
Java Source Code Review


UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Aug 24, 2010 2:49 am

Java Source Code Review

I have to do a Java source code review soon and wanted to ask if anyone has some experience with this and can give hints/recommendations on what to look for, etc.
Since I'll probably have to do most of it without the help of any static analysis tools, I'm looking for manual approaches.
Any help is much appreciated.

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 24, 2010 5:31 am

Re: Java Source Code Review

I will have to do the same thing next week!

That being said, can you give me more info about the code you will review?

I know Java very well, as well as frameworks, architecture, etc. But depending on the size of the application, this could be a very long task...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 24, 2010 8:18 am

Re: Java Source Code Review

Ok, here are a few resources:

OWASP Code Review Guide:
http://www.lulu.com/product/paperback/owasp-code-review/4458615

List of things to look for (while quite basic):
http://www.sans.org/security-training/secure-code-review-java-web-apps-1192-mid

OWASP Top 10 vulnerabilities (very good reading!!)
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

It depends if you are reviewing a web application, an applet, a stand-alone application, etc. But in my opinion, without spending a week writing on the subject, I would look for:


1) Input validation: Proper server-side validation of all inputs, including drop-down menus, and hidden fields

2) SQL queries: Check if the framework uses Object Relational Mapping (ORM) like Hibernate, prepared statements or stored procedures.

3) Database connections: How the database credentials are stored, database user having "least privileges", encrypted connection

4) AJAX and Web Services: Look at these two very well. Again, validate all inputs, fuzz them. Do you need to sign your web services?

5) Java frameworks for web applications like Spring MVC or MyFaces do a great job filtering bad characters for you. However, you should test different character encoding nevertheless.

6) Spend some time reviewing session management mechanism: login, logout, change password, etc.

7) Basically, review the OWASP Top 10 vulnerabilities and make sure there are none in your code.

8) Check they don't copy sensitive data from prod to dev, for example clients' accounts, personal addresses, etc.

9) Is the repository secure?

10) You can also check for proper separation of layers: Model-View-Controller, 3-Tier like Presentation-Service-data layers, Service Oriented Architecture, etc

11) If 2 systems trust each other, make sure they are who they say they are (look for possible MitM)

I have to go, but I will add more later.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
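To make items 1, 2 and 6 of the list above concrete for a reviewer reading Java, here is an added example (it is not code from the thread or from any project the posters describe). It shows the patterns to flag and the patterns to expect: a drop-down/hidden-field value validated against a server-side whitelist, a JDBC query built by string concatenation beside its PreparedStatement replacement, the case a bind parameter cannot cover (an ORDER BY column), and a login that discards the pre-authentication session. The class, method and table names (`ReviewExamples`, `users`, `email`) and the 15-minute idle timeout are assumptions for illustration; the `Connection` and `HttpServletRequest` are assumed to be supplied by the surrounding application.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added illustration, not code from the thread. Names are hypothetical.
public class ReviewExamples {

    // 1) Server-side validation of a drop-down or hidden field. The browser can
    //    submit any value, so the allowed set lives here, not in the HTML.
    private static final Set<String> ALLOWED_SORT_COLUMNS = Set.of("name", "created", "balance");

    public static String validateSortColumn(String candidate) {
        if (candidate == null || !ALLOWED_SORT_COLUMNS.contains(candidate)) {
            throw new IllegalArgumentException("unexpected sort column");
        }
        return candidate;
    }

    // 2) Pattern to flag: query text assembled from user input. A username such as
    //    ' OR '1'='1 changes the structure of the statement, not just a value.
    public static List<String> findEmailsVulnerable(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + username + "'";
        List<String> emails = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    // 2) Pattern to expect: a PreparedStatement with a bind parameter. The value is
    //    sent separately from the query text and cannot alter its structure.
    public static List<String> findEmailsSafe(Connection conn, String username) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        }
        return emails;
    }

    // Identifiers (table and column names) cannot be bound with '?', so a
    // user-chosen sort column must pass the whitelist before it is concatenated.
    public static List<String> listEmailsSorted(Connection conn, String sortColumn) throws SQLException {
        String column = validateSortColumn(sortColumn);
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement("SELECT email FROM users ORDER BY " + column);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    // 6) Session management on login: invalidate the pre-authentication session so a
    //    session id an attacker planted beforehand is not promoted to an authenticated one.
    public static HttpSession establishAuthenticatedSession(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("userId", userId);
        fresh.setMaxInactiveInterval(15 * 60); // idle timeout in seconds (assumed policy)
        return fresh;
    }

    // Stand-alone check of the whitelist; the JDBC and servlet methods need a live container.
    public static void main(String[] args) {
        System.out.println("accepted: " + validateSortColumn("name"));
        try {
            validateSortColumn("name; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When reviewing, grep for `createStatement(` and for `+` inside string literals that begin with SELECT/INSERT/UPDATE/DELETE; every hit should either be replaced by a bind parameter or, for identifiers, be preceded by a whitelist check like the one above. For session handling, look for the login path and confirm the old session is invalidated before the user id is attached.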

secureseve

Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Tue Aug 24, 2010 10:06 am

Re: Java Source Code Review

Nice review H1t M0n3y. I have a similar task and that was an interesting read!
http://twitter.com/mikesantillana
eLearnSecurity Team Member.

Powered by phpBB® Forum Software © phpBB Group.