[Owasp-board] Armorize CodeSecure Trial Account
Jeff Williams
jeff.williams at owasp.org
Wed Dec 5 19:14:09 UTC 2007
Hi Jordan,
Thanks for setting up the trial account. I had no problem setting up the account and getting my code analyzed. I did find the use of the term “classpath” a bit confusing, since I think what you really mean is “sourcepath”. I think using these terms consistently with the “java” and “javac” executables would make sense.
I ran the tool against several sample applications that I know are full of security holes. Here is a bit of feedback on my experience:
1) The tool found only XSS holes, despite the fact that the test applications contain vulnerabilities across a wide range of other security areas.
2) I found the data flow tracing far too verbose. Having 14 full tracebacks to the same problem in the report is a massive distraction. Each of the tracebacks is also too verbose, resulting in an absolute ton of data to sift through. If doGet is redirected to doPost (a common practice), I don’t need two separate traces for each problem.
3) The tool made some serious basic mistakes. Here’s one example: it seems to consider request.getRemoteUser() tainted. This represents a fundamental misunderstanding about Java EE. This is especially concerning since getRemoteUser() is a security-relevant method, but for authentication, not input validation.
4) The writeup for XSS contains a significant amount of text directly copied from OWASP and other web sites in violation of the license and without attribution.
Thank you again for setting up the trial. I appreciate the opportunity to learn more about your technology. Please don’t hesitate to contact me with any questions about the above.
--Jeff
Jeff Williams, Chair
The OWASP Foundation <http://www.owasp.org/>
410-707-1487