Statically Scanning Java Code: Finding Security Vulnerabilities
September/October 2000 (vol. 17 no. 5)
pp. 68-74
Developers and users require some degree of assurance about the security vulnerabilities in their applications. The authors have designed a prototype tool, Jslint, that helps programmers apply existing security knowledge automatically.


Citation:
John Viega, Gary McGraw, Tom Mutdosch, Edward W. Felten, "Statically Scanning Java Code: Finding Security Vulnerabilities," IEEE Software, vol. 17, no. 5, pp. 68-74, Sept.-Oct. 2000, doi:10.1109/52.877869