
Re: Source code audit tool

From: Kenneth R. van Wyk <ken@vanwyk.org>
Date: Wed, 15 Oct 2003 16:47:27 -0400
To: secprog@securityfocus.com
Message-Id: <200310151647.27954.ken@vanwyk.org>

On Wednesday 15 October 2003 13:52, lupin wrote:
> I know those tools too, but they are scanning only C/C++ source code, and
> I'm looking for a tool which scans Java code (or/and JSP).

In doing the research for our book (Secure Coding, O'Reilly, 2003), my 
co-author and I looked around quite a bit for different static code scanning 
tools.  We didn't find any that could scan Java code, unfortunately.  
However, a list of links to various other tools is available via our book's 
web site at http://www.securecoding.org/companion/tools.php.

> The goal is to have a tool which validates that the code we wrote is secure.

That's a tall order to fill.  Static code checkers only detect known flaws in 
the implementation of your software.  They can't validate the absence of 
flaws in the code.  Further, they can't detect architectural, design, or 
operational flaws in the way that the application is deployed.

As the previous poster said, though, they're still useful for detecting "low 
hanging fruit" like buffer overflows and such.  But not in Java...  ;-\


Ken van Wyk
Received on Wednesday, 15 October 2003 17:07:45 UTC
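The point Ken makes about static checkers (they match known flaw patterns in the implementation and cannot prove their absence) is easy to see with a toy scanner. The following is an added example, not code from the mail or from any tool it mentions: a pattern-based checker for Java/JSP source, with hypothetical rules and a constructed sample file. Two flaws sit directly at a recognised sink and are reported; a third reaches the same sink through an intermediate variable and is missed, which is exactly the kind of gap a pattern matcher leaves.

```python
"""Toy pattern-based static checker for Java/JSP source (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    label: str
    text: str


# Hypothetical rules written for this example; a real scanner ships many more
# and matches far more carefully than a single line regex.
RULES = [
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
     "OS command execution"),
    (re.compile(r"\.execute(?:Query|Update)?\([^)]*\+"),
     "SQL built by string concatenation at the execute() call"),
    (re.compile(r"out\.print(?:ln)?\(\s*request\.getParameter"),
     "request parameter written to the response without encoding"),
]

# Constructed sample of servlet-style Java; not taken from any real project.
SAMPLE_JAVA = """\
String user = request.getParameter("user");
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("SELECT * FROM t WHERE name='" + user + "'");
out.println(request.getParameter("msg"));
String q = "SELECT * FROM t WHERE id=" + request.getParameter("id");
ResultSet rs2 = st.executeQuery(q);
PreparedStatement ps = conn.prepareStatement("SELECT * FROM t WHERE id=?");
"""

# What a human reviewer knows is wrong in the sample: lines 3, 4 and 6.
# Line 6 is the same SQL-concatenation flaw as line 3, but the concatenation
# happens one line earlier, so the sink line itself looks harmless.
KNOWN_FLAW_LINES = {3, 4, 6}


def scan(source: str) -> list[Finding]:
    """Report every line that matches a known flaw pattern."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pattern, label in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, label, line.strip()))
    return findings


def compare_with_known(source: str, known_flaw_lines: set[int]) -> tuple[set[int], set[int]]:
    """Split the reviewer's known flaws into those the scanner reported and those it missed."""
    reported = {f.line_no for f in scan(source)}
    return reported & known_flaw_lines, known_flaw_lines - reported


if __name__ == "__main__":
    for finding in scan(SAMPLE_JAVA):
        print(f"line {finding.line_no}: {finding.label}\n    {finding.text}")
    detected, missed = compare_with_known(SAMPLE_JAVA, KNOWN_FLAW_LINES)
    print(f"detected known flaws on lines {sorted(detected)}, missed lines {sorted(missed)}")
```

The scanner reports lines 3 and 4 and stays silent on line 6, even though line 6 executes the same concatenated query. A clean run therefore means "none of these patterns matched", not "the code is secure"; closing that gap requires data-flow analysis or a reviewer, not more regexes.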
