Re: J2EE Application Security Code Review

["Dean H. Saxe" <dean () fullfrontalnerdity com>]

But tools will never help you find flaws in how the application is  
designed.  For instance, if the application stores passwords in a  
reversible encryption format or doesn't encrypt them at all, the tool  
will never identify such a flaw.  Tools can only get you so far.  A  
manual review, hopefully predicated by a threat model, is  
significantly more useful than using a tool alone.

Additionally, I like to use RegEx to do some directed searching for  
keywords that help me identify areas of the code to look at more  
deeply.  Password (and its variation), crypt, key, random, etc. are  
all useful terms to grep the code for.

-dhs

Dean H. Saxe, CEH
dean () fullfrontalnerdity com
"If liberty means anything at all, it means the right to tell people  
what they do not want to hear."
    -- George Orwell, 1945



On Oct 28, 2005, at 7:51 AM, Prashant Shirangare wrote:

> Hi Yousef,
>
> U can download findbug tool from below mentioned URL :
>
> http://sourceforge.net/project/showfiles.php?group_id=96405
>
> And more information about this tool is available on following URL :
>
> http://findbugs.sourceforge.net/
>
> Sample output of findbug is available on following URL:
>
> http://findbugs.sourceforge.net/commons-modeler.html
>
>
> Above tools will help u in detecting security issues in Java code ...
>
>
> Regards
> Prashant
>
> -----Original Message-----
> From: Yousef Syed [mailto:yousef.syed () gmail com]
> Sent: Friday, October 28, 2005 3:33 PM
> To: Web Application Security
> Subject: J2EE Application Security Code Review
>
> Hi,
> I've been tasked with performing a Code Review on for Security on a
> J2EE Application's code.
> Though I've taken part in numerous Code Reviews, I've never done one
> searching for Security issues.
>
> Can someone please advise me on what I should be looking for?
> Where can I get further information on the procedure that should be
> followed?
> Are there any Standards/Best Practices for Securing J2EE applications?
>
> Thanx,
> ys
>
> --
> Yousef Syed
>
>
> *********************************************************
> Disclaimer:
> The contents of this E-mail (including the contents of the enclosure 
> (s) or attachment(s) if any) are privileged and confidential  
> material of MBT and should not be disclosed to, used by or copied  
> in any manner by anyone other than the intended addressee(s).   In  
> case you are not the desired addressee, you should delete this  
> message and/or re-direct it to the sender.  The views expressed in  
> this E-mail message (including the enclosure(s) or attachment(s) if  
> any) are those of the individual sender, except where the sender  
> expressly, and with authority, states them to be the views of MBT.
>
> This e-mail message including attachment/(s), if any, is believed  
> to be free of any virus.  However, it is the responsibility of the  
> recipient to ensure that it is virus free and MBT is not  
> responsible for any loss or damage arising in any way from its use
>
> ********************************************************