
Is there a way to rate or review the security of a Java web application? Apart from a web scanner or code audit, does a metric/procedure exist to evaluate the application's security?

I have also read How to rate Open Source Libraries? and Are there any web application security standards?, but they don't solve my question. I need a metric to rate the code, so that I can then refactor the application's Java code in order to reduce its security weaknesses.

Matt Elson

2 Answers


The CVSS rates the risk associated with vulnerabilities found in deployed software. Think of CVSS as a way to score the seriousness of traffic accidents. The Common Weakness Enumeration describes the software flaws and bugs that are the root cause of these vulnerabilities. Think of the CWE as analogous to the bad practices (gas tanks exposed to impacts, absence of guard rails, failure to buckle seatbelts) that cause or contribute to traffic risks.

The Common Weakness Scoring System (CWSS) is the scoring system for assessing software flaws and bugs. Given that weaknesses present different risks depending on temporal and environmental factors, DHS and MITRE have developed the Common Weakness Risk Analysis Framework (CWRAF) to give tool makers and enterprises greater flexibility in assessing the significance and priority of software issues and application security.

Other scoring systems include Software Fault Patterns from KDM Analytics and Semantic Templates from Dr. Robin Gandhi and Dr. Yan Wu at the University of Nebraska at Omaha and Bowling Green State University respectively.

WaltHouser

If the application is complete, you would generally score each issue separately using a system like the Common Vulnerability Scoring System.

If the application is still in development, you can use a similar model designed for threat modeling such as DREAD.

Each of these systems will give you numerical values for your security issues that you can use to create an objective assessment of the overall state of the application's security.

Xander