Java Code Review Template

From: Jian Hui Wang (jhwang@gosecure.ca)
Date: Thu Mar 03 2005 - 21:39:31 EST


Hi, all,

Do you have any ideas about the Java code review for security issues?

1) what to review?
The first things on my mind are input validation and error message handling. But apart from that, is there anything else I should pay attention to? The OWASP Top Ten? Any special issues for Java?

2) how to review?
I also tried to follow the OWASP testing framework, Part I, but it does not seem very workable since time is limited.

I know that automated tools like PMD and Checkstyle can do some of the job, but they seem to be more for pretty programming. Which tools do you recommend?

3) how much time?
As for time, how many lines can you review in a day?

Any answer about these questions will be highly appreciated.

Jian Hui Wang, M.Sc, CSE, CCSE, CCNA

Security Analyst

Gosecure Inc.

Visit our SecInfo portal for the latest security news:

http://www.gosecure.ca/SecInfo/index.html
