When I was presenting to the Chicago Java Users Group a couple of weeks ago, one of the attendees pointed me to a tool called jCUTE. jCUTE is a freely available "concolic unit testing engine": it runs a Java program on concrete inputs while tracking the branch conditions those inputs satisfy symbolically, then solves for new inputs that flip one of those conditions, so it systematically drives execution down the program's paths looking for errors such as uncaught exceptions and failed assertions. It can also help to identify race conditions in concurrent Java code, and it can take the inputs it discovers and generate JUnit unit tests from them. One caveat: the number of paths grows exponentially with the number of branches, and some conditions (anything that depends on a hash or a library call the constraint solver cannot reason about) are out of the solver's reach, so in practice the exploration is bounded rather than literally exhaustive.
This tool has some very interesting potential for software and application security because of that in-depth branch analysis: it can drive execution into the rarely-taken branches where subtle bugs (an unchecked length, an unexpected exception, a race) hide, the kind of thing that typically goes unnoticed by hand-written unit tests and by random fuzzing. What I haven't had a chance to look at yet is how hard it would be to apply it to server-side Java code such as servlets and JSPs, where the inputs arrive through the container's request objects rather than as plain method parameters, so perhaps I will have some time to look into that in the next week or so.
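To make the "subtle bug behind several branches" point concrete, here is an added example; it is not code from the original post or from the jCUTE project, and the RecordParser format, the valueLength method and the specific inputs are all hypothetical. The bug in valueLength is only reachable when the key is exactly "len" and the declared length exceeds the remaining characters, a path random inputs almost never hit. The JUnit test shows the shape of what a concolic engine produces once its path exploration finds that input: each test pins one path with the concrete values that reach it. jCUTE itself instruments the program and derives the inputs automatically; the test below is written by hand to illustrate the output.

```java
import junit.framework.TestCase;

// Hypothetical target: parses "#key=value" records and returns the value
// length, or -1 for malformed input. Not from the post or from jCUTE.
class RecordParser {
    static int valueLength(String rec) {
        if (rec == null || rec.length() < 3) return -1;
        if (rec.charAt(0) != '#') return -1;        // records start with '#'
        int eq = rec.indexOf('=');
        if (eq < 0) return -1;                      // no key/value separator
        String key = rec.substring(1, eq);
        if (!key.equals("len")) return rec.length() - eq - 1;
        // Bug: for key "len" the declared length is trusted without being
        // checked against the string, so "#len=9" throws
        // StringIndexOutOfBoundsException four branches deep.
        int declared = Integer.parseInt(rec.substring(eq + 1));
        return rec.substring(eq + 1 + declared).length();
    }

    // Hardened form: bound the declared length before using it as an index.
    static int valueLengthChecked(String rec) {
        if (rec == null || rec.length() < 3) return -1;
        if (rec.charAt(0) != '#') return -1;
        int eq = rec.indexOf('=');
        if (eq < 0) return -1;
        String key = rec.substring(1, eq);
        if (!key.equals("len")) return rec.length() - eq - 1;
        int declared;
        try {
            declared = Integer.parseInt(rec.substring(eq + 1));
        } catch (NumberFormatException e) {
            return -1;                              // non-numeric length
        }
        if (declared < 0 || eq + 1 + declared > rec.length()) return -1;
        return rec.substring(eq + 1 + declared).length();
    }
}

// One test per explored path, with the concrete input that reaches it.
// This is the shape of a concolic engine's generated JUnit output, written
// here by hand.
public class RecordParserTest extends TestCase {
    public void testTooShort()        { assertEquals(-1, RecordParser.valueLength("#a")); }
    public void testMissingHash()     { assertEquals(-1, RecordParser.valueLength("key=v")); }
    public void testMissingEquals()   { assertEquals(-1, RecordParser.valueLength("#keyv")); }
    public void testOrdinaryKey()     { assertEquals(3,  RecordParser.valueLength("#key=abc")); }
    public void testLenKeyInBounds()  { assertEquals(0,  RecordParser.valueLength("#len=1")); }

    public void testLenKeyOutOfBounds() {
        // The buggy path: key is "len" and the declared length (9) exceeds
        // the one remaining character after '='.
        try {
            RecordParser.valueLength("#len=9");
            fail("expected StringIndexOutOfBoundsException");
        } catch (StringIndexOutOfBoundsException expected) {
            // this is the error the path exploration reports
        }
        // The hardened version rejects the same input instead of throwing.
        assertEquals(-1, RecordParser.valueLengthChecked("#len=9"));
        assertEquals(-1, RecordParser.valueLengthChecked("#len=x"));
    }
}
```

Run it with `java junit.textui.TestRunner RecordParserTest` on the JUnit 3 classpath. Note that every branch in valueLength is a comparison on the input's characters and integers, which is exactly the kind of constraint a concolic solver can negate; a branch on, say, a hash of the input would be the case where the exploration gets stuck.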
dan _at_ denimgroup.com