ways to analyze java code from a security
> perspective.
>
> Regards,
>
> Mads Rasmussen
> Security Consultant
> Open Communications Security
>
>
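Points 2, 3 and 5 of the reply above, as an added illustration that is not part of this thread and not any vendor's code: a toy scanner whose "library model" tells it which calls are sinks, which organization-specific calls sanitize them, and where the logging and encryption entry points are, and which reports every hit as a warning for a human reviewer rather than a verdict. Every class and method name in the model and in the Java sample is hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed "library model": what the tool is taught about the libraries the
# code calls (points 2 and 3). A key is a bare method name, matched on any
# receiver, or "Receiver.method" for static calls into the organization's own
# classes. Every class and method name here is hypothetical.
LIBRARY_MODEL = {
    "sinks": {"executeQuery": "SQL", "Runtime.exec": "OS command"},
    "sanitizers": {"SQL": {"SqlEncoder.encode"}, "OS command": {"ShellArg.quote"}},
    "review": {"AppLog.debug": "logging call", "OrgCrypto.encrypt": "encryption call"},
}
# receiver.method( ... ): a textual match, not type resolution
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)\s*\(")

@dataclass(frozen=True)
class Finding:
    line: int
    kind: str   # "sink", "sanitized-sink" or "review"
    call: str
    note: str

def _known(call: str, keys):
    """Return the model key naming this call, or None."""
    method = call.split(".", 1)[1]
    return next((k for k in keys if k in (call, method)), None)

def scan_java(source: str, model=LIBRARY_MODEL) -> list:
    """Produce warnings for a human reviewer (point 5); nothing is a proven bug.
    The sanitizer check is line-local; a real tool needs data-flow analysis."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        calls = [f"{r}.{m}" for r, m in CALL_RE.findall(text)]
        for call in calls:
            if key := _known(call, model["sinks"]):
                category = model["sinks"][key]
                guarded = any(_known(c, model["sanitizers"][category]) for c in calls)
                kind = "sanitized-sink" if guarded else "sink"
                findings.append(Finding(lineno, kind, call, f"{category} sink"))
            elif key := _known(call, model["review"]):
                findings.append(Finding(lineno, "review", call, model["review"][key]))
    return findings

# Constructed Java fragment to scan
SAMPLE_JAVA = """\
String q = "SELECT * FROM users WHERE name = '" + name + "'";
ResultSet rs = stmt.executeQuery(q);
ResultSet ok = stmt.executeQuery(SqlEncoder.encode(q));
AppLog.debug("login for " + user + " pw=" + pwd);
byte[] c = OrgCrypto.encrypt(data, key);
"""
```

Running `scan_java(SAMPLE_JAVA)` flags line 2 as an unguarded SQL sink, line 3 as a sanitized one, and lines 4 and 5 as logging and encryption calls to look at; the reviewer, not the tool, decides which of those is a real problem.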