[Owasp-board] FW: Armorize CodeSecure Trial Account

Jeff Williams jeff.williams at owasp.org
Tue Dec 25 17:46:33 UTC 2007



Thanks for letting me try your technology.  Not sure if you saw this note I sent a few weeks back.  Let me know if you have any questions.




From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Wednesday, December 05, 2007 2:14 PM
To: 'Forssman Jordan'
Cc: 'owasp-board at lists.owasp.org'
Subject: RE: Armorize CodeSecure Trial Account


Hi Jordan,


Thanks for setting up the trial account.  I had no problem setting up the account and getting my code analyzed.  I did find the use of the term “classpath” a bit confusing, since I think what you really mean is “sourcepath”.  I think using these terms consistently with the “java” and “javac” executables would make sense.


I ran the tool against several sample applications that I know are full of security holes. Here is a bit of feedback on my experience:


1)      The tool found only XSS holes, despite the fact that the test applications contain vulnerabilities across a wide range of other security areas.


2)      I found the data flow tracing far too verbose.  Having 14 full tracebacks to the same problem in the report is a massive distraction.  Each of the tracebacks is also too verbose, resulting in an absolute ton of data to sift through.  If doGet is redirected to doPost (a common practice), I don’t need two separate traces for each problem.


3)      The tool made some serious basic mistakes.  Here’s one example: it seems to consider request.getRemoteUser() tainted. This represents a fundamental misunderstanding about Java EE.  This is especially concerning since getRemoteUser() is a security relevant method, but for authentication, not input validation.


4)      The writeup for XSS contains a significant amount of text directly copied from OWASP and other web sites in violation of the license and without attribution.


Thank you again for setting up the trial.  I appreciate the opportunity to learn more about your technology.  Please don’t hesitate to contact me with any questions about the above.




Jeff Williams, Chair

The OWASP Foundation <http://www.owasp.org/> 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20071225/2af2fefb/attachment-0002.html>

More information about the Owasp-board mailing list