Also be sure to check on http://www.owasp.org as there is a *ton* of great
information on the site.

Here are some good starting points:

http://www.owasp.org/index.php/Category:OWASP_Java_Project
http://www.owasp.org/index.php/Category:Java

And also some good information on doing code review in general:

http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents


On Thu, Apr 1, 2010 at 2:29 PM, Romain Gaucher <rgauc...@cigital.com> wrote:

> CERT also has many rules for Java (good and bad examples) as part of
> their secure coding practices.
> You can find that here:
>
> https://www.securecoding.cert.org/confluence/display/java/The+CERT+Sun+Microsystems+Secure+Coding+Standard+for+Java
>
> Romain
>  - Security consultant, Cigital
>
> ________________________________________
> From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On
> Behalf Of Martin, Robert A. [ramar...@mitre.org]
> Sent: Thursday, April 01, 2010 2:49 PM
> To: Matt Parsons
> Cc: SC-L@securecoding.org
> Subject: Re: [SC-L] working on java security help from experts
>
> The Common Weakness Enumeration (CWE) has a "view" of issues that can
> occur in Java applications.
>
> See: http://cwe.mitre.org/data/slices/660.html for a listing of all the
> details or: http://cwe.mitre.org/data/lists/660.html for a list of the
> items where the names are hyper-links to the content about them.
>
> The entries include description, code examples, real world CVE examples
> of the issue in many cases, references and in most cases pointers to the
> attack patterns effective against the issue.
>
> Bob
>
> Matt Parsons wrote:
> > I am trying to become an expert in source code review in Java application
> > security.  Are there any experts on this list that are willing to share some
> > of their knowledge?   I am reading Java Security by Scott Oaks and I am
> > rereading all of the Sun docs on Java security.  Any help would be greatly
> > appreciated.
> >
> > Thanks,
> > Matt
> >
> > Matt Parsons, MSM, CISSP
> > 315-559-3588 Blackberry
> > 817-294-3789 Home office
> > "Do Good and Fear No Man"
> > Fort Worth, Texas
> > A.K.A The Keyboard Cowboy
> > mailto:mparsons1...@gmail.com
> > http://www.parsonsisconsulting.com
> > http://www.o2-ounceopen.com/o2-power-users/
> > http://www.linkedin.com/in/parsonsconsulting
> > http://parsonsisconsulting.blogspot.com/
> > http://www.vimeo.com/8939668
> >
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
>



-- 
Chris Schmidt

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/

Yet Another Developers Blog
http://yet-another-dev.blogspot.com

Bio and Resume
http://www.digital-ritual.net/resume.html