FYI, there is a security related thread starting on eclipse-pmc
Begin forwarded message:
Eclipse PMC,
My name is Arshan and I'd like Eclipse to enable developers to write
more secure code. I'm working with the OWASP foundation and have
elicited funds to accomplish the introduction of security into key
points in the technology stack with security analysis of application
server frameworks, vendor outreach programs, and more. I'm writing
to ask you, however, about introducing security into your IDE (which
happens to be my favorite IDE).
The IDE is a very effective place for security to go since it will
necessarily catch problems earlier in the lifecycle than would
security checks in other places. There are a host of issues the JDT can
easily detect while developers are writing code, including:
* Injection attacks (cross-site scripting, command injection,
SQL injection, XPath/XML injection, etc.)
* Information leakage
* Cryptographic weakness
* ...and many more!
While a 3rd party plugin could technically perform these checks,
having them in the IDE would greatly legitimize security in
developers' eyes, since most view security problems as theoretical
or bothersome. And the momentum is growing; it's not just the banks
that are taking application security seriously anymore - the world
is starting to recognize that applications are part of your security
perimeter. In fact, we recently spoke at JavaOne about some specific
security flaws the J2EE world is continually producing.
Other IDEs are getting into the game as well. Visual Studio invested
in CAT.NET, a tool used to help MS developers find security problems
and IBM recently bought Ounce, a static analysis tool for finding
security flaws. I do penetration testing, code review and security
research for a living. The problems are out there in staggering
numbers, and it's only getting worse. Frankly, developers will keep
re-introducing problems as long as the IDE lets them.
I'm proposing we create an Eclipse sub-project or extend a piece of
the existing Eclipse base to allow users to enable security guidance
with customizable levels of interaction. As budget allows we are
prepared to take on the necessary expenses for implementing these
features, but the commitment to developing more secure code can only
come from your organization.
We are very flexible on the logistical details and are mostly eager
to start a conversation around application security and Eclipse.
Thanks for your time,
Arshan Dabirsiaghi
Director of R&D
Aspect Security
http://www.aspectsecurity.com
O: (301) 604-4882
C: (443) 791-5355
Project Lead
Intrinsic Security Working Group
Open Web Application Security Project (OWASP)
http://owasp.org
_______________________________________________
eclipse-pmc mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/eclipse-pmc
_______________________________________________
equinox-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/equinox-dev