[Java-project] Static code analyzer

Sudheendra Hangal hangal at cs.stanford.edu
Sat Oct 31 12:39:02 EDT 2009

John and Jim,
I'm a co-founder of a company called Magic Lamp Software that builds
advanced tools for detecting security vulnerabilities like the OWASP Top-10
as well as for enforcing compliance with standards like PCI for payment cards
-- this goes beyond LAPSE and has been used for commercial software audits at banks,
e-commerce websites, software infrastructure vendors, etc. Our results are
typically better than Fortify's, e.g. on open source Java benchmarks such as
(i.e. more bugs, fewer false positives).

We'll follow up with you separately and provide more information.

Sudheendra Hangal
Co-founder, Magic Lamp Software

> Message: 1
> Date: Fri, 30 Oct 2009 13:57:07 -0700
> From: John Towell <jtowell at agiletechgroup.com>
> Subject: [Java-project] Static code analyzer.
> To: java-project at lists.owasp.org
> Message-ID:
>        <18e422d0910301357y5f09124am23cdd64dd02d4d23 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> I was wondering if anyone knew of an up-to-date tool to analyze static Java
> code for security concerns. We are looking for something similar to
> http://suif.stanford.edu/~livshits/work/lapse/
> although this project seems to have been abandoned; the last time it was
> touched looks to be 2006. We would be interested in a defined ruleset for
> Checkstyle/PMD/FindBugs as an alternative. I have looked at those tools and
> cannot find anything related to security. Let me know if you have any
> information in this area.
> Thanks,
> -John Towell
> ------------------------------
> Message: 2
> Date: Fri, 30 Oct 2009 16:20:31 -0600
> From: JIM BIRD <jimbird at shaw.ca>
> Subject: Re: [Java-project] Static code analyzer.
> To: John Towell <jtowell at agiletechgroup.com>
> Cc: java-project at lists.owasp.org
> Message-ID: <f318ea582f26e.4aeb124f at shaw.ca>
> Content-Type: text/plain; charset="iso-8859-1"
> FindBugs has only primitive security checks. I am not aware of any other
> open source solutions. Options for commercial static analysis tools include:
> - Fortify: www.fortify.com
> - IBM (now including technology from the Ounce Labs acquisition): the
> product portfolio is often being reorganized; IBM's static analysis tools
> are somewhere under the Rational brand, or you can find the Ounce Labs
> technology directly at www.ouncelabs.com
> - Coverity Prevent: www.coverity.com
> - Klocwork - offers an inexpensive tool for individual Java developers,
> Solo: www.klocwork.com
