Java Coding Guidelines: automated screening

Joel Neely
Greenhorn

Joined: Sep 03, 2013
Posts: 6
    
    1
Given the growing power of tools such as FindBugs and PMD, how well do you think the range of secure coding concerns can be instrumented by static analysis of source or bytecode?
David Svoboda
Author
Greenhorn

Joined: Oct 21, 2013
Posts: 13
    
    5

Fairly well, but they could do better. Static analysis tools such as FindBugs tend to flag problems which are easy to diagnose. While many coding rules are easy to diagnose automatically, some are quite difficult or impossible. For instance, determining if a Java object variable might be null can require in-depth whole-program analysis, and a perfect analysis is not technically feasible now (and probably never will be). Some tools instead use heuristics (e.g. if we check that this variable is null 5 times out of 6, then that 6th one is probably an error).

[Java Coding Guidelines] and [The CERT Oracle Secure Coding Standard for Java] are from the [CERT Secure Coding Initiative]
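As an added illustration (not code from this thread, from FindBugs, or from CERT), here is a deliberately simple line-based version of the "null-checked 5 times out of 6" heuristic David describes, written in Python and run over a constructed Java fragment. The 0.8 threshold and the regexes are my own choices; real tools work on bytecode and control flow, which this ignores, so it shows the idea of the consistency heuristic rather than how FindBugs actually implements it.

```python
import re
from collections import defaultdict

# Constructed Java fragment: `conn` is null-checked on 5 of its 6 dereferencing
# lines; `pool` and `log` are never checked, so they are consistent and not flagged.
SAMPLE_JAVA = """\
Connection conn = pool.acquire();
if (conn != null) { conn.setAutoCommit(false); }
if (conn != null) { conn.prepare(sql); }
if (conn != null) { conn.execute(); }
if (conn != null) { conn.commit(); }
conn.close();
if (conn != null) { conn.release(); }
log.info("done");
"""

DEREF = re.compile(r"\b([a-z]\w*)\.\w+\(")            # variable.method(
NULL_CHECK = re.compile(r"\b([a-z]\w*)\s*(?:!=|==)\s*null")  # variable != null / == null

def find_inconsistent_null_checks(source, min_ratio=0.8):
    """Return {variable: [unguarded line numbers]} for each variable that is
    null-checked on at least `min_ratio` of the lines where it is dereferenced,
    but dereferenced without a check on at least one line.

    Variables that are never checked (ratio 0) are not reported: the heuristic
    looks for inconsistency, not for the absence of checks."""
    guarded = defaultdict(int)
    unguarded = defaultdict(list)
    for lineno, line in enumerate(source.splitlines(), start=1):
        checked = set(NULL_CHECK.findall(line))
        for var in set(DEREF.findall(line)):
            if var in checked:
                guarded[var] += 1
            else:
                unguarded[var].append(lineno)
    findings = {}
    for var in set(guarded) | set(unguarded):
        total = guarded[var] + len(unguarded[var])
        ratio = guarded[var] / total
        if unguarded[var] and ratio >= min_ratio:
            findings[var] = unguarded[var]
    return findings

if __name__ == "__main__":
    for var, lines in find_inconsistent_null_checks(SAMPLE_JAVA).items():
        print(f"{var}: null-checked elsewhere but dereferenced unguarded on line(s) {lines}")
```

Raising `min_ratio` above 5/6 silences the finding, which is the trade-off such heuristics make between missed bugs and false alarms.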
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Java Coding Guidelines: automated screening