[Owasp-testing] [Owasp-codereview] Code Review project and Code-Scanning-Tool(s)

Jim Manico jim at manico.net
Thu Jan 18 21:58:20 EST 2007


I have a little chat with Jeff Williams and he feels that Java Applets
are relevant. So, I'm game to move all my thinking in that direction.

However, I think we should split the code review guide into 2 separate
language-specific Java categories - one for applets and another for
server-side J2EE.

When deploying applets, you are essentially dropping live source code
into an untrusted environment and suddenly you have a huge list of new
concerns:

1) don't depend on applet input validation (verify at server)
2) do not store sensitive business logic in applets
3) assume all applet classes can be decompiled into source no matter what protections you take
4) do not store sensitive information in applet static
5) Assume that all private applet methods can be circumvented 

Whereas J2EE concerns are radically different since we are talking about code deployed in a trusted environment only exposed to the outside world via ports 80/443 - so any treatise on J2EE code auditing might start at web.xml so we understand the exposed endpoints - not to mention that the primary applet concerns are no longer so relevant regarding server side J2EE programming....

...

Anyhow, I'm sorry if I'm going in the wrong direction or if you disagree, I'm just trying hard to keep the conversation going.

- Jim


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20070118/faaa932e/attachment.html 


More information about the Owasp-testing mailing list