August 24, 2010 at 7:49 am #5495 UNIX (Participant)
I have to do a Java source code review in the near future and wanted to ask if anyone has some experience with this and can give hints/recommendations on what to look for etc.
Since I’ll probably have to do most without the help of any static analysis tools, I’m looking for manual approaches.
Any help is much appreciated.
August 24, 2010 at 10:31 am #34740 caissyd (Participant)
I will have to do the same thing next week!
That being said, can you give me more info about the code you will review?
I know Java very well, as well as frameworks, architecture etc. But depending on the size of the application, this could be a very long task…
August 24, 2010 at 1:18 pm #34741 caissyd (Participant)
Ok, here are a few resources:
OWASP Code Review Guide:
List of things to look for (while quite basic):
OWASP Top 10 vulnerabilities (very good reading!!)
It depends if you are reviewing a web application, an applet, a stand-alone application, etc. But in my opinion, without spending a week writing on the subject, I would look for:
1) Input validation: Proper server-side validation of all inputs, including drop-down menus, and hidden fields
2) SQL queries: Check if the framework uses Object Relational Mapping (ORM) like Hibernate, prepared statements or stored procedures.
3) Database connections: How the database credentials are stored, database user having “least privileges”, encrypted connection
4) AJAX and Web Services: Look at these two very well. Again, validate all inputs, fuzz them. Do you need to sign your web services?
5) Java frameworks for web applications like Spring MVC or MyFaces do a great job filtering bad characters for you. However, you should test different character encoding nevertheless.
6) Spend some time reviewing session management mechanism: login, logout, change password, etc.
7) Basically, review the OWASP Top 10 vulnerabilities and make sure there are none in your code.
8) Check they don’t copy sensitive data from prod to dev, for example client’s account, personal address, etc.
9) Is the repository secure?
10) You can also check for proper separation of layers: Model-View-Controller, 3-Tier like Presentation-Service-data layers, Service Oriented Architecture, etc
11) If 2 systems trust each other, make sure they are who they say they are (look for possible MitM)
I have to go, but I will add more later.
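Items 1 and 2 of the list above (server-side input validation and how SQL queries are built) are the two things a manual Java review most often turns up, so here is an added illustration of what to grep for and what the fix looks like. This is example code written for this thread, not code from caissyd, OWASP, or any project; the `accounts` table, its columns, and the allow-list values are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

public class AccountLookup {

    // Hypothetical schema: accounts(id, username, email, created_at).
    private final Connection conn;

    public AccountLookup(Connection conn) {
        this.conn = conn;
    }

    // VULNERABLE: the pattern to grep for in a review (createStatement plus
    // string concatenation of request data). A username of
    //   ' OR '1'='1
    // turns this into SELECT ... WHERE username = '' OR '1'='1' and dumps every row.
    public ResultSet findEmailUnsafe(String username) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery(
            "SELECT email FROM accounts WHERE username = '" + username + "'");
    }

    // Item 1: server-side allow-list validation. Reject anything that is not a
    // plausible username before it reaches the database layer at all.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    // Item 2, hardened: validate, then bind the value as a parameter. The driver
    // sends the value separately from the query text, so it can never change the
    // structure of the statement. try-with-resources closes the statement and
    // result set even when an exception is thrown.
    public Optional<String> findEmail(String username) throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("invalid username");
        }
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT email FROM accounts WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
            }
        }
    }

    // Caveat reviewers should know: identifiers (column names, table names,
    // ORDER BY targets) cannot be bound with '?'. Concatenation is the only
    // option there, so it is safe ONLY because the value is checked against a
    // fixed allow-list first. Flag any ORDER BY / table-name concatenation that
    // lacks such a check.
    private static final Set<String> SORT_COLUMNS = Set.of("username", "created_at");

    public List<String> listUsernames(String sortColumn) throws SQLException {
        if (!SORT_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("invalid sort column");
        }
        String sql = "SELECT username FROM accounts ORDER BY " + sortColumn;
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                names.add(rs.getString("username"));
            }
        }
        return names;
    }
}
```

When reviewing by hand, search the code base for `createStatement(`, for `executeQuery(` / `executeUpdate(` whose argument contains a `+`, and, if Hibernate is in use, for `createQuery(` built from concatenated strings (HQL is injectable in the same way as raw SQL). Stored procedures and ORMs only help if the procedure body or the ORM query itself does not concatenate input, so check those too rather than ticking the box because a framework is present.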
August 24, 2010 at 3:06 pm #34742 secureseve (Participant)
Nice review H1t M0n3y. I have a similar task and that was an interesting read!