Hello Matt, Java EE still has NO support for escaping and lots of other important security areas. You need something like OWASP ESAPI to make a secure app even remotely possible. I was once a Sun guy, and I'm very fond of Java and Sun. But Java EE 6 does very little to raise the bar when it comes to Application Security.
- Jim

On Tue, Jan 5, 2010 at 3:30 PM, Matt Parsons <mparsons1...@gmail.com> wrote:
> From what I read it appears that this Java EE 6 could be a few rule
> changers. It looks to me like Java is checking for authorization and
> authentication with this new framework. If that is the case, I think that
> static code analyzers could change their rule sets to check what normally
> is a manual process in the code review of authentication and authorization.
> Am I correct in my assumption?
>
> Thanks,
> Matt
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> mailto:mparsons1...@gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
>
> -----Original Message-----
> From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
> On Behalf Of Kenneth Van Wyk
> Sent: Tuesday, January 05, 2010 8:59 AM
> To: Secure Coding
> Subject: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security
> made simple ! | Core Security Patterns Weblog
>
> Happy new year SC-Lers.
>
> FYI, interesting blog post on some of the new security features in Java EE
> 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO.
>
> http://www.coresecuritypatterns.com/blogs/?p=1622
>
> Cheers,
>
> Ken
>
> -----
> Kenneth R. van Wyk
> SC-L Moderator
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________

-- 
Jim Manico, Application Security Architect
jim.man...@aspectsecurity.com | j...@manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
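An added illustration of the two points raised in this thread (example code written for this page, not code from the thread, from Java EE or from ESAPI): a Servlet 3.0 servlet that declares role-based authorization with the Java EE 6 `@ServletSecurity` annotation, which is the kind of declarative check a static analyzer can verify, next to a hand-written HTML-body encoder standing in for the output escaping the platform itself does not supply. The class name, URL pattern, role name and `encodeForHtml` helper are assumptions; in production ESAPI's `Encoder.encodeForHTML` does the encoding job.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Java EE 6 (Servlet 3.0): authorization declared on the servlet itself.
// The container rejects callers without the "admin" role before doGet()
// runs, so the rule is visible to a static analyzer as a single annotation.
@WebServlet("/admin/greet")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"admin"}))
public class GreetServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");   // untrusted input
        if (name == null) {
            name = "anonymous";
        }
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Nothing in Java EE performs this step: the value must be encoded
        // for the HTML body context before it is written to the response.
        out.println("<p>Hello, " + encodeForHtml(name) + "</p>");
    }

    // Hypothetical minimal HTML-body encoder (ESAPI's Encoder.encodeForHTML
    // is the production equivalent). Encodes the five characters that can
    // change HTML structure; every other character passes through unchanged.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The annotation covers only the access decision; a request from an "admin" user carrying `name=<script>` still reaches `doGet`, which is why the encoding step remains the application's responsibility.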