Software Security Review

It is critically important for software applications to be reviewed for security vulnerabilities both prior to and during implementation. Austin Computer Security begins with OWASP and other secure coding guidelines and adapts them to your own development tools, software architecture and proposed system function. This ensures that you end up with rules that are usable both for an initial review and for the maintenance of future development activities.

Java/J2EE-specific issues may include:

  • Security of Java polymorphism
  • Secure use of declarative access control
  • Secure use of Java Authentication and Authorization Service (JAAS)
  • Java session fixation
  • Protecting binaries (bytecode obfuscation, signatures, jarsigner)
  • Java Cryptographic Extensions (JCE)
  • Logging
  • Exception handling
  • Operational environment constraints
  • Web based application components
  • Securing popular J2EE servers (Tomcat, JBoss, WebLogic, WebSphere)
  • Verification using Eclipse
  • Struts validation
  • Java Server Faces (JSF) validation
  • Classes of web attacks including SQL/LDAP/XPATH/shell/script code injection, Cross-site scripting (XSS), Cross-site request forgery (XSRF), Cross-site trace (XST)
  • Web Services security (SAML, WS-Security, XML Signature/Encryption)
  • Automated code review tools for Java developers and future audits, and how and when to apply them in the context of the organization's SDLC. Tools may include, but are not limited to, Checkstyle, Enerjy, ESC Java, FindBugs, Fortify, Gauntlet, Java Pathfinder, JChains, JiveLint, JLint, Jmetrics, JPaX, Lapse, Lint4j, and PMD.
  • Support for manual security code review, ranging from processes and procedures to conducting the review

.NET-specific issues may include:

  • Security of .NET polymorphism
  • Secure use of declarative access control
  • Secure use of .NET Authentication and Authorization
  • ASP.NET (SAML, WS-Security, XML Signature/Encryption)
  • XML Web Services
  • Windows Communication Foundation
  • Internet Information Server
  • .NET session handling
  • Protecting binaries (bytecode obfuscation, signatures)
  • .NET cryptography
  • Logging
  • Exception handling
  • Operational environment constraints
  • Web based application components
  • Securing Windows
  • Verification using Visual Studio
  • Classes of web attacks including SQL/LDAP/XPATH/shell/script code injection, Cross-site scripting (XSS), Cross-site request forgery (XSRF), Cross-site trace (XST)
  • Automated code review tools for .NET developers and future audits, and how and when to apply them in the context of the organization's SDLC. Tools may include, but are not limited to, Fortify and FxCop.
  • Support for manual security code review, ranging from processes and procedures to conducting the review

Other Language/Environment Software

Austin Computer Security is actively investigating and continues to gain experience with additional software environments and languages (Groovy, Grails, Drupal, Struts, etc.).