My name is Arshan and I'd like Eclipse to enable developers to write more secure code. I'm working with the OWASP foundation and have elicited funds to accomplish the introduction of security into key points in the technology stack with security analysis of application server frameworks, vendor outreach programs, and more. I'm writing to ask you, however, about introducing security into your IDE (which happens to be my favorite IDE).
The IDE is a very effective place for security to go since it will necessarily catch problems earlier in the lifecycle than would
security checks in other places. There a host of issues the JDT can easily detect while developers are writing code, including:
* Injection attacks (cross-site scripting, command injection, SQL injection, XPath/XML injection, etc.)
* Information leakage
* Cryptographic weakness
* ...and many more!
While a 3rd party plugin could technically perform these checks, having them in the IDE would greatly legitimize security in developers' eyes, since most view security problems as theoretical or bothersome. And the momentum is growing; it's not just the banks that are taking application security seriously anymore - the world is starting recognize that applications are part of your security perimeter. In fact, we recently spoke at JavaOne about some specific security flaws the J2EE world is continually producing.
Other IDEs are getting into the game as well. Visual Studio invested in CAT.NET, a tool used to help MS developers find security problems and IBM recently bought Ounce, a static analysis tool for finding security flaws. I do penetration testing, code review and security research for a living. The problems are out there in staggering numbers, and its only getting worse. Frankly, developers will keep re-introducing problems as long as the IDE lets them.
I'm proposing we create an Eclipse sub-project or extend a piece of the existing Eclipse base to allow users to enable security guidance with customizable levels of interaction. As budget allows we are prepared to take on the necessary expenses for implementing these features, but the commitment to developing more secure code can only come from your organization.
We are very flexible on the logistical details and are mostly eager to start a conversation around application security and Eclipse.
Thanks for your time,
Director of R&D
O: (301) 604-4882
C: (443) 791-5355
Intrinsic Security Working Group
Open Web Application Security Project (OWASP)