WebApp Sec mailing list archives
Re: Java Security Code Review Tool
From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Thu, 3 Nov 2005 11:18:57 -0500
I have used CodeAssure from Secure Software. I like it, though it can take a LONG time to run (~4 hours on ~170KLOC recently on a reasonably powerful laptop with ample RAM). Admittedly, I don't have much else to compare it to.
Be aware that no tool is able to find all of the issues that a human is able to find. The ability of any tool to find the fewest false positives while also minimizing false negatives is dependent on your configuration of the tool. If you understand the limitations of the tools and follow up any automated review with manual code reviews you will get the best results. I find these tools to be most helpful in pointing me to code which requires further manual review.
Anyone who knows me knows of my love for regular expressions (RegEx). Carefully crafted RegEx code is also *extremely* helpful to point you in the right direction when doing a manual review just by searching for target strings (rand, crypt, password, class names, etc). Automated tools, directed searching with RegEx and manual reviews directed by the previous two and a threat model works best for me.
-dhs
Dean H. Saxe, CEH
dean () fullfrontalnerdity com

"[U]nconstitutional behavior by the authorities is constrained only by the peoples' willingness to contest them"
--John Perry Barlow

On Nov 3, 2005, at 3:00 AM, dharmeshmm () mastek com wrote:
Hi All,
Has anybody evaluated any Java Security Code Review Tool? I have come across FxCop and DevPartner, which are particularly for .NET.
Regards,
Dharmesh.
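As an added example (not part of Dean's reply or anything else in this thread), the script below does the kind of directed RegEx sweep the reply describes: it runs a short list of labelled patterns (weak randomness, crypto API use, hard-coded secrets, command execution, string-built SQL, deserialization) over a Java source tree and prints file:line pointers for a human to follow up. The pattern list, the labels and the sample `LoginService.java` class are all constructed for illustration; the hits are starting points for manual review, not findings.

```shell
#!/bin/sh
# Added example, not from the original thread: a directed regex sweep over a
# Java source tree to shortlist code for manual security review. The pattern
# list and the sample class below are constructed for illustration.

# One entry per line: label::extended-regex. A hit is a pointer, not a finding.
PATTERNS='weak-random::java\.util\.Random|new Random\(
crypto-api::Cipher\.getInstance|MessageDigest\.getInstance|SecretKeySpec
secret-literal::(password|passwd|secret)[[:space:]]*=[[:space:]]*"[^"]+"
command-exec::Runtime\.getRuntime\(\)\.exec\(|ProcessBuilder
sql-concat::(createStatement|executeQuery|executeUpdate|prepareStatement)\(.*\+
deserialization::ObjectInputStream|readObject\('

# scan_tree DIR: print "label<TAB>file:line:text" for every pattern hit.
scan_tree() {
    dir=$1
    printf '%s\n' "$PATTERNS" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        label=${entry%%::*}
        regex=${entry#*::}
        # /dev/null forces grep to prefix the filename even for a single file.
        find "$dir" -type f -name '*.java' \
            -exec grep -n -E -e "$regex" /dev/null {} + 2>/dev/null \
          | while IFS= read -r hit; do
                printf '%s\t%s\n' "$label" "$hit"
            done
    done
}

# count_hits DIR LABEL: number of hits for one label (useful for triage stats).
count_hits() {
    scan_tree "$1" | awk -F'\t' -v l="$2" '$1 == l { n++ } END { print n + 0 }'
}

# write_sample DIR: drop a constructed Java class containing several review targets.
write_sample() {
    mkdir -p "$1/demo"
    cat > "$1/demo/LoginService.java" <<'EOF'
package demo;
import java.util.Random;
public class LoginService {
    private static final String password = "hunter2";
    Random rng = new Random();
    String token() { return Long.toHexString(rng.nextLong()); }
    void find(java.sql.Connection c, String user) throws Exception {
        c.createStatement().executeQuery("SELECT * FROM users WHERE name='" + user + "'");
    }
    void ping(String host) throws Exception {
        Runtime.getRuntime().exec("ping " + host);
    }
}
EOF
}

# Demo: build the sample tree, sweep it, print the sorted hit list.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample "$tmp"
    scan_tree "$tmp" | sort
    rm -rf "$tmp"
fi
```

Run it as `sh review_grep.sh --demo` to see the hit list for the sample class, or call `scan_tree /path/to/src` against a real tree. The patterns are deliberately loose (the `sql-concat` entry fires on any statement call with a `+` on the same line, and `secret-literal` only catches literals assigned on one line), which is the trade-off the reply describes: a grep sweep is there to point a reviewer at code, and tightening each pattern to cut false positives is what costs you the false negatives.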