[Owasp-testing] [Owasp-codereview] Code Review project and Code-Scanning-Tool(s)

Jim Manico jim at manico.net
Fri Jan 19 06:44:34 EST 2007


Sure thing, Eoin. I'm game.

- Jim

Eoin wrote:
> This is a very good idea Jim.
> I think we should have an Applet section to address these concerns.
> Do you want to do it?
> I shall put a chapter in the wiki for you if you are game?
> Eoin
>
>
>
> On 19/01/07, Jim Manico <jim at manico.net> wrote:
>>
>> I had a little chat with Jeff Williams and he feels that Java Applets
>> are relevant. So, I'm game to move all my thinking in that direction.
>>
>> However, I think we should split the code review guide into 2 separate
>> language-specific Java categories - one for applets and another for
>> server-side J2EE.
>>
>> When deploying applets, you are essentially dropping live source code
>> into an untrusted environment and suddenly you have a huge list of new
>> concerns:
>>
>> 1) don't depend on applet input validation (verify at server)
>> 2) do not store sensitive business logic in applets
>> 3) assume all applet classes can be decompiled into source no matter
>> what protections you take
>> 4) do not store sensitive information in applet static
>> 5) Assume that all private applet methods can be circumvented
>> Whereas J2EE concerns are radically different since we are talking
>> about code deployed in a trusted environment only exposed to the
>> outside world via ports 80/443 - so any treatise on J2EE code
>> auditing might start at web.xml so we understand the exposed
>> endpoints - not to mention that the primary applet concerns are no
>> longer so relevant regarding server side J2EE programming...
>>
>> ...
>>
>> Anyhow, I'm sorry if I'm going in the wrong direction or if you
>> disagree, I'm just trying hard to keep the conversation going.
>>
>> - Jim

-- 
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim at manico.net
808.652.3805
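The review starting point Jim describes above, enumerating the endpoints a J2EE app exposes through web.xml and which of them sit under no security-constraint, as an added Python example that is not part of this thread or any OWASP project code; the deployment descriptor and the com.example servlet classes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor for a hypothetical app (not from the thread).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet><servlet-name>Login</servlet-name><servlet-class>com.example.LoginServlet</servlet-class></servlet>
  <servlet><servlet-name>Admin</servlet-name><servlet-class>com.example.AdminServlet</servlet-class></servlet>
  <servlet><servlet-name>Report</servlet-name><servlet-class>com.example.ReportServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>Login</servlet-name><url-pattern>/login</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Admin</servlet-name><url-pattern>/admin/users</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Report</servlet-name><url-pattern>/report</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Compare local names only, so namespaced and plain descriptors parse the same way.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]
def _text(elem, name):
    kids = _kids(elem, name)
    return (kids[0].text or "").strip() if kids else None

def _covers(constraint_pattern, mapping_pattern):
    # Simplified servlet-spec matching: exact match, "/*", or a "/prefix/*" constraint
    # covering anything under that prefix. Extension patterns such as *.jsp are not handled.
    return constraint_pattern in (mapping_pattern, "/*") or (
        constraint_pattern.endswith("/*") and mapping_pattern.startswith(constraint_pattern[:-1]))

def exposed_endpoints(web_xml):
    """Map each mapped url-pattern to its servlet class and the roles allowed to reach it (empty = anonymous)."""
    root = ET.fromstring(web_xml)
    classes = {_text(s, "servlet-name"): _text(s, "servlet-class") for s in _kids(root, "servlet")}
    constraints = []  # (url-pattern, [role-name, ...])
    for sc in _kids(root, "security-constraint"):
        roles = [(r.text or "").strip() for ac in _kids(sc, "auth-constraint") for r in _kids(ac, "role-name")]
        if _kids(sc, "auth-constraint") and not roles:
            roles = ["<denied to everyone>"]  # an empty <auth-constraint/> blocks all access
        for wrc in _kids(sc, "web-resource-collection"):
            constraints += [((up.text or "").strip(), roles) for up in _kids(wrc, "url-pattern")]
    endpoints = {}
    for m in _kids(root, "servlet-mapping"):
        pattern = _text(m, "url-pattern")
        roles = [r for cp, rs in constraints if _covers(cp, pattern) for r in rs]
        endpoints[pattern] = {"class": classes.get(_text(m, "servlet-name")), "roles": roles}
    return endpoints

def unprotected(web_xml):
    """url-patterns to review first: mapped to a servlet but under no auth-constraint."""
    return sorted(p for p, e in exposed_endpoints(web_xml).items() if not e["roles"])
```

Running `unprotected(WEB_XML)` on the sample lists `/login` and `/report` as reachable without any role, which is where a server-side review of input handling would begin.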