Secure Coding mailing list archives

Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog


From: jim at manico.net (James Manico)
Date: Wed, 6 Jan 2010 16:36:09 -0500

Hello Matt,

Java EE still has NO support for escaping and lots of other important
security areas. You need something like OWASP ESAPI to make a secure app
even remotely possible. I was once a Sun guy, and I'm very fond of Java and
Sun. But JavaEE 6 does very little to raise the bar when it comes to
Application Security.

- Jim

On Tue, Jan 5, 2010 at 3:30 PM, Matt Parsons <mparsons1980 at gmail.com> wrote:

From what I read it appears that this Java EE 6 could be a few rule
changers. It looks to me like Java is checking for authorization and
authentication with this new framework. If that is the case, I think that
static code analyzers could change their rule sets to check what normally is
a manual process in the code review of authentication and authorization.
Am I correct on my assumption?

Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On Behalf Of Kenneth Van Wyk
Sent: Tuesday, January 05, 2010 8:59 AM
To: Secure Coding
Subject: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

Happy new year SC-Lers.

FYI, interesting blog post on some of the new security features in Java EE
6, by Ramesh Nagappan.  Worth reading for all you Java folk, IMHO.

http://www.coresecuritypatterns.com/blogs/?p=1622


Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

-- 
Jim Manico, Application Security Architect
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security
Securing your applications at the source
http://www.aspectsecurity.com
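The gap Jim points at above, as an added example (this is not code from his or Matt's messages, nor from Java EE or OWASP ESAPI): a constructed servlet-style page that writes a request parameter straight into HTML, next to the same page run through a hand-written contextual encoder of the kind ESAPI supplies. The class name, method names and the test payload are all my own; the encoder is deliberately minimal, and a real application should use a maintained library rather than this.

```java
/**
 * Added illustration: Java EE (as of EE 6) shipped no output-encoding API,
 * so any escaping has to come from the application or a library such as
 * OWASP ESAPI. This class shows the two contexts most often mixed up and
 * why each needs its own encoder. Names below are hypothetical.
 */
public final class HtmlEncodingDemo {

    /** HTML body context: neutralise the characters that can change parser state. */
    public static String forHtmlContent(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;  // must be encoded, or later entities get double-decoded
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;  // &apos; is not defined in HTML 4
                case '/':  out.append("&#x2F;"); break;  // blocks closing tags such as </script>
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * HTML attribute context. The caller must still wrap the value in double
     * quotes; here everything except ASCII alphanumerics is hex-encoded, so
     * whitespace, '=', backticks and quote characters cannot terminate or
     * create an attribute even if the template forgot the quotes.
     * Iterates by code point so supplementary characters are not split into
     * two invalid surrogate references.
     */
    public static String forHtmlAttribute(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        int i = 0;
        while (i < input.length()) {
            int cp = input.codePointAt(i);
            if ((cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9')) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    /** Constructed "before": what a plain servlet or JSP does with no framework help. */
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>\n"
             + "<input type=\"text\" value=\"" + name + "\">";
    }

    /** "After": each interpolation point uses the encoder for its context. */
    static String renderSafe(String name) {
        return "<p>Hello, " + forHtmlContent(name) + "</p>\n"
             + "<input type=\"text\" value=\"" + forHtmlAttribute(name) + "\">";
    }

    public static void main(String[] args) {
        // Constructed test input: breaks out of the attribute, then injects a script.
        String payload = "\"><script>alert(1)</script>";

        System.out.println("--- unsafe ---");
        System.out.println(renderUnsafe(payload));
        System.out.println("--- safe ---");
        System.out.println(renderSafe(payload));
    }
}
```

Compile and run with `javac HtmlEncodingDemo.java && java HtmlEncodingDemo`. The unsafe output contains a live `<script>` element twice; the safe output contains only entity text in both places. Note that the two encoders are not interchangeable: `forHtmlContent` would be too weak for an unquoted attribute, and neither is correct inside a `<script>` block or a URL, which need their own encoders. That per-context requirement is exactly what a framework without an encoding API leaves to every developer.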