grouper-dev - Re: [grouper-dev] assuring security of code
- From: Patrick Radtke <>
- To: Tom Barton <>
- Cc: Grouper Dev <>
- Subject: Re: [grouper-dev] assuring security of code
- Date: Fri, 07 Sep 2012 11:52:38 -0700
On 9/7/12 11:21 AM, Tom Barton wrote:
> From time to time we've discussed on grouper-dev conference calls the
> desire to incorporate some sort of code-level security assessment into
> the grouper release process. One potential source of info on tools that
> might be useful in that role is OWASP, specifically:
> https://www.owasp.org/index.php/Phoenix/Tools#Java_static_analysis.2C_security_frameworks.2C_and_web_application_security_tools
> Does anyone have experience with any of these or other similar tools, or
> any advice or lessons that we'd be smart to take into account?
I've used a number of the static analysis tools on that list. I found them useful for discovering bugs or showing areas that need better testing/etc, but I didn't find them useful for finding security specific issues.
We evaluated using hdiv on a project but found it:
1. did a lot more than we wanted
2. didn't mention compatibility with Spring 3, only Spring 2.
3. may make debugging more difficult
We opted to use OWASP CSRF Guard project which was much easier to use in the common cases but has issues in more complex scenarios.
OWASP advice is generally for web based attacks and likely wouldn't help with application specific code-level security issues. I've found the advice provided by them to be quite helpful. The tools they provide range from helpful (Zed Attack Proxy) to poorly documented and explained, but overall I feel our webapps are much more secure from reading through the site and following the advice.
We've found developer and deployer awareness of security issues goes a long way toward eliminating them. Once we became 'aware', it was trivial to find security issues in legacy applications.
-Patrick