[Owasp-board] Armorize CodeSecure Trial Account

Jeff Williams jeff.williams at owasp.org
Wed Dec 5 17:09:24 UTC 2007

Hi Jordan,

Thanks for setting up the trial account. I had no problem setting up the account and getting my code analyzed. I did find the use of the term “classpath” a bit confusing, since I think what you really mean is “sourcepath”. I think using these terms consistently with the “java” and “javac” executables would make sense.

I ran the tool against several sample applications that I know are full of security holes. Here is a bit of feedback on my experience:

1) The tool found only XSS holes, despite the fact that the test applications contain vulnerabilities across a wide range of other security areas.

2) I found the data flow tracing far too verbose. Having 14 full tracebacks to the same problem in the report is a massive distraction. Each of the tracebacks is also too verbose, resulting in an absolute ton of data to sift through. If doGet is redirected to doPost (a common practice), I don’t need two separate traces for each problem.

3) The tool made some serious basic mistakes. Here’s one example: it seems to consider request.getRemoteUser() tainted. This represents a fundamental misunderstanding about Java EE. This is especially concerning since getRemoteUser() is a security-relevant method, but for authentication, not input validation.

4) The writeup for XSS contains a significant amount of text directly copied from OWASP and other web sites in violation of the license and without attribution.

Thank you again for setting up the trial. I appreciate the opportunity to learn more about your technology. Please don’t hesitate to contact me with any questions about the above.

Jeff Williams, Chair
The OWASP Foundation <http://www.owasp.org/>
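The two analyzer behaviours described in points 2 and 3 above (doGet delegating to doPost, and request.getRemoteUser() being treated as a taint source) can be seen in a small servlet. The following is an added example written for this archive page; it is not code from the email, from OWASP, or from Armorize CodeSecure, and the class name GreetingServlet, the parameter name "msg", and the htmlEscape helper are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (assumed name) illustrating how a static analyzer
 * should classify the data reaching an HTML output sink.
 */
public class GreetingServlet extends HttpServlet {

    // Common Java EE idiom: GET simply delegates to POST. Both entry points
    // reach the same sink, so a single finding is enough; a trace per entry
    // point only duplicates the report.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doPost(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Authentication result, populated by the container from the
        // authenticated principal (null when the caller is unauthenticated).
        // It is not request input chosen by the client in the request body
        // or query string, so it is not a taint source in the sense that
        // getParameter() is.
        String user = req.getRemoteUser();

        // Client-controlled request input: the genuine taint source for XSS.
        String message = req.getParameter("msg");

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // Vulnerable form an analyzer should flag (once), shown for contrast:
        //   out.println("<p>" + message + "</p>");

        // Hardened form: every value written into an HTML context is encoded,
        // regardless of its origin.
        out.println("<p>Hello, " + htmlEscape(user == null ? "guest" : user) + "</p>");
        out.println("<p>" + htmlEscape(message == null ? "" : message) + "</p>");
    }

    /** Minimal HTML body/attribute encoder (assumed helper, no library dependency). */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Deployed behind container-managed authentication, a request such as `GET /greet?msg=<script>alert(1)</script>` reaches the sink through doGet and then doPost; the encoded output renders the payload as literal text. An analyzer that understands the servlet API reports one XSS finding on the unescaped variant with the getParameter() call as its source, and does not report getRemoteUser() at all.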


