JavaRanch » Java Forums » Engineering » Security
Java Coding Guidelines AND Automated Testing Tools AND Vulnerability Scanners

Ted North
Ranch Hand

Joined: Jan 02, 2012
Posts: 193
    
    1

Hello authors of Java Coding Guidelines,

Does the book cover any tests that can be done using some sort of tool that can analyze byte code or source code? Does the book show how to use vulnerability assessment software on a Java program or web application?



Thank you for reading.

Regards,

Ted
Dhruv Mohindra
Author
Greenhorn

Joined: Dec 08, 2009
Posts: 11
    
    5
Hi Ted,

Ted North wrote:
Does the book cover any tests that can be done using some sort of tool that can analyze byte code or source code?


The JCG book consists of guidelines that are meant for a programmer to read. Guidelines differ from rules in that sound automated analysis is not always possible. For example, a tool may not be able to determine programmer intent by inspecting bytecode or source code.

The CERT Oracle Secure Coding Standard for Java (AW, 2012) from the same group of authors consists of rules that are amenable to static analysis and useful if you intend to build secure and reliable Java-based software. In fact, some of the rules have been adopted by these tools and converted to checkers / detectors.

Ted North wrote:
Does the book show how to use vulnerability assessment software on a Java program or web application?


Tool support is out of scope for the JCG book - such information is eternally changing and tool updates are frequent. The JCG book explains through example insecure and secure code but does not intend to provide a "security testing" strategy.


You know what I did last summer - Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs.
Ted North
Ranch Hand

Joined: Jan 02, 2012
Posts: 193
    
    1

Dhruv,

Ah, thank you for the reply. It is excellent to receive an interesting reply from a knowledgeable author.

I think I understand what you are typing. There is no security testing help using static analysis tools or vulnerability scanners via tutorials in the book but the guidelines in the book make up some of the logic of these tools. I guess I could make my own scanner with this information.

Thank you again, sir, for the reply. It means a great deal to me.

Respectfully,

Ted
