Saturday, October 14, 2006

Security Java/J2EE Code Review - Identifying Web Vulnerabilities by Kiran Maraju

This paper introduces security code review inspections and describes how web application security vulnerabilities are identified in Java/J2EE source code. It details the inspections to perform on the source, explains the process of identifying vulnerable code together with the corresponding remediation, and points out the specific locations in the code flow that should be checked for web application vulnerabilities.
Read the article (in PDF format). In the article Maraju also gathers a list of code review tools for Java/J2EE that can be used for security analysis:
1- Escjava (ESC/Java)
2- Hammurapi
3- Jlint
4- Java PathFinder
5- JavaPureCheck
6- Checkstyle
7- PMD
8- FindBugs
I have used FindBugs and found it useful for Java source and bytecode analysis. See the FindBugs blog on Blogspot.
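The common thread in the inspections the paper describes is following request data from the point where it enters the application to the sinks where it becomes dangerous (a JDBC query, the HTML response). The script below is an added example, not code from Maraju's paper or from any of the tools listed above: a deliberately crude, line-oriented reviewer that applies that source-to-sink idea to two constructed servlet fragments, one with a concatenated SQL query and an unencoded echo of a request parameter, and the same fragment after remediation with a PreparedStatement and an HTML encoder. The Java snippets, the `htmlEscape` helper name and the encoder names in `HTML_ENCODERS` are assumptions made for the example; a real tool such as FindBugs tracks data flow across statements rather than matching single lines.

```python
import re

# Constructed sample of a servlet fragment with two review findings
# (not code from the paper): SQL built by concatenating a request
# parameter, and that parameter echoed into HTML without encoding.
VULNERABLE_JAVA = """
String user = request.getParameter("user");
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("SELECT * FROM accounts WHERE name='" + user + "'");
out.println("<h1>Welcome " + request.getParameter("user") + "</h1>");
"""

# Constructed sample of the same fragment after remediation. htmlEscape()
# stands in for whatever HTML-encoding helper the project uses (assumed name).
FIXED_JAVA = """
String user = request.getParameter("user");
PreparedStatement ps = conn.prepareStatement("SELECT * FROM accounts WHERE name = ?");
ps.setString(1, user);
ResultSet rs = ps.executeQuery();
out.println("<h1>Welcome " + htmlEscape(user) + "</h1>");
"""

# Where untrusted data enters: a request accessor assigned to a local variable.
TAINT_SOURCE = re.compile(r"(\w+)\s*=\s*request\.get(?:Parameter|Header|QueryString)\(")
# Where it must not arrive unchanged: JDBC query builders and response writers.
SQL_SINK = re.compile(r"\b(?:executeQuery|executeUpdate|execute|prepareStatement)\s*\((.*)\)")
HTML_SINK = re.compile(r"\b(?:println|print|write)\s*\((.*)\)")
# Calls that neutralise the HTML sink; both names are assumptions for this example.
HTML_ENCODERS = ("htmlEscape(", "encodeForHTML(")


def tainted_locals(lines):
    """Names of locals assigned directly from the request object."""
    names = set()
    for line in lines:
        m = TAINT_SOURCE.search(line)
        if m:
            names.add(m.group(1))
    return names


def is_tainted(expr, names):
    """True if the expression reads the request directly or uses a tainted local."""
    if "request.get" in expr:
        return True
    return any(re.search(r"\b%s\b" % re.escape(n), expr) for n in names)


def review(java_source):
    """Return (line_no, finding, line) for each suspicious sink in the source."""
    lines = java_source.strip().splitlines()
    names = tainted_locals(lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = SQL_SINK.search(line)
        # A query assembled with '+' from tainted data is the injection
        # pattern; a parameterised query passes a fixed string to the driver.
        if m and "+" in m.group(1) and is_tainted(m.group(1), names):
            findings.append((no, "SQL injection", line.strip()))
        m = HTML_SINK.search(line)
        if m and is_tainted(m.group(1), names) and not any(
            enc in m.group(1) for enc in HTML_ENCODERS
        ):
            findings.append((no, "Cross-site scripting", line.strip()))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_JAVA), ("fixed", FIXED_JAVA)):
        print(label)
        for no, kind, text in review(src):
            print("  line %d: %s: %s" % (no, kind, text))
```

Run stand-alone it reports a SQL injection finding on line 3 and a cross-site scripting finding on line 4 of the vulnerable fragment and nothing for the fixed one. The point of the exercise is the shape of the inspection, source variable, sink call, and the sanitiser or parameterisation that must sit between them, which is what a manual reviewer checks at each of the code locations the paper enumerates; the heuristic here will miss data that passes through a method call or a bean before reaching the sink.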

1 Comment:

Anonymous said...

Genial dispatch and this fill someone in on helped me a lot in my college assignment. Thank you for your information.

10:56 PM  
