[Owasp-testing] [Owasp-codereview] Contributing to the Code review Guide - Please Read. 80)

Jim Manico jim at manico.net
Thu Jan 18 17:53:10 EST 2007


Eoin,

You are right on, as usual. I just wanted to get the ball rolling - I'll
be sure to add more complete commentary moving forward.

Sweet,
Jim

Eoin wrote:
> Cool and I agree,
> but it's still out there and a fact of life. Describing the issues with
> native methods in code and with the aid of some examples, it would be
> best
> delivered so developers, given the choice, would avoid this path.
>
> On 18/01/07, Jim Manico <jim at manico.net> wrote:
>>
>>  That was me, Eoin. There are better ways than Native Methods and they
>> should not ever be used by web programmers. Corba is safer. I stand
>> by my
>> original statement that Native Methods should never be used in Web
>> Applications and if found in code review it should be flagged and
>> immediately
>> rolled away from.
>>
>> - Jim
>>
>> Dinis Cruz wrote:
>>
>> Well, what you need is to tweak that statement a bit to make it correct:
>>
>> "The moment you see native methods (which leave the Java security
>> manager
>> and memory protection), you know you found an area that might contain
>> potential Buffer Overflows, or other C++ type vulnerabilities."
>>
>> And I will add
>>
>> "In the .Net Framework this is even more problematic due to the high
>> usage
>>
>> of unmanaged COM objects (Note to Dinis: Put here details about his
>> 'Buffer
>> Overflows on the .Net Framework' Research)"
>>
>> :)
>>
>> Dinis Cruz
>> Chief OWASP Evangelist, Are you a member yet?
>> http://www.owasp.org
>>
>>
>> On 1/18/07, Eoin <eoinkeary at gmail.com> <eoinkeary at gmail.com> wrote:
>>
>>
>> Hi,
>> Someone has been putting "helpful" comments in some sections of the Code
>> review guide, such as:
>> http://www.owasp.org/index.php/Native_Methods
>>
>> "The moment you start writing native methods you leave the Java security
>> manager and memory protection faculties. Don't do it."
>>
>> Firstly this is not helpful to anyone involved in code review.
>> Secondly if we are performing a code review on a native method code
>> block
>> this advice is too late and useless.
>> Thirdly, sometimes native methods need to be used for legacy reasons.
>>
>> The guide is to show what to look for in code review. This helpful
>> advice
>> is firstly aimed at the developer and hence no good for a code reviewer.
>>
>> thanks,
>> Eoin
>>
>>
>>
>> -- 
>> Eoin Keary OWASP - Ireland
>> http://www.owasp.org/local/ireland.html
>> http://www.owasp.org/index.php/OWASP_Testing_Project
>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>>
>
>

-- 
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim at manico.net
808.652.3805
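Eoin's point is that the guide should tell a reviewer what to look for. The following is an added example, not from this thread or from the OWASP Code Review Guide, of a first-pass check that flags the native-code boundaries discussed above (Java `native` methods and library loads, .NET P/Invoke, `extern` and `unsafe`) so they can be reviewed for memory-safety issues. The sample sources and file names are constructed; a regex pass rather than a real parser is assumed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructs a reviewer would grep for. Hypothetical rule names; a regex pass
# is assumed, so it is a triage aid, not a proof that code is clean.
PATTERNS = {
    "java-native-method": re.compile(r"\bnative\b[^;{]*\("),
    "java-load-library": re.compile(
        r"\b(System|Runtime\.getRuntime\(\))\.load(Library)?\s*\("),
    "dotnet-pinvoke": re.compile(r"\[\s*DllImport\s*\("),
    "dotnet-extern": re.compile(r"\bextern\b"),
    "dotnet-unsafe": re.compile(r"\bunsafe\b"),
}
COMMENT = re.compile(r"^\s*(//|\*|/\*)")  # skip whole-line comments

@dataclass
class Finding:
    path: str
    line: int
    rule: str
    text: str

def scan_source(path: str, source: str) -> list[Finding]:
    """Return every line that crosses into native/unmanaged code."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        if COMMENT.match(line):
            continue
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(path, n, rule, line.strip()))
    return findings

# Constructed sample inputs: a legacy Java class and a .NET P/Invoke wrapper.
JAVA = """\
package legacy;
public class Crypto {
    static { System.loadLibrary("legacycrypto"); }
    // native helper kept for legacy reasons
    public native byte[] encrypt(byte[] data);
    public byte[] safe(byte[] data) { return data.clone(); }
}
"""
CSHARP = """\
using System.Runtime.InteropServices;
class Legacy {
    [DllImport("legacy.dll")]
    static extern int Parse(byte[] buf, int len);
    unsafe static void Copy(byte* p) { }
}
"""

if __name__ == "__main__":
    for f in scan_source("Crypto.java", JAVA) + scan_source("Legacy.cs", CSHARP):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
```

Each hit marks a spot where the Java security manager or the CLR's managed memory no longer applies, which is where the reviewer checks buffer lengths and argument marshalling by hand.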



More information about the Owasp-testing mailing list