
Detroit JUG Presentations Coverage

Java Security: How can I start now

Presentation Coverage:

On Wednesday, October 1st, Jason Grembi from Sterling Connect, LLC gave a presentation on software security. He is currently working with Covisint (a subsidiary of Compuware) to help them address some potential security issues. Jason's presentation focused on the point that security is tightly tied to code quality, and that code quality is achieved through a well-defined, repeatable, maintainable software development process. He also emphasized that security is not an 'after-the-fact' concept: it must be taken into consideration at every phase of the software development lifecycle. The presentation covered using static analysis tools such as FindBugs to expose programming bugs that could become security issues. Jason also mentioned a few interesting security projects:

Jason's book is available through Amazon: http://www.amazon.com/Secure-Software-Construction-Security-Programmers/dp/1418065471/ref=sr_1_1?ie=UTF8&s=books&qid=1223334560&sr=8-1


Additional Links:


Jason mentioned Fuzz Testing in his presentation last week. I found a list of testing tools in Software Test & Performance magazine which includes Peach Fuzzer and Holodeck. Here is the complete list of these tools.
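As an added illustration of the fuzz testing Jason mentioned (this is example code written for this write-up, not from the talk, the book, or any of the tools listed below), here is a minimal mutation-based fuzzer in Java run against a constructed toy record parser. It shows the kind of crash a fuzzer surfaces in a parser that trusts its own length field, and that a hardened version of the same parser rejects the same mutated inputs with a documented exception instead. The class, method and interface names (MiniFuzz, parseRecord, parseRecordSafe, mutate, fuzz, Parser) are all assumed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Random;

/** Added example: a tiny mutation fuzzer, to show the idea that tools such as
 *  Peach automate at scale. The parser under test is a constructed toy. */
public class MiniFuzz {

    /** Toy "length-prefixed record" parser: first byte is the payload length,
     *  the rest is the payload. Deliberately naive: it trusts the length byte. */
    static String parseRecord(byte[] in) {
        int len = in[0] & 0xFF;                   // throws on empty input
        byte[] payload = new byte[len];
        System.arraycopy(in, 1, payload, 0, len); // throws if len exceeds remaining bytes
        return new String(payload, StandardCharsets.US_ASCII);
    }

    /** Hardened version: validates the length field against the real buffer size
     *  and rejects bad input with a documented exception type. */
    static String parseRecordSafe(byte[] in) {
        if (in.length < 1) throw new IllegalArgumentException("empty record");
        int len = in[0] & 0xFF;
        if (len > in.length - 1) throw new IllegalArgumentException("length field exceeds data");
        return new String(in, 1, len, StandardCharsets.US_ASCII);
    }

    /** Produce a mutated copy of the seed: flip one bit, truncate, or overwrite a byte. */
    static byte[] mutate(byte[] seed, Random rnd) {
        byte[] out = seed.clone();                // seed is never empty, so indexing is safe
        switch (rnd.nextInt(3)) {
            case 0:  out[rnd.nextInt(out.length)] ^= (byte) (1 << rnd.nextInt(8)); break;
            case 1:  out = Arrays.copyOf(out, rnd.nextInt(out.length + 1)); break;
            default: out[rnd.nextInt(out.length)] = (byte) rnd.nextInt(256); break;
        }
        return out;
    }

    interface Parser { String parse(byte[] in); }

    /** Feed N mutated inputs to a parser and count unexpected exceptions.
     *  IllegalArgumentException is the parser's documented rejection; any other
     *  RuntimeException means the parser lost control of its input, i.e. a bug. */
    static int fuzz(Parser p, byte[] seed, int iterations, long rngSeed) {
        Random rnd = new Random(rngSeed);         // fixed seed makes the run reproducible
        int crashes = 0;
        for (int i = 0; i < iterations; i++) {
            byte[] input = mutate(seed, rnd);
            try {
                p.parse(input);
            } catch (IllegalArgumentException expected) {
                // graceful rejection: not a finding
            } catch (RuntimeException crash) {
                crashes++;                        // a finding worth triaging
            }
        }
        return crashes;
    }

    public static void main(String[] args) {
        byte[] seed = {5, 'h', 'e', 'l', 'l', 'o'};   // constructed sample: one valid record
        System.out.println("naive parser crashes:    " + fuzz(MiniFuzz::parseRecord, seed, 10_000, 42L));
        System.out.println("hardened parser crashes: " + fuzz(MiniFuzz::parseRecordSafe, seed, 10_000, 42L));
    }
}
```

Compile and run with `javac MiniFuzz.java && java MiniFuzz`. The naive parser reports a non-zero crash count (the truncation and length-byte mutations drive it past the end of the buffer), while the hardened parser reports zero, because every malformed input is caught by its explicit length check. A real fuzzer adds smarter mutation strategies, coverage feedback, and a corpus of seeds, but the loop is the same: generate, run, classify the outcome.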

Free Tools:

  • Peach Fuzzing Platform 2.0 (http://www.peachfuzzer.com): Peach is a free and comprehensive fuzzing platform that allows on-the-wire fuzzing of network I/O and files of almost any type.
  • Wireshark 1.0.0 (http://www.wireshark.org/about.html): Wireshark, formerly known as Ethereal, is a free and powerful tool for real-time monitoring and analysis of network traffic.
  • Portmon for Windows v3.02 (http://technet.microsoft.com/en-us/sysinternals/bb896644.aspx): Portmon is a utility that monitors and displays all serial and parallel port activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use ports, or tracking down problems in system or application configurations.
  • Process Monitor v2.0 (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx): Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.


Commercial Tools:

  • Holodeck Enterprise Edition v2.8 by Security Innovation Inc. (http://www.securityinnovation.com/holodeck): Holodeck is a professional-grade discovery and fault injection tool that virtualizes an application's runtime environment and allows testers to completely control its resources.
  • WhatsUp Gold by Ipswitch (http://www.whatsupgold.com): WhatsUp Gold is an inexpensive professional-grade network discovery and management tool that provides real-time server and service monitoring.

Source: These tools are listed in the article "Attack The Stack" by Pete Jenney, published in Software Test & Performance Magazine (September 2008 edition).