Penetration Testing mailing list archives
Re: java source code audit
From: cwright () bdosyd com au
Date: 4 Oct 2007 21:35:52 -0000
Buy (and I should not have to state: read): Binder, Robert V. (2004) "Testing Object-Oriented Systems: Models, Patterns and Tools", Addison Wesley. It is not a small book (1,200 pages) and it is highly technical. It does make a good start. Less than this standard of testing, and frankly you are wasting the client's time. Following this you can then find a number of good papers (see Science Direct and the IEEE on Java issues).

You are doing a source code audit. This is the first comment. The main issue is code testing - white box code testing. This is a completely separate issue to pen testing. If you get a copy of the book above, look at Ch. 10 (Classes) - there are detailed sections on test models, procedures etc. For instance, pp. 427-432 cover "Combinational Function Test" specifics in a fair amount of detail, and in enough depth for you to create a test model from this.

Do you know how to create effective recursive function tests? From what is listed in regards to XSS and SQL I would assume not? At least, given that this is a white box test, SQL injection and XSS are not actually valid fault models in source testing. The issue of a client of their own - not a web client - is not relevant in the manner you think.

So where to start? Well, first, create a flattened view of an orthogonal composition for the classes. You can derive type concatenation from this - this will allow you to detail the class hierarchy, class scope statechart and finally the flattened statechart.

From here you can detail unspecified event/state pairs, create a response matrix and work out the guarded and implicit transitions. This will lead to a canonical response matrix detailing all responses for illegal events and state machine faults.

And so on and so forth.

Regards,
Dr Craig S Wright GSE (Compliance)
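As an added illustration (not part of Dr Wright's post, and not Binder's own code), the following constructed Java example shows the kind of test the flattened statechart and response matrix lead to: a small modal class, a hand-derived canonical response matrix, and a driver that exercises every state/event pair, checking that legal pairs reach the expected state and that illegal (implicit) transitions are rejected without a state change. The `Handle` class, its states and its events are assumptions made up for the example.

```java
import java.util.EnumMap;
import java.util.Map;

// Constructed example: a modal class plus a response-matrix test driver.
public class ModalClassTest {

    enum State { CLOSED, OPEN, LOCKED }
    enum Event { OPEN, WRITE, LOCK, UNLOCK, CLOSE }

    /** Class under test (hypothetical): a file-like handle with explicit modes. */
    static final class Handle {
        private State state = State.CLOSED;
        private final StringBuilder buf = new StringBuilder();

        State state() { return state; }

        void open()          { require(State.CLOSED); state = State.OPEN; }
        void write(String s) { require(State.OPEN);   buf.append(s); }
        void lock()          { require(State.OPEN);   state = State.LOCKED; }
        void unlock()        { require(State.LOCKED); state = State.OPEN; }
        void close() {
            if (state == State.CLOSED) throw new IllegalStateException("already closed");
            state = State.CLOSED;
        }

        // Guard shared by the modal operations: reject the event, leave state untouched.
        private void require(State expected) {
            if (state != expected) {
                throw new IllegalStateException("event not accepted in state " + state);
            }
        }
    }

    // Canonical response matrix derived from the flattened statechart:
    // for every legal (state, event) pair the resulting state. Pairs absent
    // from the map are illegal events and must be rejected with no state change.
    static final Map<State, Map<Event, State>> LEGAL = new EnumMap<>(State.class);
    static {
        LEGAL.put(State.CLOSED, Map.of(Event.OPEN, State.OPEN));
        LEGAL.put(State.OPEN, Map.of(Event.WRITE, State.OPEN,
                                     Event.LOCK, State.LOCKED,
                                     Event.CLOSE, State.CLOSED));
        LEGAL.put(State.LOCKED, Map.of(Event.UNLOCK, State.OPEN,
                                       Event.CLOSE, State.CLOSED));
    }

    /** Set-up path: drive a fresh handle into the requested state. */
    static Handle inState(State s) {
        Handle h = new Handle();
        switch (s) {
            case OPEN:   h.open(); break;
            case LOCKED: h.open(); h.lock(); break;
            default:     break; // CLOSED is the initial state
        }
        return h;
    }

    /** Apply one event to the handle. */
    static void fire(Handle h, Event e) {
        switch (e) {
            case OPEN:   h.open(); break;
            case WRITE:  h.write("x"); break;
            case LOCK:   h.lock(); break;
            case UNLOCK: h.unlock(); break;
            case CLOSE:  h.close(); break;
        }
    }

    /** Walk the full state x event product; returns the number of faults found. */
    static int checkResponseMatrix() {
        int faults = 0;
        for (State s : State.values()) {
            for (Event e : Event.values()) {
                Handle h = inState(s);
                State expected = LEGAL.get(s).get(e); // null => illegal event
                try {
                    fire(h, e);
                    if (expected == null) {
                        faults++;
                        System.out.println("FAULT: " + s + " x " + e + " accepted an illegal event");
                    } else if (h.state() != expected) {
                        faults++;
                        System.out.println("FAULT: " + s + " x " + e + " ended in " + h.state()
                                           + ", expected " + expected);
                    }
                } catch (IllegalStateException ex) {
                    if (expected != null) {
                        faults++;
                        System.out.println("FAULT: " + s + " x " + e + " rejected a legal event");
                    } else if (h.state() != s) {
                        faults++;
                        System.out.println("FAULT: " + s + " x " + e + " changed state on rejection");
                    }
                }
            }
        }
        return faults;
    }

    public static void main(String[] args) {
        int faults = checkResponseMatrix();
        System.out.println(faults == 0 ? "all state/event pairs conform to the response matrix"
                                       : faults + " fault(s) found");
        if (faults != 0) System.exit(1);
    }
}
```

The matrix is built by hand from the statechart, not from the code, so it is the oracle: any disagreement between the two is either a fault in the class or an unspecified event/state pair that the design never resolved. Guarded transitions (where acceptance depends on object data as well as mode) would add a guard-true/guard-false column per event to the same table.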