[Owasp-board] FW: Armorize CodeSecure Trial Account
jeff.williams at owasp.org
Tue Dec 25 17:46:33 UTC 2007
Thanks for letting me try your technology. Not sure if you saw this note I sent a few weeks back. Let me know if you have any questions.
From: Jeff Williams [mailto:jeff.williams at owasp.org]
Sent: Wednesday, December 05, 2007 2:14 PM
To: 'Forssman Jordan'
Cc: 'owasp-board at lists.owasp.org'
Subject: RE: Armorize CodeSecure Trial Account
Thanks for setting up the trial account. I had no problem setting up the account and getting my code analyzed. I did find the use of the term “classpath” a bit confusing, since I think what you really mean is “sourcepath”. I think using these terms consistently with the “java” and “javac” executables would make sense.
I ran the tool against several sample applications that I know are full of security holes. Here is a bit of feedback on my experience:
1) The tool found only XSS holes, despite the fact that the test applications contain vulnerabilities across a wide range of other security areas.
2) I found the data flow tracing far too verbose. Having 14 full tracebacks to the same problem in the report is a massive distraction. Each of the tracebacks is also too verbose, resulting in an absolute ton of data to sift through. If doGet is redirected to doPost (a common practice), I don’t need two separate traces for each problem.
3) The tool made some serious basic mistakes. Here’s one example: it seems to consider request.getRemoteUser() tainted. This represents a fundamental misunderstanding about Java EE. This is especially concerning since getRemoteUser() is a security relevant method, but for authentication, not input validation.
4) The writeup for XSS contains a significant amount of text directly copied from OWASP and other web sites in violation of the license and without attribution.
Thank you again for setting up the trial. I appreciate the opportunity to learn more about your technology. Please don’t hesitate to contact me with any questions about the above.
Jeff Williams, Chair
The OWASP Foundation <http://www.owasp.org/>