SWORD4J: Security WORkbench Development environment 4 Java

Creating secure software systems remains a challenge for most developers, even for those who conscientiously follow security best practices. Software development has evolved to incorporate complex software frameworks, middleware and components developed by multiple parties. We have seen the rise of tools for testing the security of applications, including so-called "black box" and "white box" testing. These include static analysis technologies and run-time testing that verify specific security properties as well as conformance to best practices. The lack of integration among these security tools places a significant burden on most developers, many of whom lack formal training in secure software development and deployment practices and are often less motivated than security professionals to secure their software.

To address the challenges of creating secure Java applications, we created a tool called SWORD4J that integrates a suite of security analysis tools into the Java Development Tool of the Eclipse Integrated Development Environment. We believe that SWORD4J is more usable than standalone security tools because it greatly simplifies many time-consuming tasks required to develop secure software components, significantly reducing the time needed to perform security analysis tasks. In this paper we also argue that secure Open Services Gateway initiative (OSGi) component development has characteristics common to many software environments, including Web application development.

By: Ted Habeck; Larry Koved; Marco Pistoia

Published in: RC24554 in 2008

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
