[Owasp-testing] Contributing to the Code review Guide - Please Read.
dinis at ddplus.net
Thu Jan 18 10:37:15 EST 2007
Well, what you need is to tweak that statement a bit to make it correct:
"The moment you see native methods (which leave the Java security manager
and memory protection), you know you found an area that might contain
potential Buffer Overflows, or other C++ type vulnerabilities."
And I will add
"In the .Net Framework this is even more problematic due to the high usage
of unmanaged COM objects (Note to Dinis: Put here details about his 'Buffer
Overflows on the .Net Framework' Research)"
Chief OWASP Evangelist, Are you a member yet?
On 1/18/07, Eoin <eoinkeary at gmail.com> wrote:
> Someone has been putting "helpful" comments in some sections of the Code
> review guide, such as:
> "The moment you start writing native methods you leave the Java security
> manager and memory protection faculties. Don't do it."
> Firstly this is not helpful to anyone involved in code review.
> Secondly if we are performing a code review on a native method code block
> this advice is too late and useless.
> Thirdly, sometimes native methods need to be used for legacy reasons.
> The guide is to show what to look for in code review. This helpful advice
> is firstly aimed at the developer and hence no good for a code reviewer.
> Eoin Keary OWASP - Ireland
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
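The point both messages circle around, that a native method boundary is where the JVM's bounds checking stops and C-style memory errors start, is easier to review with a concrete pattern in front of you. The following is an added example for this archive page; it is not code from the thread, the OWASP Code Review Guide, or the research Dinis mentions. It models the body of a JNI native method in plain C, after GetStringUTFChars() has handed the native side a NUL-terminated copy of a Java String, and omits the JNI headers and boilerplate so it compiles stand-alone. The buffer size NATIVE_BUF_LEN, the function names, and the inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scratch buffer size the native method uses (constructed for this example). */
#define NATIVE_BUF_LEN 16

/* The pattern a reviewer should flag at a native boundary: the length of
 * utf is controlled by the Java caller, the destination is a fixed-size
 * buffer, and nothing in between compares the two. Only called here with
 * an input that fits; anything longer is undefined behaviour (stack
 * overflow in the typical JNI layout). */
int native_copy_unchecked(const char *utf, char *out, size_t out_len)
{
    (void)out_len;            /* the size is available but never consulted */
    strcpy(out, utf);         /* overflows when strlen(utf) >= out_len */
    return (int)strlen(out);
}

/* The hardened form: measure the input, reject anything that does not fit
 * together with its terminator, and report failure so the JNI wrapper can
 * raise a Java exception instead of silently truncating or corrupting memory. */
int native_copy_checked(const char *utf, char *out, size_t out_len)
{
    size_t n = strlen(utf);
    if (out_len == 0 || n >= out_len)
        return -1;            /* caller maps this to a Java exception */
    memcpy(out, utf, n + 1);  /* n bytes plus the NUL */
    return (int)n;
}

/* Review helper: given the declared buffer size and the longest input the
 * Java side can supply, does the unchecked copy overflow? */
int would_overflow(size_t input_len, size_t buf_len)
{
    return input_len + 1 > buf_len;
}

/* Convenience wrapper mirroring what the JNI function would do with its own
 * stack buffer; returns the checked copy's result for a given input. */
int try_native_copy(const char *utf)
{
    char buf[NATIVE_BUF_LEN];
    return native_copy_checked(utf, buf, sizeof buf);
}

int main(void)
{
    char buf[NATIVE_BUF_LEN];
    /* Constructed inputs: one that fits and one a Java caller could send
     * that is longer than the native buffer. */
    const char *short_in = "user123";
    const char *long_in  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

    printf("unchecked, short input: %d\n", native_copy_unchecked(short_in, buf, sizeof buf));
    printf("checked,   short input: %d\n", native_copy_checked(short_in, buf, sizeof buf));
    printf("checked,   long input:  %d\n", native_copy_checked(long_in, buf, sizeof buf));
    printf("unchecked copy of long input would overflow: %d\n",
           would_overflow(strlen(long_in), sizeof buf));
    return 0;
}
```

When reviewing real JNI code the same questions apply to GetArrayLength() versus a hard-coded loop bound, to GetStringUTFLength() versus a buffer declared from a constant, and to whether every GetStringUTFChars() has a matching ReleaseStringUTFChars() on all exit paths; the unchecked function above is the shape all of those defects take.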