Secure Coding Experience For Java SE

I have just been assigned to secure coding for a Java project. The first thing I do, as usual, is look for suitable documents to set up my own checklist. In doing so, we make sure we don't miss any kind of bug or unsafe code.

When putting together security checklists, people still mention OWASP first, and so do I. Fortunately, I also found https://www.oracle.com/java/technologies/javase/seccodeguide.html, which was written by Oracle and should be a reliable and valuable reference. I should have glanced over the OWASP secure coding guidelines, but I think Oracle provides sufficient knowledge about its own child, Java. Hence, I decided to stick with their guideline.

You should also consider several other viewpoints when performing code analysis, whether manually or automatically:

  • Control Flow Analysis (build a graph of the program's control flow and look for anomalies)

  • Symbolic Execution (determine the inputs that cause certain parts of the code to execute)

  • Taint Analysis (check which variables are controlled by other objects, i.e. by untrusted input)

  • Test Coverage (ensure that unit tests cover all of the code)

  • Linting (ensure that the contract meets style requirements and has no grammatical errors)

The above-mentioned perspectives cover most of the important things a code review should address. However, in this article I want to focus on secure code review rather than on checking for grammatical errors :D
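To make the taint analysis item above concrete, here is a small added example (my own illustration, not code from the original post or from any of the tools listed below). It walks a constructed Java snippet line by line, marks variables assigned from an untrusted source as tainted, propagates taint through assignments, clears it on a sanitizer call, and reports any sink reached by a tainted variable. The source, sink and sanitizer names are assumptions chosen for the illustration; real tools such as Semgrep do this on a proper AST rather than with regexes.

```python
import re

# Constructed Java snippet (assumption): one tainted path to a sink, two clean ones.
JAVA_SRC = """
String name = request.getParameter("name");
String greeting = "Hello " + name;
String fixed = "ls -l";
Runtime.getRuntime().exec(greeting);
Runtime.getRuntime().exec(fixed);
String safe = sanitize(name);
Runtime.getRuntime().exec(safe);
"""

# Assumed taint model: where untrusted data enters, where it must not reach,
# and which calls are trusted to clean it (toy rule: any sanitizer on the RHS clears taint).
SOURCES = ("request.getParameter(", "System.getenv(")
SINKS = ("Runtime.getRuntime().exec(", "stmt.executeQuery(")
SANITIZERS = ("sanitize(",)

ASSIGN = re.compile(r"^\s*(?:\w+\s+)?(\w+)\s*=\s*(.+);\s*$")  # [Type] var = rhs;
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def find_tainted_sinks(src):
    """Return (line number, sink, tainted variables) for every sink fed by tainted data."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(src.strip().splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if any(s in rhs for s in SANITIZERS):
                tainted.discard(var)  # sanitized value: taint cleared
            elif any(s in rhs for s in SOURCES) or (set(IDENT.findall(rhs)) & tainted):
                tainted.add(var)  # assigned from a source or from a tainted variable
            else:
                tainted.discard(var)  # reassigned with a clean value
            continue
        for sink in SINKS:
            if sink in line:
                args = line.split(sink, 1)[1]
                hits = set(IDENT.findall(args)) & tainted
                if hits:
                    findings.append((lineno, sink.rstrip("("), sorted(hits)))
    return findings


if __name__ == "__main__":
    for lineno, sink, variables in find_tainted_sinks(JAVA_SRC):
        print(f"line {lineno}: tainted {variables} reaches {sink}")
```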

Checklist

You can find it here

Automation Tests

For Java:

SpotBugs

PMD (.java)

  • Download the latest version of PMD

  • Decompress the file and compile the source code as follows

  • The files should be placed in pmd-pmd_releases-6.25.0/pmd-dist/target/pmd-bin-6.25.0/bin

  • ./run.sh pmd -d /Users/macbookpro/Downloads/java/contract.java -R ../../../../pmd-java/src/main/resources/category/java/bestpractices.xml -f html >> report_sample.html

The rule files should be taken from pmd-java/src/main/resources/category/java/.

Read the documentation for more details

DeepDive (.apk, .jar)

  • Download the latest version of DeepDive

  • Decompress the zip file

  • The run.sh script is in the bin directory of the extracted archive

  • It might fail with the error "JAVA_HOME must point to a valid JRE" (you may want to set JAVA_HOME permanently in setenv.sh).

  • Run these two commands to get rid of the above issue and bring up the GUI

export CLASSPATH=../discotek.deepdive-1.5.5-beta.jar:../lib/discotek.deepdive-engine-1.5.5-beta.jar

java -Xmx4G -jar ../lib/discotek.deepdive-engine-1.5.5-beta.jar -decompile=true -project-directory=../sample-config -output-directory=/temp/report ../discotek.deepdive-1.5.5-beta.jar

Semgrep (java, python, golang, javascript)

  • Clone the repo and read the Readme

  • Run semgrep --config=https://semgrep.live/c/p/java <PathToFile>

VisualCodeGrepper (C++, C#, VB, PHP, Java, PL/SQL and COBOL)

  • Download the latest version

  • Install it on Windows

  • Select the language

  • Open the folder that contains the source code files.

graudit (many languages)

graudit [opts] /path/to/scan

OPTIONS

-d database to use or /path/to/file.db (uses default if not specified)

-A scan ALL files

-x exclude these files (comma separated list: -x .js,.sql)

-i case in-sensitive scan

-c number of lines of context to display, default is 2

-B suppress banner

-L vim friendly lines

-b colour blind friendly template

-z suppress colors

-Z high contrast colors

-l lists databases available

-v prints version number

-h prints this help screen

Manual Review

Use your eyes. But this tool can help you identify the LOC and the language.