[Owasp-leaders] Question on Static Analysis

John Steven John.Steven at owasp.org
Fri Nov 20 10:53:53 EST 2009


James,

In my opinion? Absolutely. Look at the guidance given by the Websphere
deployment and security guides alone. Even if you were a 'lowly
deployment/configuration manager', you could sweep through those
guides using only grep + xpath to do a great static analysis as part of
other deployment readiness / security criteria and identify a bevy of
weaknesses / misconfigurations that would result in vulnerable
applications.

Cigital already does this as part of its code reviews, both in terms
of manual support and in the form of automation. (Again, in my
opinion) It is not ours to fight the tide of the frameworks and
toolkits but rather be instructive about how to best use them.

-jOHN
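As an added illustration of the grep + xpath sweep described above (example code written for this page, not code from the thread, from Cigital or from any WebSphere guide): a small Python checker that applies XPath-style queries to a constructed web.xml and a grep-style pattern to a constructed Java snippet. The 30-minute session-timeout threshold, the CONFIDENTIAL transport-guarantee rule and the readLine() pattern are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (no namespace, to keep the XPath short).
SAMPLE_WEB_XML = """<web-app>
  <session-config><session-timeout>480</session-timeout></session-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed Java snippet: reads a line of request body with no length bound.
SAMPLE_JAVA = """BufferedReader in = new BufferedReader(new InputStreamReader(req.getInputStream()));
String line = in.readLine();
"""

def check_web_xml(xml_text, max_timeout_minutes=30):
    """XPath-style checks over a web.xml; returns a list of finding strings."""
    root = ET.fromstring(xml_text)
    findings = []
    timeout = root.findtext("./session-config/session-timeout")
    if timeout is None:
        findings.append("session-timeout not set (container default applies)")
    elif int(timeout) <= 0:
        # In the servlet spec a zero or negative value means sessions never expire.
        findings.append(f"session-timeout {timeout} means sessions never expire")
    elif int(timeout) > max_timeout_minutes:
        findings.append(f"session-timeout {timeout} exceeds {max_timeout_minutes} minutes")
    for sc in root.findall("./security-constraint"):
        patterns = [p.text for p in sc.findall("./web-resource-collection/url-pattern")]
        guarantee = sc.findtext("./user-data-constraint/transport-guarantee") or "NONE"
        if guarantee != "CONFIDENTIAL":
            findings.append(f"transport-guarantee {guarantee} for {patterns}")
    return findings

# grep-style pattern: every readLine() call, since the API takes no maximum length.
READLINE_CALL = re.compile(r"\.readLine\s*\(\s*\)")

def check_java(source):
    """Flag each source line that calls readLine(); returns a list of finding strings."""
    return [f"line {n}: unbounded readLine()"
            for n, text in enumerate(source.splitlines(), 1)
            if READLINE_CALL.search(text)]

if __name__ == "__main__":
    for finding in check_web_xml(SAMPLE_WEB_XML) + check_java(SAMPLE_JAVA):
        print(finding)
```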

On Fri, Nov 20, 2009 at 9:34 AM, McGovern, James F. (eBusiness)
<James.McGovern at thehartford.com> wrote:
> Noodling the value proposition of static analysis and wonder if vendors in
> this space are doing the right thing. For example, Gary McGraw was one of
> the first to point out insecure APIs within Java such as readLine not having
> a parameter to indicate max read. Is there merit in vendors figuring out how
> to perform the same function within commercial products? For example, there are
> insecure APIs in IBM MQ/Series, Struts, Spring, etc.
>
> Is there merit in collecting this type of information as a new OWASP
> project?
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
