Talk:Java leading security practice
Revision as of 12:22, 8 September 2010 by Thomas Herlea (talk | contribs) (Added description of the implied threat model)
Threat model?
What is the threat model behind these recommendations? Most of them don't seem to make sense to me because they can be bypassed in 5 minutes with a custom classloader, so I'm wondering what I'm missing. HenryAyoola 05:13, 10 February 2009 (EST)
- The threat model allows the attacker to interact with the application only through its inputs and outputs (think "web application"). Manipulation of the virtual machine, replacement of the libraries, manipulation of the operating system are not among the mechanisms available to the attacker in this threat model. --Thomas Herlea 12:22, 8 September 2010 (UTC)
Article move proposal
I propose to rename this article from Java_leading_security_practice to Leading_Java_Security_Practice, which uses the same title case as most other section titles in the Code Review Guide and uses a more natural adjective order (http://en.wikipedia.org/wiki/Adjective#Adjective_order). --Thomas Herlea 12:17, 8 September 2010 (UTC)