[ajug-members] Java source analyzer for security holes, memory leaks etc?
Dean H. Saxe
dean at fullfrontalnerdity.com
Mon Jul 23 08:05:47 EDT 2007
Fortify SCA is the gold standard here. www.fortify.com
Users of Fortify or any source scanning tool must understand both the
advantages and disadvantages of an automated approach. First, these
tools do a good job of finding bugs. Bugs are defined as problems at
the time of implementation, such as integer overflows, failure to
close resources appropriately, etc. SQL Injection and cross-site
scripting are also found quite effectively by Fortify. However, bugs
only make up ~50% of all software security issues in any code-base.
The other issues to identify and fix are flaws; these are the
architectural-level problems that come from the design of the
software, such as poor cryptography (home grown, weak keys,
weak key storage), authentication bypass, authorization problems such
as privilege escalation, etc. These issues will never be found by
Fortify or any code scanning tools and must be found through design
review mechanisms such as threat modeling or a manual code review.
What's the point? At best, scanning tools find 50% of all issues in
any code base. And that is only if there are no false negatives and
there is 100% code coverage, both of which are quite unlikely to occur!
Gary McGraw (cigital.com among others) calls any scanning tool a
"badnessometer" because it will only tell you how much your code
sucks and not that your code is secure (the same can be said about
automated penetration testing with a tool like SPI Dynamics
WebInspect, as well as manual pen testing to a lesser degree). Using
any scanning tool in the absence of other techniques is a sure-fire
way to get a false sense of security. If you intend to go down this
path I urge you to look at how Fortify or other scanning tools fit
into an SDLC built with security in mind and not just as a bolt-on
attachment to the SDLC to meet some regulatory requirement.
-dhs
Dean H. Saxe, CISSP, CEH
dean at fullfrontalnerdity.com
"To announce that there must be no criticism of the president, or
that we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public."
-- Theodore Roosevelt
On Jul 23, 2007, at 6:40 AM, Curt Smith wrote:
> Greetings,
>
> Does anyone have a tip for a java (j2ee) source analyzer that would be
> run during nightly builds etc that would find security holes or memory
> leaks? I'd guess there's tools that would find the forgotten
> conn.close() and resultset.close(), but more thorough and extensive
> scanning is also desired.
>
> Thanks, Curt Smith
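The bug-versus-flaw distinction in the reply above, as an added illustration that is not part of the thread and not Fortify's or any vendor's code: one JDBC lookup written the leaky, injectable way a scanner flags, the same lookup hardened, and then the point that the hardened method is still a design flaw if nothing ties the order to the caller. The DAO, the orders table and its columns are assumed for the example; try-with-resources postdates the 2007 post.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.sql.DataSource;

// Hypothetical DAO; the DataSource is assumed to be supplied by the container.
public class OrderDao {
    private final DataSource ds;
    public OrderDao(DataSource ds) { this.ds = ds; }

    // BUG (scanner territory): SQL built by concatenation (injection) and a
    // Connection/Statement/ResultSet that are never closed if executeQuery throws.
    // These are exactly the implementation-time defects static analysis finds well.
    public String findOrderLeaky(String orderId) throws SQLException {
        Connection c = ds.getConnection();
        Statement st = c.createStatement();
        ResultSet rs = st.executeQuery(
            "SELECT detail FROM orders WHERE id = '" + orderId + "'");
        String detail = rs.next() ? rs.getString(1) : null;
        rs.close(); st.close(); c.close();   // skipped on every exceptional path
        return detail;
    }

    // BUGS FIXED, FLAW REMAINS: parameterised query, every resource closed on every
    // path, so the scanner is satisfied. Yet any authenticated caller can read any
    // order, because no rule says an order belongs to someone. That is a design
    // decision the tool cannot see; only a threat model or manual review surfaces it.
    public String findOrder(String orderId) throws SQLException {
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT detail FROM orders WHERE id = ?")) {
            ps.setString(1, orderId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // FLAW FIXED: the caller's identity becomes part of the predicate, so ownership is
    // enforced by the query itself (assumes a user_id column on the hypothetical table).
    public String findOrderForUser(String callerUserId, String orderId) throws SQLException {
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT detail FROM orders WHERE id = ? AND user_id = ?")) {
            ps.setString(1, orderId);
            ps.setString(2, callerUserId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```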