8/19/2023

Fortify Java Annotations

There are many vulnerabilities that result from processing dangerous ("tainted") data. Particularly common vulnerabilities within this class include Cross-Site Scripting (XSS), SQL Injection, and Information Leakage. To detect these vulnerabilities, Fortify SCA traces data as it flows through an application. Data enters from a source such as a database, web service, or user interface, and flows towards a sink where it is processed. Fortify SCA detects this class of vulnerability by recognizing sources and sinks and tracing the flow of data, including through pass-through functions, from the source to the sink. If tainted data leaves a source and reaches a sink without being cleansed (by a cleanse, or validation, function), a vulnerability is reported.

The goal of this example is to illustrate how the use of Fortify Annotations can increase the accuracy of the reported vulnerabilities. For detailed information about all of the Fortify Java Annotations, refer to the Fortify Static Code Analyzer User Guide.

The example application acts as a middleware component within a larger project. The component is executed after a user has already logged into the solution. Upon startup it gathers many different types of information about the given user and packages them together for subsequent processing in a front-end user interface. Credit-card data is presented to the user, along with other personal information, in a sidebar of the main front-end interface, so the application handles and processes a great deal of sensitive data.

The application relies upon third-party libraries to retrieve, transform, and post information relevant to the user. Logging and auditing requirements also dictate that the component uses a third-party library responsible for processing relevant security events. None of the third-party libraries in this example include source code. Fortify SCA recognizes some of these libraries and can report security vulnerabilities based on its prior knowledge of them; the less popular libraries, however, are unknown to it. As a result, there is a risk of false negatives or false positives due to a lack of understanding of those libraries.

Developers can include Fortify Java annotations to describe the underlying libraries and give Fortify SCA enough information to discover the security vulnerabilities that may result from their use. In the Java example provided, annotations have been added to the wrapper method that calls each corresponding third-party method. The following sections illustrate the potential problems and the solutions associated with the vulnerability results.
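As an added example (not code from the original page or from Fortify's own sample application), the wrapper pattern described above: each call into a closed-source third-party library goes through a small wrapper, and the annotation sits on the wrapper so Fortify SCA knows whether the unknown method is a source, a sink, a pass-through, or a cleanse function. The `thirdparty.*` classes are hypothetical stand-ins for libraries without source, and the annotation names in `com.fortify.annotations` are taken from my reading of the Fortify Static Code Analyzer User Guide rather than from this page; confirm them against the guide for the SCA version you run before relying on them.

```java
// Added example, not code from the original page or from Fortify's sample.
// Annotation names in com.fortify.annotations are assumed from the Fortify
// SCA User Guide; confirm them against the guide for your SCA version.
// The thirdparty.* classes are hypothetical stand-ins for closed-source libraries.
package example.middleware;

import com.fortify.annotations.FortifyDatabaseSource;
import com.fortify.annotations.FortifyPassthrough;
import com.fortify.annotations.FortifyPrivateSink;
import com.fortify.annotations.FortifyPrivateSource;
import com.fortify.annotations.FortifyXSSSink;
import com.fortify.annotations.FortifyXSSValidate;

import thirdparty.audit.SecurityEventLog; // hypothetical: security event logging, no source
import thirdparty.data.ProfileClient;     // hypothetical: retrieves user records, no source
import thirdparty.html.Encoder;           // hypothetical: HTML output encoding, no source
import thirdparty.ui.Sidebar;             // hypothetical: posts HTML to the front end, no source

/** Wrappers around the third-party calls; each wrapper carries the annotation
 *  that tells Fortify SCA what the unknown library method actually does. */
public class ProfileWrappers {

    private final ProfileClient client = new ProfileClient();
    private final SecurityEventLog audit = new SecurityEventLog();
    private final Sidebar sidebar = new Sidebar();

    /** Records read from the backing store are tainted: mark the wrapper as a database source. */
    @FortifyDatabaseSource
    public String loadDisplayName(String userId) {
        return client.fetchField(userId, "display_name");
    }

    /** Card numbers are private data: mark the wrapper as a private source so SCA
     *  reports a Privacy Violation when the value reaches a sink unprotected. */
    @FortifyPrivateSource
    public String loadCardNumber(String userId) {
        return client.fetchField(userId, "card_number");
    }

    /** A transformation that keeps the taint: the result is as tainted as its input. */
    @FortifyPassthrough
    public String maskCard(String cardNumber) {
        int n = cardNumber.length();
        return "**** **** **** " + cardNumber.substring(Math.max(0, n - 4));
    }

    /** The audit library persists whatever it is given: mark it as a private-data sink. */
    @FortifyPrivateSink
    public void auditEvent(String event, String detail) {
        audit.record(event, detail);
    }

    /** The front-end library renders the string as HTML: mark it as an XSS sink. */
    @FortifyXSSSink
    public void postToSidebar(String html) {
        sidebar.post(html);
    }

    /** The encoder neutralises HTML metacharacters: mark it as an XSS cleanse function. */
    @FortifyXSSValidate
    public String htmlEncode(String raw) {
        return Encoder.forHtml(raw);
    }
}

/** The middleware component itself: two flows SCA should now report and one it should not. */
class SidebarComponent {

    private final ProfileWrappers w = new ProfileWrappers();

    public void buildSidebar(String userId) {
        String name = w.loadDisplayName(userId);
        String card = w.loadCardNumber(userId);

        // Expected finding (Privacy Violation): private source -> private sink, card logged in the clear.
        w.auditEvent("sidebar.view", "user=" + userId + " card=" + card);

        // Expected finding (Cross-Site Scripting): database source -> XSS sink with no cleanse.
        w.postToSidebar("<div class=\"name\">" + name + "</div>");

        // No XSS finding: the validate-annotated wrapper cleanses the taint before the sink.
        // maskCard is a pass-through, so taint survives it and is removed only by htmlEncode.
        w.postToSidebar("<div class=\"card\">" + w.htmlEncode(w.maskCard(card)) + "</div>");
    }
}
```

Two points to check before adopting this pattern. First, the annotation goes on the wrapper you own, never on a reimplementation of the library: SCA still has no source for `ProfileClient` or `Sidebar`, it only learns how to treat calls that pass through the annotated method. Second, a validate annotation is a promise that silences every finding downstream of it; annotating a wrapper as a cleanse when the library does not actually neutralise the dangerous characters trades a false positive for a false negative, which is the worse outcome. Keep pass-through for transformations that do not remove taint, and reserve the validate annotations for encoders you have verified.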