[Java-project] Static code analyzer

Jeff Williams jeff.williams at owasp.org
Sat Oct 31 15:18:54 EDT 2009

This type of message is inappropriate for OWASP lists. Please refrain from
using OWASP for commercial purposes.  Thanks,




Jeff Williams, Chair

The OWASP Foundation



From: java-project-bounces at lists.owasp.org
[mailto:java-project-bounces at lists.owasp.org] On Behalf Of Sudheendra Hangal
Sent: Saturday, October 31, 2009 12:39 PM
To: java-project at lists.owasp.org
Subject: [Java-project] Static code analyzer


John and Jim,
I'm a co-founder of a company called Magic Lamp Software that builds 
advanced tools for detecting security vulnerabilities like the OWASP Top-10
as well as for enforcing compliance to standards like PCI for payment cards
-- this goes 
beyond LAPSE and has been used for commercial software audits at banks,
e-commerce websites, software infrastructure vendors, etc. Our results are 
typically better than Fortify's, e.g. on open source Java benchmarks such as
(i.e. more bugs, fewer false positives).

We'll follow up with you separately and provide more information.

Sudheendra Hangal
Co-founder, Magic Lamp Software


Message: 1
Date: Fri, 30 Oct 2009 13:57:07 -0700
From: John Towell <jtowell at agiletechgroup.com>
Subject: [Java-project] Static code analyzer.
To: java-project at lists.owasp.org
       <18e422d0910301357y5f09124am23cdd64dd02d4d23 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I was wondering if anyone knew of an up to date tool to analyze static Java
code for security concerns.  We are looking for something similar to.


Although this project seems to have been abandoned, last time it was touched
looks to be 2006.   We would be interested in a defined ruleset for
Checkstyle/PMD/FindBugs as an alternative.  I have looked at those tools and
cannot find anything related to security.  Let me know if you have any
information in this area.


-John Towell
-------------- next part --------------
An HTML attachment was scrubbed...


Message: 2
Date: Fri, 30 Oct 2009 16:20:31 -0600
From: JIM BIRD <jimbird at shaw.ca>
Subject: Re: [Java-project] Static code analyzer.
To: John Towell <jtowell at agiletechgroup.com>
Cc: java-project at lists.owasp.org
Message-ID: <f318ea582f26e.4aeb124f at shaw.ca>
Content-Type: text/plain; charset="iso-8859-1"

Findbugs has only primitive security checks. I am not aware of any other
open source solutions. Options for commercial static analysis tools include:
- Fortify: www.fortify.com
- IBM (now including technology from the Ounce Labs acquisition) the product
portfolio is often being reorganized, IBM's static analysis tools are
somewhere under the Rational brand or you can find the Ounce Labs technology
directly at www.ouncelabs.com
- Coverity Prevent: www.coverity.com
- Klocwork - offers an inexpensive tool for individual Java developers,
Solo: www.klocwork.com

Sudheendra Hangal

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/java-project/attachments/20091031/3482dcb7/attachment.html 

More information about the Java-project mailing list