Also be sure to check on http://www.owasp.org as there is a *ton* of great information on the site.
Here are some good starting points:
http://www.owasp.org/index.php/Category:OWASP_Java_Project
http://www.owasp.org/index.php/Category:Java

And also some good information on doing code review in general:
http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents

On Thu, Apr 1, 2010 at 2:29 PM, Romain Gaucher <rgauc...@cigital.com> wrote:
> CERT also has many rules for Java (good and bad examples) as part of
> their secure coding practices.
> You can find that here:
>
> https://www.securecoding.cert.org/confluence/display/java/The+CERT+Sun+Microsystems+Secure+Coding+Standard+for+Java
>
> Romain
> - Security consultant, Cigital
>
> ________________________________________
> From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On
> Behalf Of Martin, Robert A. [ramar...@mitre.org]
> Sent: Thursday, April 01, 2010 2:49 PM
> To: Matt Parsons
> Cc: SC-L@securecoding.org
> Subject: Re: [SC-L] working on java security help from experts
>
> The Common Weakness Enumeration (CWE) has a "view" of issues that can
> occur in Java applications.
>
> See: http://cwe.mitre.org/data/slices/660.html for a listing of all the
> details or: http://cwe.mitre.org/data/lists/660.html for a list of the
> items where the names are hyper-links to the content about them.
>
> The entries include description, code examples, real-world CVE examples
> of the issue in many cases, references and in most cases pointers to the
> attack patterns effective against the issue.
>
> Bob
>
> Matt Parsons wrote:
> > I am trying to become an expert in source code review in Java application
> > security. Are there any experts on this list that are willing to share some
> > of their knowledge? I am reading Java Security by Scott Oaks and I am
> > rereading all of the Sun Docs on Java security. Any help would be greatly
> > appreciated.
> >
> > Thanks,
> > Matt
> >
> > Matt Parsons, MSM, CISSP
> > 315-559-3588 Blackberry
> > 817-294-3789 Home office
> > "Do Good and Fear No Man"
> > Fort Worth, Texas
> > A.K.A The Keyboard Cowboy
> > mailto:mparsons1...@gmail.com
> > http://www.parsonsisconsulting.com
> > http://www.o2-ounceopen.com/o2-power-users/
> > http://www.linkedin.com/in/parsonsconsulting
> > http://parsonsisconsulting.blogspot.com/
> > http://www.vimeo.com/8939668
> >
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________

--
Chris Schmidt
OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/
OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/
Yet Another Developers Blog
http://yet-another-dev.blogspot.com
Bio and Resume
http://www.digital-ritual.net/resume.html