Hello Matt,<br><br>Java EE still has NO support for escaping and lots of other important security areas. You need something like OWASP ESAPI to make a secure app even remotely possible. I was once a Sun guy, and I'm very fond of Java and Sun. But Java EE 6 does very little to raise the bar when it comes to Application Security.<br>
<br>- Jim<br><br><div class="gmail_quote">On Tue, Jan 5, 2010 at 3:30 PM, Matt Parsons <span dir="ltr"><<a href="mailto:mparsons1980@gmail.com">mparsons1980@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
From what I read it appears that this Java EE 6 could be a few rule<br>
changers. It looks to me like Java is checking for authorization and<br>
authentication with this new framework. If that is the case, I think that<br>
static code analyzers could change their rule sets to check what normally is<br>
a manual process in the code review of authentication and authorization.<br>
Am I correct in my assumption?<br>
<br>
Thanks,<br>
Matt<br>
<br>
<br>
Matt Parsons, MSM, CISSP<br>
315-559-3588 Blackberry<br>
817-294-3789 Home office<br>
mailto:<a href="mailto:mparsons1980@gmail.com">mparsons1980@gmail.com</a><br>
<a href="http://www.parsonsisconsulting.com" target="_blank">http://www.parsonsisconsulting.com</a><br>
<a href="http://www.o2-ounceopen.com/o2-power-users/" target="_blank">http://www.o2-ounceopen.com/o2-power-users/</a><br>
<a href="http://www.linkedin.com/in/parsonsconsulting" target="_blank">http://www.linkedin.com/in/parsonsconsulting</a><br>
<div><div></div><div class="h5"><br>
-----Original Message-----<br>
From: <a href="mailto:sc-l-bounces@securecoding.org">sc-l-bounces@securecoding.org</a> [mailto:<a href="mailto:sc-l-bounces@securecoding.org">sc-l-bounces@securecoding.org</a>]<br>
On Behalf Of Kenneth Van Wyk<br>
Sent: Tuesday, January 05, 2010 8:59 AM<br>
To: Secure Coding<br>
Subject: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security<br>
made simple ! | Core Security Patterns Weblog<br>
<br>
Happy new year SC-Lers.<br>
<br>
FYI, interesting blog post on some of the new security features in Java EE<br>
6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO.<br>
<br>
<a href="http://www.coresecuritypatterns.com/blogs/?p=1622" target="_blank">http://www.coresecuritypatterns.com/blogs/?p=1622</a><br>
<br>
<br>
Cheers,<br>
<br>
Ken<br>
<br>
-----<br>
Kenneth R. van Wyk<br>
SC-L Moderator<br>
<br>
<br>
</div></div>_______________________________________________<br>
Secure Coding mailing list (SC-L) <a href="mailto:SC-L@securecoding.org">SC-L@securecoding.org</a><br>
List information, subscriptions, etc - <a href="http://krvw.com/mailman/listinfo/sc-l" target="_blank">http://krvw.com/mailman/listinfo/sc-l</a><br>
List charter available at - <a href="http://www.securecoding.org/list/charter.php" target="_blank">http://www.securecoding.org/list/charter.php</a><br>
SC-L is hosted and moderated by KRvW Associates, LLC (<a href="http://www.KRvW.com" target="_blank">http://www.KRvW.com</a>)<br>
as a free, non-commercial service to the software security community.<br>
_______________________________________________<br>
</blockquote></div><br><br clear="all"><br>-- <br>Jim Manico, Application Security Architect<br><a href="mailto:jim.manico@aspectsecurity.com">jim.manico@aspectsecurity.com</a> | <a href="mailto:jim@manico.net">jim@manico.net</a><br>
(301) 604-4882 (work)<br>(808) 652-3805 (cell)<br><br>Aspect Security™<br>Securing your applications at the source<br><a href="http://www.aspectsecurity.com">http://www.aspectsecurity.com</a><br>
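<br>The point Jim makes above, that Java EE 6 ships no output-escaping facility and that something like OWASP ESAPI (whose <code>ESAPI.encoder().encodeForHTML(String)</code> fills that gap) has to be bolted on, is illustrated here with an added, self-contained example. This is not code from the SC-L thread, from ESAPI or from Java EE; the encoder below is a hand-written stand-in for the kind of routine ESAPI provides, the <code>vulnerableGreeting</code>/<code>safeGreeting</code> methods are hypothetical servlet-style output code, and the sample inputs are constructed.<br>

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not from the thread, not ESAPI): a minimal HTML output
 * encoder of the kind Java EE 6 does not provide and OWASP ESAPI does.
 * In a real application you would call ESAPI.encoder().encodeForHTML(s)
 * (or another maintained encoder) rather than maintaining your own table.
 */
public final class HtmlOutputEncoding {

    /**
     * Encode untrusted text for insertion into HTML element content or a
     * double-quoted attribute. The six characters below are the ones that can
     * change the meaning of surrounding markup; everything else passes through.
     */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern Jim warns about: request data concatenated straight into markup (hypothetical). */
    static String vulnerableGreeting(String untrustedName) {
        return "<p>Hello, " + untrustedName + "</p>";
    }

    /** Hardened form: every untrusted value goes through the encoder at the point of output (hypothetical). */
    static String safeGreeting(String untrustedName) {
        return "<p>Hello, " + encodeForHtml(untrustedName) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for request parameters.
        List<String> samples = Arrays.asList(
                "Matt",
                "<b>markup</b>",
                "Tom & \"Jerry\"");
        for (String s : samples) {
            System.out.println("unsafe: " + vulnerableGreeting(s));
            System.out.println("safe:   " + safeGreeting(s));
        }
    }
}
```

Compile and run with <code>javac HtmlOutputEncoding.java &amp;&amp; java HtmlOutputEncoding</code>. The second and third samples show why the encoder has to live at the output point: the unsafe version emits the caller's angle brackets and quotes as live markup, while the safe version renders them as literal text. Note that this table is correct only for HTML body and quoted-attribute contexts; JavaScript, URL and CSS contexts need their own encoders, which is exactly the per-context set ESAPI's <code>Encoder</code> interface provides.<br>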