[Owasp-testing] [Owasp-codereview] Contributing to the Code review Guide - Please Read.

Jim Manico jim at manico.net
Thu Jan 18 14:45:46 EST 2007


That was me, Eoin. There are better ways than Native Methods and they
should not ever be used by web programmers. Corba is safer. I stand by
my original statement that Native Methods should never be used in Web
Applications and if found in code review it should be flagged and
immediately rolled away from.

- Jim

Dinis Cruz wrote:
> Well, what you need is to tweak that statement a bit to make it correct:
>
> "The moment you see native methods (which leave the Java security manager
> and memory protection), you know you found an area that might contain
> potential Buffer Overflows, or other C++ type vulnerabilities."
>
> And I will add
>
> "In the .Net Framework this is even more problematic due to the high
> usage
> of unmanaged COM objects (Note to Dinis: Put here details about his
> 'Buffer
> Overflows on the .Net Framework' Research)"
>
> :)
>
> Dinis Cruz
> Chief OWASP Evangelist, Are you a member yet?
> http://www.owasp.org
>
>
> On 1/18/07, Eoin <eoinkeary at gmail.com> wrote:
>>
>> Hi,
>> Someone has been putting "helpful" comments in some sections of the Code
>> review guide, such as:
>> http://www.owasp.org/index.php/Native_Methods
>>
>> "The moment you start writing native methods you leave the Java security
>> manager and memory protection faculties. Don't do it."
>>
>> Firstly, this is not helpful to anyone involved in code review.
>> Secondly, if we are performing a code review on a native method code block,
>> this advice is too late and useless.
>> Thirdly, sometimes native methods need to be used for legacy reasons.
>>
>> The guide is to show what to look for in code review. This helpful advice
>> is firstly aimed at the developer and hence no good for a code reviewer.
>>
>> thanks,
>> Eoin
>>
>>
>>
>> -- 
>> Eoin Keary OWASP - Ireland
>> http://www.owasp.org/local/ireland.html
>> http://www.owasp.org/index.php/OWASP_Testing_Project
>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> http://lists.owasp.org/mailman/listinfo/owasp-testing

-- 
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim at manico.net
808.652.3805
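As an added example (not part of this thread or of the OWASP Code Review Guide), here is a small review aid built on the point Dinis makes above: a `native` declaration marks where code leaves the Java security manager and memory protection. It flags native method declarations and shared-library loads in Java source so a reviewer can locate the C/C++ hand-off points; the Java input is a constructed sample.

```python
"""Locate JNI boundary points in Java source for code review.

Added example, not from the OWASP guide or the mailing list. Each hit is a
place where execution can leave the JVM's memory-safety and security-manager
boundary, i.e. the C/C++ code a reviewer must examine separately.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Method declaration carrying the 'native' modifier: no body, ends with ';'.
NATIVE_DECL = re.compile(
    r"\bnative\b[^;{]*\b(?P<name>\w+)\s*\([^)]*\)\s*(?:throws[^;]*)?;")
# Calls that map a shared library into the JVM process.
LIB_LOAD = re.compile(
    r"\b(?:System|Runtime\.getRuntime\(\))\.(?P<call>loadLibrary|load)\s*\(")

@dataclass(frozen=True)
class Finding:
    line: int
    kind: str      # "native-method" or "library-load"
    detail: str    # method name or load call

def strip_comments(src: str) -> str:
    """Blank out // and /* */ comments but keep every newline, so line
    numbers reported later still match the original file. Heuristic: a
    '//' inside a string literal is also blanked."""
    def blank(m: re.Match) -> str:
        return re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", " ", src)

def find_jni_boundaries(java_source: str) -> list[Finding]:
    """Return native declarations and library loads, sorted by line."""
    src = strip_comments(java_source)
    hits = [Finding(src.count("\n", 0, m.start()) + 1, "native-method", m["name"])
            for m in NATIVE_DECL.finditer(src)]
    hits += [Finding(src.count("\n", 0, m.start()) + 1, "library-load", m["call"])
             for m in LIB_LOAD.finditer(src)]
    return sorted(hits, key=lambda f: (f.line, f.kind))

SAMPLE_JAVA = """\
package demo;  // constructed sample input, not real project code
public class ImageCodec {
    static {
        System.loadLibrary("imgcodec");
    }
    // native int oldDecode(byte[] in);   commented out: must not be flagged
    public native int decode(byte[] in, int len) throws java.io.IOException;
    private static native void release(long handle);
    public int safeDecode(byte[] in) { return decode(in, in.length); }
}
"""

if __name__ == "__main__":
    for f in find_jni_boundaries(SAMPLE_JAVA):
        print(f"line {f.line}: {f.kind} -> {f.detail}")
```

Running it on the sample reports the library load on line 4 and the two native methods on lines 7 and 8; the commented-out declaration and the pure-Java `safeDecode` wrapper are not flagged.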
