Java Coding Guidelines: automated screening

Joel Neely

Joined: Sep 03, 2013
Posts: 9
Given the growing power of tools such as FindBugs and PMD, how well do you think the range of secure coding concerns can be instrumented by static analysis of source or bytecode?
David Svoboda

Joined: Oct 21, 2013
Posts: 13

Fairly well, but they could do better. Static analysis tools such as FindBugs tend to flag problems which are easy to diagnose. While many coding rules are easy to diagnose automatically, some are quite difficult or impossible. For instance, determining if a Java object variable might be null can require in-depth whole-program analysis, and a perfect analysis is not technically feasible now (and probably never will be). Some tools instead use heuristics (e.g. if we check that this variable is null 5 times out of 6, then that 6th one is probably an error).

[Java Coding Guidelines] and [The CERT Oracle Secure Coding Standard for Java] are from the [CERT Secure Coding Initiative]
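The "5 checks out of 6" heuristic mentioned in the reply above, as an added example that is not from this thread and not the implementation of FindBugs, PMD or any other tool: a small Python scanner over a constructed Java snippet (the `Repo` class and the `conn`/`log` variables are invented for illustration). It counts how often each variable is compared against `null`, treats a dereference as "guarded" only when it sits inside the indented block of such a check, and reports variables that are usually guarded but dereferenced unguarded somewhere. The shallow notion of "guarded" is deliberate: it shows both why the heuristic is cheap and where it produces false positives, which is the limitation the reply describes.

```python
import re
from collections import defaultdict

# Constructed Java sample (not from the thread): `conn` is null-checked in five
# methods and dereferenced unguarded in a sixth; `log` is never checked at all.
SAMPLE_JAVA = """\
class Repo {
    void a(Connection conn) {
        if (conn != null) {
            conn.prepare("a");
        }
    }
    void b(Connection conn) {
        if (conn != null) {
            conn.prepare("b");
        }
    }
    void c(Connection conn) {
        if (conn != null) {
            conn.prepare("c");
        }
    }
    void d(Connection conn) {
        if (null != conn) {
            conn.prepare("d");
        }
    }
    void e(Connection conn) {
        if (conn != null) {
            conn.prepare("e");
        }
    }
    void f(Connection conn) {
        conn.prepare("f");
        log.debug("f");
    }
}
"""

# Matches `x != null`, `x == null`, `null != x` and `null == x`.
NULL_CHECK = re.compile(r"\b(\w+)\s*[!=]=\s*null\b|\bnull\s*[!=]=\s*(\w+)\b")
# Matches a method call on a variable: `x.method(`.
DEREF = re.compile(r"\b(\w+)\s*\.\s*\w+\s*\(")


def find_inconsistent_null_checks(source, min_checks=3, min_ratio=0.75):
    """Return {variable: [line numbers]} of unguarded dereferences for variables
    that are null-checked at least `min_checks` times and guarded on at least
    `min_ratio` of their dereferences (e.g. 5 guarded out of 6 uses).

    Guards are modelled by indentation only: a null check at indent i guards
    every deeper-indented line until indentation returns to i or less. Early
    returns such as `if (x == null) return;` are therefore NOT recognised as
    guards, which is one way this shallow heuristic yields false positives.
    """
    checks = defaultdict(int)        # variable -> number of null comparisons
    guarded = defaultdict(int)       # variable -> dereferences inside a guard
    unguarded = defaultdict(list)    # variable -> line numbers outside a guard
    active = []                      # stack of (variable, indent) guards in scope

    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        indent = len(line) - len(line.lstrip())
        # Drop guards whose indented block has ended.
        active = [(v, i) for v, i in active if indent > i]
        for m in NULL_CHECK.finditer(line):
            var = m.group(1) or m.group(2)
            checks[var] += 1
            active.append((var, indent))
        in_scope = {v for v, _ in active}
        for m in DEREF.finditer(line):
            var = m.group(1)
            if var in in_scope:
                guarded[var] += 1
            else:
                unguarded[var].append(lineno)

    findings = {}
    for var, n_checks in checks.items():
        if n_checks < min_checks or not unguarded[var]:
            continue
        total = guarded[var] + len(unguarded[var])
        if guarded[var] / total >= min_ratio:
            findings[var] = unguarded[var]
    return findings


if __name__ == "__main__":
    for var, lines in find_inconsistent_null_checks(SAMPLE_JAVA).items():
        print(f"{var}: dereferenced without a null check on line(s) {lines}")
```

Running it reports `conn` at line 28 of the sample and stays silent about `log`, which is never checked and so gives the heuristic no evidence either way. Raising `min_ratio` to 0.9 suppresses the finding, which is the usual tuning knob between noise and missed defects in this class of checker.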