
Java Coding Guidelines AND Automated Testing Tools AND Vulnerability Scanners

Ted North
Hello authors of Java Coding Guidelines,

Does the book cover any tests that can be done using some sort of tool that can analyze byte code or source code? Does the book show how to use vulnerability assessment software on a java program or web application?



Thank you for reading.

Regards,

Ted
Dhruv Mohindra
Author
Hi Ted,

Ted North wrote:
Does the book cover any tests that can be done using some sort of tool that can analyze byte code or source code?

The JCG book consists of guidelines that are meant for a programmer to read. Guidelines differ from rules in that sound automated analysis is not always possible. For example, a tool may not be able to determine programmer intent by inspecting bytecode or source code.

The CERT Oracle Secure Coding Standard for Java (AW, 2012) from the same group of authors consists of rules that are amenable to static analysis and useful if you intend to build secure and reliable Java-based software. In fact, some of the rules have been adopted by these tools and converted to checkers / detectors.

Ted North wrote:
Does the book show how to use vulnerability assessment software on a java program or web application?

Tool support is out of scope for the JCG book - such information is eternally changing and tool updates are frequent. The JCG book explains through examples of insecure and secure code but does not intend to provide a "security testing" strategy.
Ted North
Dhruv,

Ah, thank you for the reply. It is excellent to receive an interesting reply from a knowledgeable author.

I think I understand what you are typing. There is no security testing help using static analysis tools or vulnerability scanners via tutorials in the book but the guidelines in the book make up some of the logic of these tools. I guess I could make my own scanner with this information.

Thank you again, sir, for the reply. It means a great deal to me.

Respectfully,

Ted
