Java Secure Development Assessment

Ranch Hand
Hi All,

What attributes within a Java code should be checked for manual security assessment? Can any one of you point me in the direction?

Scope is to evaluate a web application and assess the code quality.

Appreciate your inputs.

BR
Rancher
The Java code is only one part of the security of a web app. If you only look at that, you're likely to miss possible attacks. XSS and SQL injection are the biggies when it comes to web apps, but plenty more threats are out there. Maybe start by reading some of the material at https://coderanch.com/how-to/java/SecurityFaq#web-apps.
 
girish rateshwar

Thanks. Certainly helpful.

Would any off-the-shelf products help speed up the analysis?

Cheers

author & internet detective

girish rateshwar wrote: Would any off-the-shelf products help speed up the analysis?


In the long run, maybe.

Open source tools like PMD/FindBugs can identify a handful of security issues. (A very small handful.) The commercial off-the-shelf products for security tend to be expensive and complex. They might help in the long run, but are unlikely to save you time on your first analysis.

Some people do security testing of Java applications as their full-time job. Paying them to test would certainly save you time. But it wouldn't save you money and wouldn't develop the in-house expertise I think you are trying to build.

One way to make a checklist is to look at the OWASP Top 10 and see if you have any of those issues. That will get you thinking about not just the Java code, but the application design as a whole.
Author

girish rateshwar wrote:
Hi All,

What attributes within a Java code should be checked for manual security assessment? Can any one of you point me in the direction?

Scope is to evaluate a web application and assess the code quality.

Appreciate your inputs.

BR
A good standard for application security verification is the OWASP Application Security Verification Standard.
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project