Java Source Code Review

Viewing 3 reply threads
  • Author
    Posts
    • #5495
      UNIX
      Participant

      I have to do a Java source code review in the next time and wanted to ask if anyone has some experience with this and can give hints/ recommendations on what to look for etc.
      Since I’ll probably have to do most without the help of any static analysis tools, I’m looking for manual approaches.
      Any help is much appreciated.

    • #34740
      caissyd
      Participant

      I will have to do the same thing next week!

      That being said, can you give me more info about the code you will review?

      I know Java very well as well as frameworks, architecture etc. But depending of the size of the application, this could be a very long task…

    • #34741
      caissyd
      Participant

      Ok, here are a few resources:

      OWASP Code Review Guide:
      http://www.lulu.com/product/paperback/owasp-code-review/4458615

      List of things to look for (while quite basic):
      http://www.sans.org/security-training/secure-code-review-java-web-apps-1192-mid

      OWASP Top 10 vulnerabilities (very good reading!!)
      http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

      It depends if you are reviewing a web application, an applet, a stand alone application, etc. But in my opinion, without spending a week writting on the subject, I would look for:

      1) Input validation: Proper server-side validation of all inputs, including drop-down menus, and hidden fields

      2) SQL queries: Check if the framework uses Object Relational Mapping (ORM) like Hibernate, prepared statements or stored procedures.

      3) Database connections: How the database credentials are stored, database user having “least privileges”, encrypted connection

      4) AJAX and Web Services: Look at these two very well. Again, validate all inputs, fuzz them. Do you need to sign your web services?

      5) Java frameworks for web applications like Spring MVC or MyFaces do a great job filtering bad characters for you. However, you should test different character encoding nevertheless.

      6) Spend some time reviewing session management mechanism: login, logout, change password, etc.

      7) Basically, review the OWASP Top 10 vulnerabilities and make sure there are none in your code.

      8 ) Check they don’t copy sensitive data from prod to dev, for example client’s account, personal address, etc

      9) Is the repository secure?

      10) You can also check for proper separation of layers: Model-View-Controller, 3-Tier like Presentation-Service-data layers, Service Oriented Architecture, etc

      11) If 2 systems trust each other, make sure they are who they say they are (look for possibnle MitM)

      I have to go, but I will add more later.

    • #34742
      secureseve
      Participant

      Nice review H1t M0n3y. I have a similar task and that was an interesting read!

Viewing 3 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?