Java Application Security Through Static Analysis

By Angsuman Chakraborty, Gaea News Network
Saturday, June 28, 2008

Extensible (through plugins) static analysis tools like FindBugs can enhance the security of your Java applications (web as well as standalone or client-server applications) in several significant ways.

Enforcing security policy compliance

Security policies are espoused by security experts such as OWASP and mandated for compliance by many regulations such as Sarbanes-Oxley that require organizations to demonstrate they have done “due diligence” in safeguarding application security and information privacy. A security policy is a specification document that defines how code needs to be written to protect it from attacks. Security policies typically include custom security requirements, privacy requirements, security coding best practices, security application design rules, and security testing benchmarks.
Static analysis can be used to automatically verify whether most security policy requirements are actually implemented in the code and identify currently non-compliant code.

Static analysis can be used to automatically verify the code’s compliance with application-specific security policy requirements, for example those covering authentication, authorization, logging, and input validation. A couple of examples of security policies that can be easily implemented are:
1. Don’t import WSDLs outside a certain domain
2. Don’t import schemas outside a certain domain

Language specific security policy rules can also be implemented such as:
1. Ensure all sensitive method invocations are logged
2. Allow only certain providers to be specified for the “Security.addProvider()” method
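
The provider rule above, as an added example that is not from the original article or from FindBugs: a stand-alone source-level check built on the JDK's own compiler tree API instead of a FindBugs detector. The class name `ApprovedProvider`, the allowlist and the sample source are assumptions made for illustration; it needs JDK 17 or later.

```java
import com.sun.source.tree.*;
import com.sun.source.util.*;
import javax.tools.*;
import java.net.URI;
import java.util.*;

public class ProviderPolicyCheck {
    // Assumed policy: only these (hypothetical) provider classes may be registered.
    static final Set<String> ALLOWED = Set.of("ApprovedProvider");
    // Constructed sample source, kept in memory so the check runs offline.
    static final String SAMPLE = """
        import java.security.Security;
        class Boot {
            void init() {
                Security.addProvider(new ApprovedProvider());
                Security.addProvider(new HomeGrownProvider());
                Security.addProvider(lookup());
            }
        }
        """;
    // Parse-only, so the match is syntactic: static imports and same-named classes are not resolved.
    static List<String> check(String name, String source) throws Exception {
        JavaFileObject file = new SimpleJavaFileObject(
                URI.create("string:///" + name), JavaFileObject.Kind.SOURCE) {
            @Override public CharSequence getCharContent(boolean ignoreErrors) { return source; }
        };
        JavacTask task = (JavacTask) ToolProvider.getSystemJavaCompiler()
                .getTask(null, null, d -> { }, null, null, List.of(file));
        List<String> findings = new ArrayList<>();
        for (CompilationUnitTree unit : task.parse()) {
            new TreeScanner<Void, Void>() {
                @Override public Void visitMethodInvocation(MethodInvocationTree call, Void p) {
                    boolean target = call.getMethodSelect().toString().endsWith("Security.addProvider");
                    if (target && call.getArguments().size() == 1) {
                        ExpressionTree arg = call.getArguments().get(0);
                        // Compliant only when the argument is `new <allowlisted class>()`.
                        boolean ok = arg instanceof NewClassTree n && ALLOWED.contains(n.getIdentifier().toString());
                        long line = unit.getLineMap().getLineNumber(
                                Trees.instance(task).getSourcePositions().getStartPosition(unit, call));
                        if (!ok) findings.add(name + ":" + line + ": disallowed provider: " + arg);
                    }
                    return super.visitMethodInvocation(call, p);
                }
            }.scan(unit, null);
        }
        return findings;
    }
    public static void main(String[] args) throws Exception { check("Boot.java", SAMPLE).forEach(System.out::println); }
}
```

Run with `java ProviderPolicyCheck.java` on a JDK. The check treats any argument it cannot prove to be an allowlisted constructor call, such as the `lookup()` result, as a violation, which is the conservative choice for a policy gate.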

Static analysis can also be used to check whether code complies with industry-standard security best practices developed for the applicable language and technologies.

If you’re developing in Java, you’d want to do static analysis to check industry-standard Java security rules such as:
1. Validate an HttpServletRequest object when extracting data from it
2. Use JAAS in a single centralized authentication mechanism
3. Don’t cause deadlocks by calling a synchronized method from a synchronized method
4. Use only strong cryptographic algorithms

For SOA, you may want to check industry-standard rules such as:
1. Avoid unbounded schema sequence types
2. Avoid xsd:any, xsd:anyType and xsd:anySimpleType
3. Avoid xsd:list types

This article borrows ideas from a sys-con article, which unfortunately focuses only on Parasoft’s product. While you can do most of the above with Parasoft’s tool, you can also do it easily with a free open-source tool: FindBugs. The bottom line is that static analysis can significantly improve application security and ensure compliance with security standards and guidelines like Sarbanes-Oxley.
