- From: Jeff Williams @ Aspect <jeff.williams@aspectsecurity.com>
- Date: Thu, 16 Oct 2003 22:19:00 -0400
- To: "lupin" <lupin9809@hotmail.com>, <secprog@securityfocus.com>
lupin,

You might consider PMD (http://pmd.sourceforge.net/) which does some significant checking on Java programs. Although it is not focused on security problems, it is useful in finding thread safety, error handling, dead code, and other problems that *might* represent a security issue. In addition, you can craft your own rules by accessing the abstract syntax tree. This will allow you to write a number of rules, but is not ideal for finding all instances of certain calls, since you will not have full symbol table information available.

For your JSPs, you might consider running them through a precompiler to translate them into Java before analyzing them. Look for a tool called jspc from your web app server provider.

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com

----- Original Message -----
From: lupin
To: secprog@securityfocus.com
Sent: Wednesday, October 15, 2003 8:32 AM
Subject: Source code audit tool

Hi,

I'm looking for a source code auditing tool in order to find vulnerabilities in WEB applications as early as possible in the development cycle. I would like to scan some JSP/servlets WEB application developed within WebSphere.

My questions are:
- Can we find some security vulnerability with a source code audit of Java code? (Like for C/C++)
- If yes, is there a tool in order to do that automatically?

I've found the following applications:
- Sanctum AppScan
- SPI Dynamics WebInspect
- Kavado Scando
- OWASP Webscarab (open source)

Yes, they check the WEB application overall security but not directly in the source code!

Thank you in advance for your help.

Marc
Received on Friday, 17 October 2003 07:46:39 UTC
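Jeff's suggestion of crafting your own PMD rule against the abstract syntax tree, together with his caveat about missing symbol table information, as an added example that is not part of the original thread. It assumes the ruleset format of a modern PMD 6.x release (the XPathRule class, the 2.0.0 ruleset schema and XPath 2.0), not the PMD of 2003, and uses Runtime.exec purely as a constructed illustration of a call an auditor would want to locate.

```xml
<?xml version="1.0"?>
<!-- custom-security.xml: a constructed PMD 6.x ruleset (assumed format, not from the thread) -->
<ruleset name="Custom Security Rules"
    xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

    <description>Locate process-spawning calls for manual review (syntactic match only)</description>

    <!-- XPathRule lets you write a rule against the Java AST without compiling a Java class.
         Run with:  pmd -d src/ -R custom-security.xml -f text
         (run jspc first if the JSPs should be included, as the reply above suggests) -->
    <rule name="SuspiciousRuntimeExec"
          language="java"
          message="Possible Runtime.exec() call; review how the command string is built"
          class="net.sourceforge.pmd.lang.rule.XPathRule">
        <description>
            Flags the syntactic shape  Runtime.getRuntime().exec(...)  so an auditor can check
            whether any part of the command comes from request data.
        </description>
        <priority>2</priority>
        <properties>
            <property name="version" value="2.0"/>
            <property name="xpath">
                <value><![CDATA[
//PrimaryExpression[PrimaryPrefix/Name[@Image = 'Runtime.getRuntime']]
                   [PrimarySuffix[@Image = 'exec']]
                ]]></value>
            </property>
        </properties>
    </rule>

    <!-- The limitation Jeff describes: the rule sees only the AST, not resolved types, so it
         matches   Runtime.getRuntime().exec(cmd);
         but NOT   Runtime rt = Runtime.getRuntime(); rt.exec(cmd);
         because the second form never contains the literal name 'Runtime.getRuntime' next
         to the 'exec' suffix. Matching every PrimarySuffix[@Image='exec'] instead would also
         catch unrelated exec() methods on other classes (false positives). Either way, treat
         the output as a review worklist, not as proof that no such call exists. -->
</ruleset>
```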