Does the book cover any tests that can be done using some sort of tool that can analyze byte code or source code? Does the book show how to use vulnerability assessment software on a java program or web application?
Ted North wrote:
Does the book cover any tests that can be done using some sort of tool that can analyze byte code or source code?
The JCG book consists of guidelines that are meant for a programmer to read. Guidelines differ from rules in that, sound automated analysis is not always possible. For example, a tool may not be able to determine programmer intent by inspecting bytecode or source code.
The CERT Oracle Secure Coding Standard for Java (AW, 2012) from the same group of authors consists of rules that are amenable to static analysis and useful if you intend to build secure and reliable Java based software. In fact, some of the rules have been adopted by these tools and converted to checkers / detectors.
Does the book show how to use vulnerability assessment software on a java program or web application?
Tool support is out of scope for the JCG book - such information is eternally changing and tool updates are frequent. The JCG book explains through example insecure and secure code but does not intend to provide a "security testing" strategy.
Ah, Thank-you for the reply. It is excellent to receive an interesting reply from a knowledgeable author.
I think I understand what you are typing. There is no security testing help using static analysis tools or vulnerability scanners via tutorials in the book but the guidelines in the book make up some of the logic of these tools. I guess I could make my own scanner with this information.
Thank-you again sir for the reply. It means a great deal to me.