
grouper-dev - Re: [grouper-dev] assuring security of code


Re: [grouper-dev] assuring security of code


  • From: Patrick Radtke <>
  • To: Tom Barton <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] assuring security of code
  • Date: Fri, 07 Sep 2012 11:52:38 -0700

On 9/7/12 11:21 AM, Tom Barton wrote:
> From time to time we've discussed on grouper-dev conference calls the
> desire to incorporate some sort of code-level security assessment into
> the grouper release process. One potential source of info on tools that
> might be useful in that role is OWASP, specifically:
>
> https://www.owasp.org/index.php/Phoenix/Tools#Java_static_analysis.2C_security_frameworks.2C_and_web_application_security_tools
>
> Does anyone have experience with any of these or other similar tools, or
> any advice or lessons that we'd be smart to take into account?

I've used a number of the static analysis tools on that list. I found them useful for discovering bugs or showing areas that need better testing, etc., but I didn't find them useful for finding security-specific issues.

We evaluated using hdiv on a project but found it:
1. did a lot more than we wanted
2. didn't mention compatibility with Spring 3, only Spring 2.
3. may make debugging more difficult

We opted to use OWASP CSRF Guard project which was much easier to use in the common cases but has issues in more complex scenarios.

OWASP advice is generally for web based attacks and likely wouldn't help with application specific code-level security issues. I've found the advice provided by them to be quite helpful. The tools they provide range from helpful (Zed attack proxy) to poorly documented and explained, but overall I feel our webapps are much more secure from reading through the site and following the advice.

We've found developer and deployer awareness of security issues goes a long way toward eliminating them. Once we became 'aware' it was trivial to find security issues in legacy applications.

-Patrick
