A quick trial of JTest

Installing JTest
Copy the cracked file lic_client.jar to
\Parasoft\Test\9.4\plugins\com.parasoft.xtest.libs_9.4.0.20120412\Parasoft\


Set up sample projects to scan against, for example JPetStore, WebGoat, etc.


JTest static analysis includes secure-coding rule scanning
Reference: jtest9_users_guide.pdf
Lesson 21: Using Jtest to Find Security Vulnerabilities
The supported rule sets include:
Jtest can also be used "out of the box" to identify common security vulnerabilities through both static
code analysis (based on pattern-matching coding standard rules) and flow-based static analysis (BugDetective). Jtest provides several customizable Test Configurations for this purpose, including:
• Cigital Java Security Rulepack: Checks for security issues identified by Cigital (an independent
consulting company) in specific technology such as J2EE, Struts, Java Cryptography, etc.
(http://www.cigital.com/securitypack/view/index.html)
    Cigital and Fortify Software Release Cigital Java Security Rulepack 1.0
    http://www.linux-mag.com/id/6938/


• CWE-SANS Top 25 2011 Most Dangerous Programming Errors: Checks for dangerous
coding errors in 25 categories identified by the SANS Institute of Maryland with help from more
than 30 organizations, including the US National Security Agency, the Department of Homeland
Security, Microsoft, and Symantec. (http://cwe.mitre.org/top25/index.html)


• HIPAA Security Assessment: Checks rules that help you comply with HIPAA requirements
for the proper encoding, privacy, security, integrity, and availability of patient health data.
(http://www.hhs.gov/ocr/privacy/)


• NIST SAMATE 2010: Checks for the security issues referenced in the "Report on the Third
Static Analysis Tool Exposition (SATE 2010)", Vadim Okun, Aurelien Delaitre, Paul E. Black,
editors, U.S. National Institute of Standards and Technology (NIST) Special Publication (SP)
500-283, October, 2011. (http://samate.nist.gov/SATE2010.html)


• OWASP Top 10 2010 Security Vulnerabilities: Checks for the security issues referenced in
the OWASP Top 10 Security Vulnerabilities (https://www.owasp.org/index.php/Top_10_2010).
This enables you to identify code which could result in the most critical web application security
vulnerabilities, including:
• Injection
• Cross Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards


• PCI Data Security Standard: Checks for security issues referenced in section 6 of the Payment
Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements
for enhancing payment account data security (https://www.pcisecuritystandards.org/
security_standards/pci_dss.shtml). This enables you to rapidly assess the level of compliance—
without spending time reading the PCI DSS specification and determining how the
requirements translate to code.


• Security Assessment: Provides an “out of the box” assessment of code’s vulnerability to a
wide range of security attacks.
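The user guide draws a distinction between pattern-matching coding-standard rules and flow-based BugDetective analysis. The following is an added sketch of my own (not JTest's or Parasoft's code) that shows why that difference matters: a pattern rule reports every Runtime.exec() call, while a minimal taint-tracking rule reports only calls whose argument flows from request input without passing through a sanitizer. The Java snippet, the source and sanitizer names, and the one-statement-per-line parsing are constructed assumptions.

```python
import re

# Constructed Java fragment (not from the page): one exec() with a constant,
# one fed by request input, one fed by request input after a sanitizer.
SAMPLE_JAVA = """
String cmd = "ls -l";
Runtime.getRuntime().exec(cmd);
String user = request.getParameter("user");
String greeting = "echo " + user;
Runtime.getRuntime().exec(greeting);
String id = request.getParameter("id");
String safeId = sanitize(id);
Runtime.getRuntime().exec(safeId);
"""

SOURCES = ("request.getParameter(", "request.getHeader(")   # assumed taint sources
SANITIZERS = ("sanitize(",)                                  # assumed cleansing call
SINK = re.compile(r"\.exec\(\s*(\w+)\s*\)")                 # exec(<variable>)
ASSIGN = re.compile(r"^\s*(?:String\s+)?(\w+)\s*=\s*(.+);\s*$")

def pattern_rule(src):
    """Coding-standard style rule: report every line containing an exec() sink."""
    return [n for n, line in enumerate(src.splitlines(), 1) if SINK.search(line)]

def flow_rule(src):
    """Flow-based rule: report exec() only when its argument variable is tainted.
    Taint enters from SOURCES, propagates through assignments that reference a
    tainted variable, and is cleared by an assignment from a SANITIZER."""
    tainted, findings = set(), []
    for n, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            uses_tainted = any(re.search(rf"\b{t}\b", rhs) for t in tainted)
            if any(s in rhs for s in SANITIZERS):
                tainted.discard(var)
            elif any(s in rhs for s in SOURCES) or uses_tainted:
                tainted.add(var)
            else:
                tainted.discard(var)
        sink = SINK.search(line)
        if sink and sink.group(1) in tainted:
            findings.append(n)
    return findings

if __name__ == "__main__":
    print("pattern rule flags lines:", pattern_rule(SAMPLE_JAVA))  # [3, 6, 9]
    print("flow rule flags lines:   ", flow_rule(SAMPLE_JAVA))     # [6]
```

The pattern rule produces two findings the flow rule suppresses (the constant command and the sanitized one), which is the noise a flow-based configuration is meant to remove.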