- From: Kenneth R. van Wyk <ken@vanwyk.org>
- Date: Wed, 15 Oct 2003 16:47:27 -0400
- To: secprog@securityfocus.com
On Wednesday 15 October 2003 13:52, lupin wrote:

> I know those tools too, but they are scanning only C/C++ source code and
> I'm looking for a tool which scan Java code. (or/and JSP)

In doing the research for our book (Secure Coding, O'Reilly, 2003), my co-author and I looked around quite a bit for different static code scanning tools. We didn't find any that could scan Java code, unfortunately. However, a list of links to various other tools is available via our book's web site at http://www.securecoding.org/companion/tools.php.

> The goal is to have a tool which validate that the code we wrote is secure.

That's a tall order to fill. Static code checkers only detect known flaws in the implementation of your software. They can't validate the absence of flaws in the code. Further, they can't detect architectural, design, or operational flaws in the way that the application is deployed.

As the previous poster said, though, they're still useful for detecting "low hanging fruit" like buffer overflows and such. But not in Java... ;-\

Cheers,

Ken van Wyk
Received on Wednesday, 15 October 2003 17:07:45 UTC