[Owasp-testing] [Owasp-codereview] Contributing to the Code review Guide - Please Read. 80)

Eoin eoinkeary at gmail.com
Thu Jan 18 17:52:08 EST 2007


Cool and I agree,
but it's still out there and a fact of life. Describing the issues with
native methods in code and with the aid of some examples, it would be best
delivered so developers, given the choice, would avoid this path.

On 18/01/07, Jim Manico <jim at manico.net> wrote:
>
>  That was me, Eoin. There are better ways than Native Methods and they
> should not ever be used by web programmers. Corba is safer. I stand by my
> original statement that Native Methods should never be used in Web
> Applications and if found in code review it should be flagged and immediately
> rolled away from.
>
> - Jim
>
> Dinis Cruz wrote:
>
> Well, what you need is to tweak that statement a bit to make it correct:
>
> "The moment you see native methods (which leave the Java security manager
> and memory protection), you know you found an area that might contain
> potential Buffer Overflows, or other C++ type vulnerabilities."
>
> And I will add
>
> "In the .Net Framework this is even more problematic due to the high usage
> of unmanaged COM objects (Note to Dinis: Put here details about his 'Buffer
> Overflows on the .Net Framework' Research)"
>
> :)
>
> Dinis Cruz
> Chief OWASP Evangelist, Are you a member yet?
> http://www.owasp.org
>
>
> On 1/18/07, Eoin <eoinkeary at gmail.com> wrote:
>
>
> Hi,
> Someone has been putting "helpful" comments in some sections of the Code
> review guide, such as:
> http://www.owasp.org/index.php/Native_Methods
>
> "The moment you start writing native methods you leave the Java security
> manager and memory protection faculties. Don't do it."
>
> Firstly this is not helpful to anyone involved in code review.
> Secondly if we are performing a code review on a native method code block
> this advice is too late and useless.
> Thirdly, sometimes native methods need to be used for legacy reasons.
>
> The guide is to show what to look for in code review. This helpful advice
> is firstly aimed at the developer and hence no good for a code reviewer.
>
> thanks,
> Eoin
>
>
>
> --
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>
>
> --
> Best Regards,
> Jim Manico
> GIAC GSEC Professional, Sun Certified Java Programmer
> jim at manico.net
> 808.652.3805
>
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
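The point Dinis makes above (a `native` declaration marks where execution leaves the Java security manager and memory protection) is what a code reviewer can actually look for. Below is an added example, not code from the thread or from the Code Review Guide: a small scanner that flags native method declarations and `System.loadLibrary`/`System.load` calls so the reviewer knows where to spend manual effort; the Java sample it scans is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample Java source (not from the thread): a legacy class with
# one library load and two native method declarations to flag for review.
SAMPLE_JAVA = """\
package legacy;

public class ImageCodec {
    static { System.loadLibrary("imgcodec"); }

    // legacy decoder retained for compatibility
    public native byte[] decode(byte[] raw, int width);
    private static synchronized native void init();

    public byte[] safeDecode(byte[] raw) { return decode(raw, 0); }
}
"""

# A native method declaration: optional modifiers, the 'native' keyword,
# a return type, the method name and its parameter list.
NATIVE_DECL = re.compile(
    r'^\s*(?:(?:public|protected|private|static|final|synchronized|strictfp)\s+)*'
    r'native\s+[\w<>\[\],\s]+?\s+(\w+)\s*\(([^)]*)\)')
# The calls through which a native library is attached to the JVM.
LIB_LOAD = re.compile(
    r'\b(?:System|Runtime\.getRuntime\(\))\.(loadLibrary|load)\s*\(\s*"([^"]*)"')

@dataclass
class Finding:
    line: int
    kind: str      # "native-method" or "library-load"
    detail: str    # method signature or load target, for the review notes

def scan_java(source: str) -> list[Finding]:
    """Return every native boundary in the source, in line order."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]      # ignore trailing line comments
        m = NATIVE_DECL.search(code)
        if m:
            params = [p.strip() for p in m.group(2).split(",") if p.strip()]
            findings.append(Finding(n, "native-method",
                                    f"{m.group(1)}({', '.join(params)})"))
        for m in LIB_LOAD.finditer(code):
            findings.append(Finding(n, "library-load",
                                    f"{m.group(1)}({m.group(2)!r})"))
    return findings

if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Each flagged line is where the reviewer then checks the C side of the boundary (argument lengths, buffer sizes, return values) rather than the Java side.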