
Re: Source code audit tool

From: Jeff Williams @ Aspect <@>
Date: Thu, 16 Oct 2003 22:19:00 -0400
Message-ID: <066301c39455$07f00f90$2201a8c0@intranet.aspectsecurity.com>
To: "lupin" <lupin9809@hotmail.com>, <secprog@securityfocus.com>


You might consider PMD (http://pmd.sourceforge.net/) which does some
significant checking on Java programs.  Although it is not focused on
security problems, it is useful in finding thread safety, error handling,
dead code, and other problems that *might* represent a security issue.

In addition, you can craft your own rules by accessing the abstract syntax
tree. This will allow you to write a number of rules, but is not ideal for
finding all instances of certain calls, since you will not have full symbol
table information available.

For your JSPs, you might consider running them through a precompiler to
translate them into Java before analyzing them. Look for a tool called jspc
from your web app server provider.


Jeff Williams
Aspect Security

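The trade-off described above, that a rule written against the syntax tree can match call names but cannot tell what type the receiver really is, is easy to see in a small lexical scanner. The following is an added example, not code from the thread and not PMD's rule API: it scans a constructed Java fragment (the `SearchServlet` class, the hypothetical `MyShell` type and the sample queries are all made up for the illustration) for command-execution and SQL sinks, and reports how much of each finding it could actually establish without symbol-table information.

```python
"""Lexical scanner for risky Java call sites (added illustration, not PMD).

Without a symbol table a rule can match call *names*; it cannot prove that
the receiver of exec(...) is java.lang.Runtime or that executeQuery(...) is
called on a java.sql.Statement. The scanner records that gap as a
confidence level instead of silently guessing.
"""
import re
import textwrap
from dataclasses import dataclass

# Constructed sample input (hypothetical servlet helper), not from the thread.
SAMPLE_JAVA = textwrap.dedent("""\
    import java.sql.*;
    public class SearchServlet {
        void doGet(String user, Connection conn, MyShell shell) throws Exception {
            Runtime.getRuntime().exec("ls " + user);
            Runtime rt = Runtime.getRuntime();
            rt.exec(user);
            shell.exec("echo hi");
            Statement st = conn.createStatement();
            ResultSet rs = st.executeQuery("SELECT * FROM t WHERE name='" + user + "'");
            PreparedStatement ps = conn.prepareStatement("SELECT * FROM t WHERE name=?");
            ps.setString(1, user);
            ps.executeQuery();
        }
    }
    """)


@dataclass
class Finding:
    line: int
    name: str         # method name that matched
    kind: str         # "command-exec" or "sql-concat"
    confidence: str   # "direct": receiver type is lexically certain; "by-name": it is not
    args: str


# Receiver: a dotted chain of identifiers and empty-argument calls such as
# Runtime.getRuntime(); anything richer than that needs a real parser.
CALL = re.compile(
    r'(?P<recv>[A-Za-z_][\w.()]*)\.(?P<name>executeQuery|executeUpdate|execute|'
    r'prepareStatement|createQuery|exec)\s*\(')
STRING_LIT = re.compile(r'"(?:\\.|[^"\\])*"')
SQL_SINKS = {"executeQuery", "executeUpdate", "execute", "prepareStatement", "createQuery"}


def extract_args(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')',
    ignoring parentheses inside string literals; None if unbalanced."""
    depth, i, in_str = 0, open_idx, False
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return None


def has_concatenation(arg_text):
    """True if the argument expression contains a '+' outside string literals."""
    return "+" in STRING_LIT.sub('""', arg_text)


def scan(src):
    findings = []
    for m in CALL.finditer(src):
        name, recv = m.group("name"), m.group("recv")
        args = extract_args(src, m.end() - 1)
        if args is None:
            continue
        line = src.count("\n", 0, m.start()) + 1
        if name == "exec":
            # Only a receiver spelled Runtime.getRuntime() is provably
            # java.lang.Runtime at the lexical level; rt.exec(...) through a
            # local alias and shell.exec(...) on an unrelated class look the
            # same here, so both are reported as "by-name" candidates.
            conf = "direct" if recv.endswith("Runtime.getRuntime()") else "by-name"
            findings.append(Finding(line, name, "command-exec", conf, args.strip()))
        elif name in SQL_SINKS and has_concatenation(args):
            # Query text assembled with '+' is the SQL-injection shape; the
            # parameterised prepareStatement/executeQuery() pair is not flagged.
            findings.append(Finding(line, name, "sql-concat", "by-name", args.strip()))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print(f"line {f.line:2d} {f.kind:<12} {f.confidence:<8} {f.name}({f.args})")
```

Run against the sample, the scanner reports the direct `Runtime.getRuntime().exec` call, the aliased `rt.exec` call, the unrelated `shell.exec` call (a false positive that only type information could remove) and the concatenated `executeQuery`, while the parameterised query passes. The "by-name" findings are exactly the ones a reviewer has to confirm by hand, which is the cost of rules that see syntax but not symbols.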
----- Original Message ----- 
From: lupin
To: secprog@securityfocus.com
Sent: Wednesday, October 15, 2003 8:32 AM
Subject: Source code audit tool


I am looking for a source code auditing tool in order to find vulnerabilities
in WEB applications as early as possible in the development cycle.

I would like to scan some JSP/servlets WEB application developed within

My questions are:

- Can we find some security vulnerabilities with a source code audit of Java
code? (Like for C/C++)

- If yes, is there a tool in order to do that automatically?

I've found the following applications:
- Sanctum AppScan
- SPI Dynamics WebInspect
- Kavado Scando
- OWASP Webscarab (open source)

Yes, they check the WEB application's overall security, but not directly in the
source code!

Thank you in advance for your help.

Received on Friday, 17 October 2003 07:46:39 UTC
