[SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog
James Manico
jim at manico.net
Wed Jan 6 16:36:09 EST 2010
Hello Matt,
Java EE still has NO support for escaping and lots of other important
security areas. You need something like OWASP ESAPI to make a secure app
even remotely possible. I was once a Sun guy, and I'm very fond of Java and
Sun. But JavaEE 6 does very little to raise the bar when it comes to
Application Security.
- Jim
On Tue, Jan 5, 2010 at 3:30 PM, Matt Parsons <mparsons1980 at gmail.com> wrote:
> From what I read it appears that this Java EE 6 could be a few rule
> changers. It looks like to me, Java is checking for authorization and
> authentication with this new framework. If that is the case, I think that
> static code analyzers could change their rule sets to check what normally
> is a manual process in the code review of authentication and authorization.
> Am I correct on my assumption?
>
> Thanks,
> Matt
>
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> mailto:mparsons1980 at gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
>
> -----Original Message-----
> From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
> On Behalf Of Kenneth Van Wyk
> Sent: Tuesday, January 05, 2010 8:59 AM
> To: Secure Coding
> Subject: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security
> made simple ! | Core Security Patterns Weblog
>
> Happy new year SC-Lers.
>
> FYI, interesting blog post on some of the new security features in Java EE
> 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO.
>
> http://www.coresecuritypatterns.com/blogs/?p=1622
>
>
> Cheers,
>
> Ken
>
> -----
> Kenneth R. van Wyk
> SC-L Moderator
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
--
Jim Manico, Application Security Architect
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
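The gap Jim describes, as an added example that is not part of the thread and not code from ESAPI or from the blog post under discussion: the Servlet API writes whatever the application hands it straight into the response, so attacker-controlled request data lands in the HTML unencoded unless the application encodes it for the output context itself. The `HtmlEncoder` class below is a minimal stand-in written for this example so it compiles without the ESAPI jar; in a real application the equivalent call is ESAPI's `ESAPI.encoder().encodeForHTML(...)` (with `encodeForHTMLAttribute`, `encodeForJavaScript` and friends for the other contexts). The request payloads are constructed, not taken from a real request.

```java
import java.util.Map;
import java.util.HashMap;

public class EscapingExample {

    /** Vulnerable: raw concatenation of request input into the HTML body. */
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    /** Hardened: input encoded for the HTML text context before insertion. */
    static String renderSafe(String name) {
        return "<p>Hello, " + HtmlEncoder.forHtml(name) + "</p>";
    }

    /**
     * Hardened attribute context: the value is both quoted and encoded, so a
     * payload that tries to close the quote and add an event handler stays inert.
     */
    static String renderAttributeSafe(String name) {
        return "<input name=\"user\" value=\"" + HtmlEncoder.forHtml(name) + "\">";
    }

    /**
     * Stand-in encoder for this example (assumption: not ESAPI's code). It is
     * allow-list based: letters, digits and a few punctuation characters pass
     * through, everything else becomes an entity. Encoding everything that is
     * not explicitly safe, rather than escaping a short deny-list of known-bad
     * characters, is the approach ESAPI's Encoder takes.
     */
    static final class HtmlEncoder {
        private static final Map<Integer, String> NAMED = new HashMap<>();
        static {
            NAMED.put((int) '<', "&lt;");
            NAMED.put((int) '>', "&gt;");
            NAMED.put((int) '&', "&amp;");
            NAMED.put((int) '"', "&quot;");
            NAMED.put((int) '\'', "&#x27;");
            NAMED.put((int) '/', "&#x2F;");
        }

        static String forHtml(String s) {
            if (s == null) {
                return "";
            }
            StringBuilder out = new StringBuilder(s.length() * 2);
            for (int i = 0; i < s.length(); ) {
                int cp = s.codePointAt(i);
                i += Character.charCount(cp);
                String named = NAMED.get(cp);
                if (named != null) {
                    out.append(named);
                } else if (Character.isLetterOrDigit(cp) || cp == ' ' || cp == '.'
                        || cp == ',' || cp == '-' || cp == '_') {
                    out.appendCodePoint(cp);
                } else {
                    // Numeric entity for anything outside the allow-list.
                    out.append("&#x").append(Integer.toHexString(cp)).append(';');
                }
            }
            return out.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input for the HTML body context.
        String payload = "<script>alert(document.cookie)</script>";
        System.out.println(renderUnsafe(payload));   // script executes in the victim's browser
        System.out.println(renderSafe(payload));     // rendered as visible, inert text

        // Constructed attacker input for the attribute context: closes the quote
        // and injects an event handler if the value is not encoded.
        String attrPayload = "\" onfocus=\"alert(1)\" autofocus=\"";
        System.out.println(renderAttributeSafe(attrPayload));
    }
}
```

Compile and run with `javac EscapingExample.java && java EscapingExample`; the unsafe line prints the raw `<script>` tag, the safe lines print entity-encoded text only. The point of the exercise is that nothing in the container did this for you: the encoding call is application code, which is exactly the gap an external library such as ESAPI fills.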