[Owasp-board] Armorize CodeSecure Trial Account
jeff.williams at owasp.org
Wed Dec 5 19:14:09 UTC 2007
Thanks for setting up the trial account. I had no problem setting up the account and getting my code analyzed. I did find the use of the term “classpath” a bit confusing, since I think what you really mean is “sourcepath”. I think using these terms consistently with the “java” and “javac” executables would make sense.
I ran the tool against several sample applications that I know are full of security holes. Here is a bit of feedback on my experience:
1) The tool found only XSS holes, despite the fact that the test applications contain vulnerabilities across a wide range of other security areas.
2) I found the data flow tracing far too verbose. Having 14 full tracebacks to the same problem in the report is a massive distraction. Each of the tracebacks is also too verbose, resulting in an absolute ton of data to sift through. If doGet is redirected to doPost (a common practice), I don’t need two separate traces for each problem.
3) The tool made some serious basic mistakes. Here’s one example: it seems to consider request.getRemoteUser() tainted. This represents a fundamental misunderstanding about Java EE. This is especially concerning since getRemoteUser() is a security relevant method, but for authentication, not input validation.
4) The writeup for XSS contains a significant amount of text directly copied from OWASP and other web sites in violation of the license and without attribution.
Thank you again for setting up the trial. I appreciate the opportunity to learn more about your technology. Please don’t hesitate to contact me with any questions about the above.
Jeff Williams, Chair
The OWASP Foundation <http://www.owasp.org/>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-board