WebApp Sec
mailing list archives
Re: Java Security Code Review Tool
From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Thu, 3 Nov 2005 11:18:57 -0500
I have used CodeAssure from Secure Software. I like it, though it
can take a LONG time to run (~4 hours on ~170KLOC recently on a
reasonably powerful laptop with ample RAM). Admittedly, I don't have
much else to compare it to.
Be aware that no tool is able to find all of the issues that a human
is able to find. The ability of any tool to find the fewest false
positives while also minimizing false negatives is dependent on your
configuration of the tool. If you understand the limitations of the
tools and follow up any automated review with manual code reviews you
will get the best results. I find these tools to be most helpful in
pointing me to code which requires further manual review.
Anyone who knows me knows of my love for regular expressions
(RegEx). Carefully crafted RegEx code is also *extremely* helpful to
point you in the right direction when doing a manual review just by
searching for target strings (rand, crypt, password, class names,
etc). Automated tools, directed searching with RegEx and manual
reviews directed by the previous two and a threat model work best
for me.
-dhs
Dean H. Saxe, CEH
dean () fullfrontalnerdity com
"[U]nconstitutional behavior by the authorities is constrained only
by the peoples' willingness to contest them"
--John Perry Barlow
On Nov 3, 2005, at 3:00 AM, dharmeshmm () mastek com wrote:
Hi All,
Has anybody evaluated any Java Security Code Review Tool?
I have come across FxCop and DevPartner which are particularly
for .NET.
Regards,
Dharmesh.
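The "directed searching with RegEx" that the reply above describes, as an added example that is not part of the thread: a small triage scanner that runs a set of target-string regexes (rand, crypt, password, class names) over Java source and reports each hit with the reason it deserves a manual look. The Java snippet, the pattern set and the category names are constructed for illustration, not taken from any real project or tool.

```python
import re
from collections import Counter

# Constructed sample Java source (not from the thread): a few lines a triage
# search should surface, plus one comment line it should ignore.
SAMPLE_JAVA = """\
package example;
import java.util.Random;
public class Login {
    // TODO: rotate password regularly
    private static final String password = "hunter2";
    private final Random rand = new Random();
    public String token() { return Long.toString(rand.nextLong()); }
    public boolean check(String user, String pw) {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return Arrays.equals(md.digest(pw.getBytes()), stored);
    }
}
"""
# Target strings in the spirit of the post (rand, crypt, password, class names),
# each as a regex plus the reason the matching line deserves a manual look.
PATTERNS = [
    ("randomness", re.compile(r"\bjava\.util\.Random\b|\brand\w*\b", re.I),
     "non-CSPRNG or unclear RNG; verify where the value ends up"),
    ("secret", re.compile(r"\b(password|passwd|pwd|secret)\b", re.I),
     "possible hard-coded or logged credential"),
    ("crypto", re.compile(r"\bMessageDigest\b|\bcrypt\w*\b|\bMD5\b|\bSHA1\b", re.I),
     "hashing/crypto call; check algorithm choice and key handling"),
]
COMMENT_LINE = re.compile(r"^\s*(//|\*|/\*)")  # whole-line comments only

def find_hits(source, patterns=PATTERNS, skip_comments=True):
    """Return [(line_no, category, stripped_line, reason)], one entry per
    matching category per line; comment-only lines are skipped by default
    so the review queue holds code, not TODO notes."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        if skip_comments and COMMENT_LINE.match(line):
            continue
        for category, rx, reason in patterns:
            if rx.search(line):
                hits.append((no, category, line.strip(), reason))
    return hits

def summarize(hits):
    """Hit count per category, to decide where to start the manual review."""
    return dict(Counter(category for _, category, _, _ in hits))

if __name__ == "__main__":
    for no, cat, text, why in find_hits(SAMPLE_JAVA):
        print(f"{no:>3} [{cat}] {text}\n     -> {why}")
    print(summarize(find_hits(SAMPLE_JAVA)))
```

The hits are a queue for the manual review the reply recommends, not findings in themselves; the `pw` parameter on the `check` line shows why the pattern list must be tuned per code base, as it slips past the `secret` regex.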