Code Review

CSci 6907.85 Beta Milestone “Hack” Session: Code Review Form
“Any code that looks overly complicated likely has bugs.”
Who are the members of your own project group (henceforth, “your group”)?
Who are the members of the group whose system you are reviewing (henceforth, “their group”)?
Instructions: Find vulnerabilities in their system. Document your findings below. Email this form
to the course staff at gw.csci6907.85.2012fa@gmail.com by 11:59 pm tonight.
Step 1: Static Analysis. Run FindBugs on their code. Does it report any Scariest (rank 1–4) or Scary
(rank 5–9) bugs? Any bugs in its Security category? If so, look at each one and decide whether an
attacker could actually trigger it, i.e. whether the bug is reachable from untrusted input and is a
vulnerability rather than a code-quality finding.
Report your findings here:
Step 2: Targeted Code Review. Find the places in their code that use cryptography, secrets (keys,
passwords, maybe nonces), and user inputs. Examine the code to determine whether it adheres to
the following criteria:

• No embedded secrets in code (hardcoded keys, passwords, etc.)
• No hardcoded resources in code (server names, IP addresses, user names)
• No secrets sent to public channels (passwords written to a log file, etc.)
• No secrets stored in memory that can’t be zeroed (passwords held in String objects instead of
  StringBuffer or char[], etc.)
• No home-developed crypto code
• No random numbers generated from insecure sources (java.util.Random or a clock-derived seed
  where SecureRandom is needed)
• No keys used for multiple purposes
• No weak crypto: use a sufficiently high security level for keys and nonces
• No user input used or stored before being validated (especially in SQL queries or in protocols)
Report your findings here:
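As an added illustration, not part of the course materials or of any student system, the following Java class pairs a failing and a passing version for most of the criteria above, so reviewers know what each one looks like in source. Every name in it (the class, the methods, the environment variable APP_DB_HOST, the table and column names, and the sample values) is an assumption made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Random;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example (assumed names): failing and passing versions of the review criteria. */
public class ReviewChecklistExamples {
    private static final Logger LOG = Logger.getLogger("demo");

    // Criteria: embedded secrets, hardcoded resources.
    // FAILS: the key and host ship inside the class file; anyone with the jar has both.
    static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    static final String HARDCODED_HOST = "db1.example.internal";

    // PASSES: resources come from configuration outside the code (APP_DB_HOST is an assumed name).
    static String dbHost() {
        String host = System.getenv("APP_DB_HOST");
        if (host == null) throw new IllegalStateException("APP_DB_HOST is not set");
        return host;
    }

    // Criterion: random numbers from insecure sources.
    // FAILS: java.util.Random is a 48-bit linear congruential generator; its state can be
    // recovered from two observed outputs, after which every later nonce is predictable.
    static byte[] nonceBad() {
        byte[] n = new byte[12];
        new Random().nextBytes(n);
        return n;
    }

    // PASSES: SecureRandom draws from the platform CSPRNG.
    static byte[] nonceGood(SecureRandom rng) {
        byte[] n = new byte[12];
        rng.nextBytes(n);
        return n;
    }

    // Criteria: no home-made crypto, adequate security level, single-purpose keys.
    // PASSES: JCE AES-GCM with a 256-bit key and a fresh 96-bit nonce per message;
    // the key is used only for this cipher, never also as a MAC key or a password.
    static byte[] encrypt(SecretKey key, byte[] nonce, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(plaintext);
    }

    // Criteria: secrets in String, secrets sent to a public channel.
    // FAILS: the immutable String stays on the heap until GC, and the log now holds the password.
    static boolean loginBad(String user, String password, String expected) {
        LOG.info("login attempt user=" + user + " pw=" + password);
        return password.equals(expected);
    }

    // PASSES: char[] is compared in constant time and wiped; the log records only the user.
    static boolean loginGood(String user, char[] password, char[] expected) {
        try {
            LOG.info("login attempt user=" + user);
            int diff = password.length ^ expected.length;
            for (int i = 0; i < Math.min(password.length, expected.length); i++) {
                diff |= password[i] ^ expected[i];
            }
            return diff == 0;
        } finally {
            Arrays.fill(password, '\0');   // caller's copy is zeroed too: same array
        }
    }

    // Criterion: user input used before validation.
    // FAILS: input is spliced into the query; the name  x' OR '1'='1  returns every row.
    static ResultSet findUserBad(Connection db, String user) throws SQLException {
        return db.createStatement()
                 .executeQuery("SELECT id FROM users WHERE name = '" + user + "'");
    }

    // PASSES: input checked against an allow-list, then bound as a parameter.
    static ResultSet findUserGood(Connection db, String user) throws SQLException {
        if (!user.matches("[A-Za-z0-9_]{1,32}")) {
            throw new IllegalArgumentException("invalid user name");
        }
        PreparedStatement ps = db.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, user);
        return ps.executeQuery();
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);   // 256-bit key; older JDKs need the unlimited-strength policy files
        SecretKey key = kg.generateKey();
        byte[] ct = encrypt(key, nonceGood(rng), "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("ciphertext+tag length: " + ct.length);
        char[] pw = "hunter2".toCharArray();
        System.out.println("login ok: " + loginGood("alice", pw, "hunter2".toCharArray()));
        System.out.println("password wiped: " + Arrays.equals(pw, new char[pw.length]));
    }
}
```

When reviewing, grep for the failing patterns first: string literals passed to key or password parameters, `new Random(`, `getBytes` on a password, `executeQuery("` with `+` concatenation, and any `log`/`println` call whose arguments include a variable named like a secret. Each hit is a finding for the report regardless of whether FindBugs flagged it.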