Re: [SC-L] Insecure Java Code Snippets
Brad,

You can also look at The CERT Sun Microsystems Secure Coding Standard for Java at:
https://www.securecoding.cert.org/confluence/display/java/The+CERT+Sun+Microsystems+Secure+Coding+Standard+for+Java
which has many examples of secure/insecure Java source code.

rCs

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Brad Andrews
Sent: Wednesday, May 06, 2009 1:41 PM
To: sc-l@securecoding.org
Subject: [SC-L] Insecure Java Code Snippets

> Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a "find the bug" like the old C-Lint ads.
>
> Does anyone know of a source of something like this?
>
> Brad

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
Re: [SC-L] Insecure Java Code Snippets
ljknews ljkn...@mac.com wrote:

> At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
>> Quoting ljknews ljkn...@mac.com:
>>> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>>>> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can be really hard to figure out,
>>> And yet people keep choosing those programming languages.
>> They offer quite a bit of power in exchange for the danger.
> I would be interested in hearing what they can do that cannot be done in Ada.

It's rarely (I won't say never!) a question of what *can't* be done in language X or Y. Usually, it's about what's *easier* to do in X or Y. Sometimes the security tradeoff is worth taking the hard way, but sometimes the choice is to the point of being at all practical or not.

-Dave, making good progress on the job hunt, thanks in part to people here

--
Dave Aronson, software engineer soon to be for hire.
Looking for job (or contract) in Washington DC area.
See http://www.davearonson.com/ for resume - if that is down see http://mysite.verizon.net/~nosnoraevad/.
Re: [SC-L] Insecure Java Code Snippets
At 9:15 AM -0400 5/8/09, SC-L Reader Dave Aronson wrote:

> ljknews ljkn...@mac.com wrote:
>> At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
>>> Quoting ljknews ljkn...@mac.com:
>>>> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>>>>> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can be really hard to figure out,
>>>> And yet people keep choosing those programming languages.
>>> They offer quite a bit of power in exchange for the danger.
>> I would be interested in hearing what they can do that cannot be done in Ada.
> It's rarely (I won't say never!) a question of what *can't* be done in language X or Y. Usually, it's about what's *easier* to do in X or Y. Sometimes the security tradeoff is worth taking the hard way, but sometimes the choice is to the point of being at all practical or not.

Well, the _easiest_ development comes from not worrying about security.

So tell me what you think is easier in C/C++.

--
Larry Kilgallen
Re: [SC-L] Insecure Java Code Snippets
Thanks Karen, that site may have enough of what I can use. Still a bit of work to do, but worth pursuing. The other sources were a bit too short on the snippets side, which is my fault for not making the question better.

I don't know how many of you used to read the C-Lint ads that said "find the bug in this C code". They were very difficult in all the cases I worked at. :) The whole point of their ad was that their product would find things you couldn't find easily in a manual review. I want something like that. Just playing "tell me the security flaw in these 3 lines of code" will not do quite the same thing.

I will find a copy of Core Java to look through again, but I don't recall seeing things in this format when I looked before.

The challenge with this is that I need something that fits well in a single PowerPoint slide (so it can be viewed while the participants eat). It also has to be fairly difficult. I am not sure that just not filtering user input is sufficiently strong. I want something that would take some thinking.

I expect that I will have to design and format these myself, but I would love to have something sooner by using something that already did this.

Thanks for the other replies. I am going to check out the NIST site some more. I will read over the other sites, but using them will take more effort than I was hoping for.

Brad

Quoting Goertzel, Karen [USA] goertzel_ka...@bah.com:

> The NIST SAMATE Reference Dataset has mainly C code in it, but there is also Java, C++, and PHP. There's a search function that allows you to search by programming language to find what you want.
>
> http://samate.nist.gov/SRD/
Re: [SC-L] Insecure Java Code Snippets
See here: http://suif.stanford.edu/~livshits/work/securibench-micro/

-Ben

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Goertzel, Karen [USA]
Sent: Wednesday, May 06, 2009 12:40 PM
To: Brad Andrews; sc-l@securecoding.org
Subject: Re: [SC-L] Insecure Java Code Snippets

> The NIST SAMATE Reference Dataset has mainly C code in it, but there is also Java, C++, and PHP. There's a search function that allows you to search by programming language to find what you want.
>
> http://samate.nist.gov/SRD/
>
> --
> Karen Mercedes Goertzel, CISSP
> Booz Allen Hamilton
> 703.698.7454
> goertzel_ka...@bah.com
>
> -----Original Message-----
> From: sc-l-boun...@securecoding.org on behalf of Brad Andrews
> Sent: Wed 06-May-09 13:41
> To: sc-l@securecoding.org
> Subject: [SC-L] Insecure Java Code Snippets
>
>> Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a "find the bug" like the old C-Lint ads.
>>
>> Does anyone know of a source of something like this?
>>
>> Brad
Re: [SC-L] Insecure Java Code Snippets
Brad,

I recommend you approach this problem in reverse. Think of the bug you want people to hunt for and then put together an appropriate regular expression in Google Code Search (http://www.google.com/codesearch).

For instance, lang:java request getParameter .*price might be a good starting point. After doing that search I found a few different possible vulns. Once you find a vulnerability you can extract as much or as little code out of it as you'd like.

I use this often in class design.

Cheers,
Rohit

On Wed, May 6, 2009 at 6:49 PM, Brad Andrews andr...@rbacomm.com wrote:

> I had the name wrong, it was PC-Lint. See http://www.gimpel.com/html/bugs.htm
>
> That is what I am looking for, not just a general listing of bugs or insecure code. I want bugs that are hard to find and formatted like this.
>
> If I do create some and do it on my own (outside work), I will try to submit them to OWASP, possibly starting a project on that.
>
> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can be really hard to figure out, though maybe not by all the smart people here! :)
>
> Brad

--
Rohit Sethi
Security Compass
http://www.securitycompass.com
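A slide-sized "find the bug" snippet of the kind Brad is asking for, built around the request.getParameter / price pattern Rohit's search targets, followed by the hardened form. This is an added example, not code from the thread or from any of the projects mentioned; the class names and the catalog map are constructed for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import java.math.BigDecimal;
import java.util.Map;

// "Find the bug" puzzle (constructed example): the order total is computed
// from values supplied in the HTTP request. Spot the flaw before reading on.
public class CheckoutServletPuzzle {
    public BigDecimal orderTotal(HttpServletRequest request) {
        int qty = Integer.parseInt(request.getParameter("qty"));
        // BUG: the unit price is taken from the client. A request carrying
        // price=0.01 (or a negative value) is accepted as-is by the server.
        BigDecimal price = new BigDecimal(request.getParameter("price"));
        return price.multiply(BigDecimal.valueOf(qty));
    }
}

// Hardened version: price is a server-side fact looked up by SKU. Only the
// SKU and quantity come from the client, and quantity is parsed defensively
// and range-checked. The catalog map stands in for a real price source.
class CheckoutServletFixed {
    private final Map<String, BigDecimal> catalog; // hypothetical price source

    CheckoutServletFixed(Map<String, BigDecimal> catalog) {
        this.catalog = catalog;
    }

    public BigDecimal orderTotal(HttpServletRequest request) {
        String sku = request.getParameter("sku");
        BigDecimal price = (sku == null) ? null : catalog.get(sku);
        if (price == null) {
            throw new IllegalArgumentException("unknown sku");
        }
        int qty;
        try {
            // parseInt(null) also throws NumberFormatException, so a missing
            // parameter is rejected on the same path as a malformed one.
            qty = Integer.parseInt(request.getParameter("qty"));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("bad quantity");
        }
        if (qty < 1 || qty > 100) {
            throw new IllegalArgumentException("quantity out of range");
        }
        return price.multiply(BigDecimal.valueOf(qty));
    }
}
```

The puzzle half fits on one slide on its own; the answer is that price, unlike quantity, is not something the client may assert, and the fix moves it behind a server-side lookup.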
Re: [SC-L] Insecure Java Code Snippets
At 12:47 PM -0500 5/7/09, Brad Andrews wrote:

> Quoting ljknews ljkn...@mac.com:
>> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>>> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can be really hard to figure out,
>> And yet people keep choosing those programming languages.
> They offer quite a bit of power in exchange for the danger.

I would be interested in hearing what they can do that cannot be done in Ada.

My bias is based on my experience. I am sure somebody who knows Eiffel would be interested in hearing what C/C++ can do that cannot be done in Eiffel.

--
Larry Kilgallen
[SC-L] Insecure Java Code Snippets
Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a "find the bug" like the old C-Lint ads.

Does anyone know of a source of something like this?

Brad
Re: [SC-L] Insecure Java Code Snippets
We keep a big catalog here: http://www.fortify.com/vulncat

On 5/6/09 10:41 AM, Brad Andrews andr...@rbacomm.com wrote:

> Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a "find the bug" like the old C-Lint ads.
>
> Does anyone know of a source of something like this?
>
> Brad