Open Source Static Analysis Tools for Security Testing of Java Web Applications

Posted by Unknown 0 komentar
Open Source Static Analysis Tools for Security Testing of Java Web Applications | The focus of our analysis, which is summarized in this document, was to evaluate the use of Open Source Java test tools in the context of Java web application security. Most of the tools discussed here are not designed for this purpose. Thus, we want to emphasize that the tools listed and discussed in this document should not be considered inferior or inappropriate. We do not assess the value of any tool in general or in comparison with others. Most of the tools discussed might be suitable for their intended purpose and application context.

The target group of this documentation should have a fundamental understanding of the security problems of web applications. Please find corresponding references in the Related work section. Moreover, a basic understanding of static analysis tools for Java is necessary, since we only provide a brief introduction to the section ‘basics of static analyzers’ in section Executive summary.

This document summarizes our analysis of Open Source tools which we have selected and examined to evaluate their characteristics for enabling security tests for Java web applications. In the context of our work, we focused on static analysis tools only. Thus, in the following we always refer to Java and static analysis when we speak about testing tools. The following material and references should be useful for Java software developers with security concerns. Please note that we present the current status of our analysis in July 2006. The most important result of our analysis is the fact that there are no Open Source tools for static analysis with sufficient support for security tests. Even though there are several commercial1 tools in this sector, such as Fortify Tools [5], CodeAssure [6], or Coverity Prevent [7], Open Source projects simply do not provide corresponding bug detectors and rules for security. Consequently, we focused on the extensibility of Open Source tools for our analysis. Our purpose was to examine whether the selected tools provide sufficient methods for implementing security tests. Please note, when we speak about Open Source tools, we refer to all projects which provide their tools and their sources freely to the public. Although there are no Open Source static analyzers which provide sufficient support for security tests, this analysis focused on Open Source tools, because these are cost-cutting and freely available. Download free Open Source Static Analysis Tools for Security Testing of Java Web Applications.pdf here

0 komentar:

Post a Comment