From: Kenneth R. van Wyk (kenvanwyk.org)
Date: Wed Oct 15 2003 - 15:47:27 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wednesday 15 October 2003 13:52, lupin wrote:
> I know those tools too, but they are scanning only C/C++ source code and
> I'm looking for a tool which scan Java code. (or/and JSP)

In doing the research for our book (Secure Coding, O'Reilly, 2003), my
co-author and I looked around quite a bit for different static code scanning
tools. We didn't find any that could scan Java code, unfortunately.
However, a list of links to various other tools is available via our book's
web site at http://www.securecoding.org/companion/tools.php.

> The goal is to have a tool which validate taht the code we wrote is secure.

That's a tall order to fill. Static code checkers only detect known flaws in
the implementation of your software. They can't validate the absence of
flaws in the code. Further, they can't detect architectural, design, or
operational flaws in the way that the application is deployed.

As the previous poster said, though, they're still useful for detecting "low
hanging fruit" like buffer overflows and such. But not in Java... ;-\

Cheers,

Ken van Wyk

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]