[Owasp-testing] [Owasp-codereview] Code Review project and Code-Scanning-Tool(s)

Eoin eoinkeary at gmail.com
Fri Jan 19 06:36:51 EST 2007


This is a very good idea Jim.
I think we should have an Applet section to address these concerns.
Do you want to do it?
I shall put a chapter in the wiki for you if you are game?
Eoin



On 19/01/07, Jim Manico <jim at manico.net> wrote:
>
> I have a little chat with Jeff Williams and he feels that Java Applets are
> relevant. So, I'm game to move all my thinking in that direction.
>
> However, I think we should split the code review guide into 2 separate
> language-specific Java categories - one for applets and another for
> server-side J2EE.
>
> When deploying applets, you are essentially dropping live source code into
> an untrusted environment and suddenly you have a huge list of new concerns:
>
> 1) don't depend on applet input validation (verify at server)
> 2) do not store sensitive business logic in applets
> 3) assume all applet classes can be decompiled into source no matter what protections you take
> 4) do not store sensitive information in applet static
> 5) Assume that all private applet methods can be circumvented
> Whereas J2EE concerns are radically different since we are talking about code deployed in a trusted environment only exposed to the outside world via ports 80/443 - so any treatise on J2EE code auditing might start at web.xml so we understand the exposed endpoints - not to mention that the primary applet concerns are no longer so relevant regarding server side J2EE programming....
>
> ...
>
> Anyhow, I'm sorry if I'm going in the wrong direction or if you disagree, I'm just trying hard to keep the conversation going.
>
> - Jim
>
>
>
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20070119/b6381f75/attachment-0001.html 


More information about the Owasp-testing mailing list