[Owasp-testing] Contributing to the Code review Guide - Please Read. 80)

Dinis Cruz dinis at ddplus.net
Thu Jan 18 10:37:15 EST 2007


Well, what you need is to tweak that statement a bit to make it correct:

"The moment you see native methods (which leave the Java security manager
and memory protection), you know you found an area that might contain
potential Buffer Overflows, or other C++ type vulnerabilities."

And I will add

"In the .Net Framework this is even more problematic due to the high usage
of unmanaged COM objects (Note to Dinis: Put here details about his 'Buffer
Overflows on the .Net Framework' Research)"

:)

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org


On 1/18/07, Eoin <eoinkeary at gmail.com> wrote:
>
> Hi,
> Someone has been putting "helpful" comments in some sections of the Code
> review guide, such as:
> http://www.owasp.org/index.php/Native_Methods
>
> "The moment you start writing native methods you leave the Java security
> manager and memory protection faculties. Don't do it."
>
> Firstly this is not helpful to anyone involved in code review.
> Secondly if we are performing a code review on a native method code block
> this advice is too late and useless.
> Thirdly, sometimes native methods need to be used for legacy reasons.
>
> The guide is to show what to look for in code review. This helpful advice
> is firstly aimed at the developer and hence no good for a code reviewer.
>
> thanks,
> Eoin
>
>
>
> --
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project


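As an added illustration of the point above, in plain C and not taken from the list or from the Code Review Guide: once a `public native` method hands a Java String to C, the JVM's bounds checking is gone, so the reviewer's job is to find where the native side checks (or fails to check) the length. The first function is the unchecked pattern to flag; the second is the hardened form. In a real JNI body the `utf` pointer would come from GetStringUTFChars and be released with ReleaseStringUTFChars; the buffer size and sample inputs here are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer typical of legacy native code wrapped by a JNI method
 * (constructed value for this example). */
#define NAME_MAX 16

/* Review finding: the Java side bounds its String, but once the UTF-8 bytes
 * reach C nothing checks that they fit. A caller-chosen string longer than
 * NAME_MAX-1 bytes overruns `name`. This is the pattern a reviewer flags in
 * a native method; it is shown for comparison and never called below. */
void set_name_unchecked(char *name, const char *utf)
{
    strcpy(name, utf);             /* no length check: classic overflow */
}

/* Hardened form: treat the JNI string as untrusted input, compare its length
 * with the destination, and fail closed so the Java caller can raise an
 * exception instead of corrupting memory. Returns 0 on success, -1 if the
 * input does not fit. */
int set_name_checked(char *name, size_t name_cap, const char *utf, size_t utf_len)
{
    if (utf == NULL || name_cap == 0)
        return -1;
    if (utf_len >= name_cap)       /* leave room for the terminator */
        return -1;
    memcpy(name, utf, utf_len);
    name[utf_len] = '\0';
    return 0;
}

/* Does a string get accepted into a NAME_MAX buffer? In a JNI wrapper this
 * is what would sit between GetStringUTFChars and ReleaseStringUTFChars. */
int accepts_name(const char *utf)
{
    char name[NAME_MAX];
    return set_name_checked(name, sizeof name, utf, strlen(utf)) == 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one longer than the buffer. */
    printf("short name accepted: %d\n", accepts_name("eoin"));
    printf("long name accepted:  %d\n",
           accepts_name("a string well past sixteen bytes"));
    return 0;
}
```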