User:Johanna Curiel

2017-12-10T16:26:45Z

Johanna Curiel: Blanked the page

Category:Scala

2017-11-19T10:53:39Z

Johanna Curiel:

= Main =
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== About ==

The OWASP Scala and JVM Technology Knowledge Base is the clearing house for all information related to building secure web/distributed applications and services based on Java and JVM technologies. The focus of these pages is on guidance for developers and architects using Scala frameworks and JVM based technologies for Backend development

==Purpose==

* Provide deep, rich guidance for Scala developers in using the security features of Scala frameworks.
* Address security in relation to the Java Virtual Machine and derived technologies.
* Guide system administrators in managing Scala and JVM related components and applications.
* Create guidance for use of OWASP components that are designed for use with Scala or other JVM languages.
* Focus on information about working with and on OWASP tools built using Scala or other JVM technologies.
* Provide a stream of security related information, like vulnerabilities and security patches, related to the Scala and JVM universe.
* Build an ecosystem allowing to all actors interested to discuss, share and learn.

== Licensing ==

OWASP Java™ and JVM Technology Knowledge Base is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Oracle® and Java™ are [http://www.oracle.com/us/legal/trademarks/index.html|registered trademarks of Oracle] and/or its affiliates. Other names may be trademarks of their respective owners.

== What's Hot! ==

See the "Tasks and Roadmap" tab for more information.

[[OWASP Java Project WIPRO 1 2015|Wiki Pages Review Operation - 2015/2016]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

[[File:Scala logo.png|frame]]

== Meta ==

Last Update: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

 

== Other Resources ==

[http://lists.owasp.org/mailman/listinfo/java-project Mailing List]

[https://github.com/owasp GitHub (OWASP)]

 

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[Language|Languages Repository]]
* [[OWASP_.NET_Project|.NET Project]]
* [[Ruby|Ruby]]
* [[PHP|PHP]]
* [[Perl|Perl]]
* [[Python|Python]]
* [[JavaScript|JavaScript]]
* [[C/C++|C/C++]]
* [[SQL|SQL, PL/SQL, DB Scripting]]
* [[OWASP_Internet_of_Things_Project|OWASP IoT Security]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

|}

= Related OWASP Projects =

== Security Tools ==

{| width="100%"
| colspan="2" | [[OWASP_Dependency_Check|OWASP Dependency Check]]
|-
| width="20" |  
| Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Scala, .NET, Java, Ruby, Node.js, and Python projects are supported.
More info visit : https://github.com/albuch/sbt-dependency-check
|-
| colspan="2" | [[OWASP_SonarQube_Project|OWASP SonarQube Project]]
|-
| width="20" |  
| The first goal of the OWASP SonarQube Project is to a create a referential of check specifications targeting OWASP vulnerabilities that can be detected by SAST tools (Static Application Security Testing). From there, the second goal is to provide a reference implementations of most of those checks in the Open Source SonarQube language analyzers (Java, JavaScript, PHP and C#). SonarQube is an Open Source platform for managing code quality.
|}

== General Documents ==

{| width="100%"
| [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]
| [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]
| [[Cheat_Sheets|OWASP Cheat Sheets Series]]
|-
| [[OWASP_Testing_Project|OWASP Testing Project]]
| [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
| [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory]]
|}

= Security Frameworks =

{| class="wikitable"
|-
! Framework !! Authentication !! Authorization !! CSRF !! XSS !! SQLInjection !! OWASP page !! Notes
|-
| [https://www.playframework.com/documentation/2.0.4/ScalaSecurity Play] || ✓ || ✓ || - || - || - ||[[Scala_Frameworks/Play|Play Security Guidelines]]||
|-
| [http://deadbolt.ws/#service Deadbolt 2] || || ✓ || - || - || -|| - || Fine-grained authorization for controllers & templates
|-
| [https://github.com/pac4j/play-pac4j Play-pac4j] || ✓ || ✓ || ✓ || - || - || - || Security Library for Play framework , uses Deadbolt as dependency
|-
| [https://auth0.com/authenticate/scala/oauth2/ Scala-oauth2-provider] || ✓ || - || - || - || - || - || Authentication Play 2 Scala with Generic OAuth2 Provider
|-
| [http://www.securesocial.ws/ SecureSocial] || ✓ || - || - || - || - || - || Supports up to 2.5.12 Play versions (Actual one 2.6.x)
|-
| [https://www.silhouette.rocks/ Silhouette - Play Framework Library] || ✓ || - || - || - || - || - || For the Playframework
|-
| [https://liftweb.net/ Lift] || ✓ || ✓ || ✓ || ✓ || ✓ || - || Created for Web application security
|-
| [https://index.scala-lang.org/akka/akka-http/akka-http-core/10.0.10?target=_2.12 Akka (Akka-http)] || ✓ || ✓ || - || - || - || - || Primary focus is HTTP-based services
|-
| [http://spray.io/ Spray] || ✓ || ✓ || - || - || - || - || [http://spray.io spray library is not longer maintained, replaced by akka-http]
|}

Reference
https://www.47deg.com/blog/security-frameworks-for-scala/
= Resources =

== Mailing List ==

[http://lists.owasp.org/mailman/listinfo/java-project OWASP Java and JVM Technologies Mailing List]

== Code Repository ==

[https://github.com/owasp GitHub OWASP Global Repository]

== Related Project Resources ==

[[OWASP_Project|OWASP Project Repository]]

[[Language|Languages Repository]]

[[OWASP_.NET_Project|.NET Project]]

[[Ruby|Ruby Technology Knowledge Base]]

[[PHP|PHP Technology Knowledge Base]]

[[Perl|Perl Technology Knowledge Base]]

[[Python|Python Technology Knowledge Base]]

[[JavaScript|JavaScript Technology Knowledge Base]]

[[C/C++|C/C++ Technology Knowledge Base]]

[[SQL|SQL, PL/SQL and DB Scripting Technology Knowledge Base]]

[[OWASP_Internet_of_Things_Project|OWASP IoT Security Project]]

[[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]

= Tasks and Roadmap =

== Roadmap ==

* General review of all Scala and JVM related pages in the wiki.
* Build Scala and JVM security related resources guide
* Concrete guideline for Scala and JVM developers
* Clear checklists, around various topics, language, servers and frameworks.

 

= Get involved =

The first step would be to establish contact with the project leaders and/or the entire team. This can be done using a direct and private message, or by joining the public mailing list to say hello.

When it comes to participating in project activities, everything depends on the time you are willing and able to invest. It is however very important to not jump into too many things at the beginning, later having to back out or to let unfinished things behind you. It is much better to start with small tasks, increasing intensity and investment over time.

Please also be patient with expecting the "merge" of your work into the existing project pages and code. As everywhere in live, trust has to be built-up.

The Java and JVM knowledge base has currently multiple tasks open, which can be found on the adequate section of this page. Not all tasks require a wiki account. Please take something you are interested in and start participating. Work load is not the only outcome when participating in open projects. You are getting a lot of things back: recognition, satisfaction, knowledge and contacts, sometime friends.

Sounds cool? Then jump in...

To get involved join the mailing list, follow this link: [http://lists.owasp.org/mailman/listinfo/java-project OWASP Java and JVM Mailing List]

= Archives =

The previous version of this JAVA Project home page is archived here: [[OWASP Java Project Archive (8.2010)]]

 

<hr/>

__NOTOC__
<headertabs />

 

(The pages in the "old" category "OWASP Java Project" have to be moved into the category "Java". Work is in progress).

<categorytree mode=pages>OWASP Java Project</categorytree>



[[Category:Technology]]
[[Category:Language]]

Scala Frameworks/Play

2017-11-19T10:50:51Z

Johanna Curiel:

==Play Framework==
The Playframework has excellent documentation on many topics, however when it touches security, this section is quite limited regarding how to do secure implementations.
Documentation refers to the latest version.For more information please check:
https://www.playframework.com/documentation/2.6.x/Home

The following sections contain some important security aspects to be considered while implementing certain configurations and features.

===Sensitive information in Configuration Files===
Every Scala project will contain configuration files that can contain sensitive information such as:
*Passwords in clear text
*Path to Keystores
*Passwords from Keystores
Programers should avoid configuring clear text passwords in Application.conf files, for that purpose, encryption is necessary
===Configuration Keystore===
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required. The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this] unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure and certificates generated are self-signed, becoming unsuitable for real applications.

Developers should revise the following configuration information:

'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised

More information refer to: [[Cryptographic Storage Cheat Sheet|Cryptographic Storage Cheat Sheet#Rule - Protect keys in a key vault]]

'''play.server.https.keyStore.password''' - The password, defaults to a blank password

''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file

'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm

''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
====Encryption Keystore Password====
Using Environment in configuration files instead of clear text passwords, example
<code>password=${?MAIL_PASSWD}</code>
Following best practices, if you need to store a password, make sure that
*It's hashed
*Use salt
*Implement a slow algorithm against brute force such as Bcrypt The following example uses Bcrypt library for this purpose
def PasswordHash( name:String, pwd:String, version:Int = 1 ) : String = { if( version == 2 && false ) { // ANY CHANGES SHOULD BE MADE AS A NEW VERSION AND ADDED HERE "" } else { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar // Salt will be incorporated in the password hash val salt = BCrypt.gensalt(12) // Default is 10, or 2**10 rounds. More rounds is slower. BCrypt.hashpw( (name + pwd), salt ) } } def VerifyPassword( name:String, pwd:String, hash:String, version:Int = 1 ) : Boolean = { if( version == 1 ) { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar BCrypt.checkpw( (name + pwd), hash ) } else false }
===Enabling SSL in Production===
[https://www.playframework.com/documentation/2.3.x/ConfiguringHttps Play recommends] to use the latest JDK , at the moment of writing is 1.8, which provides a number of new features that make JSSE feasible as a TLS termination layer.

=== Security Features ===
The Play framework contains some essential security features, the following is a guide map to them. This is valid for version 2.6.x
* Input Validation
* CRSF Token
* [https://www.playframework.com/documentation/2.6.x/ScalaCsrf#Plays-CSRF-protection Security Headers]
Extending Security

There are different frameworks supporting Play with granular security features. For more information, please check the [[:Category:Scala|Scala Security Frameworks]]

2017-11-19T08:24:59Z

Johanna Curiel: /* Security Features */

Category:Scala

2017-11-16T09:49:02Z

Johanna Curiel:

= Main =
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== About ==

The OWASP Scala and JVM Technology Knowledge Base is the clearing house for all information related to building secure web/distributed applications and services based on Java and JVM technologies. The focus of these pages is on guidance for developers and architects using Scala frameworks and JVM based technologies for Backend development

==Purpose==

* Provide deep, rich guidance for Scala developers in using the security features of Scala frameworks.
* Address security in relation to the Java Virtual Machine and derived technologies.
* Guide system administrators in managing Scala and JVM related components and applications.
* Create guidance for use of OWASP components that are designed for use with Scala or other JVM languages.
* Focus on information about working with and on OWASP tools built using Scala or other JVM technologies.
* Provide a stream of security related information, like vulnerabilities and security patches, related to the Scala and JVM universe.
* Build an ecosystem allowing to all actors interested to discuss, share and learn.

== Licensing ==

OWASP Java™ and JVM Technology Knowledge Base is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Oracle® and Java™ are [http://www.oracle.com/us/legal/trademarks/index.html|registered trademarks of Oracle] and/or its affiliates. Other names may be trademarks of their respective owners.

== What's Hot! ==

See the "Tasks and Roadmap" tab for more information.

[[OWASP Java Project WIPRO 1 2015|Wiki Pages Review Operation - 2015/2016]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

[[File:Scala logo.png|frame]]

== Meta ==

Last Update: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

 

== Other Resources ==

[http://lists.owasp.org/mailman/listinfo/java-project Mailing List]

[https://github.com/owasp GitHub (OWASP)]

 

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[Language|Languages Repository]]
* [[OWASP_.NET_Project|.NET Project]]
* [[Ruby|Ruby]]
* [[PHP|PHP]]
* [[Perl|Perl]]
* [[Python|Python]]
* [[JavaScript|JavaScript]]
* [[C/C++|C/C++]]
* [[SQL|SQL, PL/SQL, DB Scripting]]
* [[OWASP_Internet_of_Things_Project|OWASP IoT Security]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

|}

= Related OWASP Projects =

== Security Tools ==

{| width="100%"
| colspan="2" | [[OWASP_Dependency_Check|OWASP Dependency Check]]
|-
| width="20" |  
| Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Scala, .NET, Java, Ruby, Node.js, and Python projects are supported.
More info visit : https://github.com/albuch/sbt-dependency-check
|-
| colspan="2" | [[OWASP_SonarQube_Project|OWASP SonarQube Project]]
|-
| width="20" |  
| The first goal of the OWASP SonarQube Project is to a create a referential of check specifications targeting OWASP vulnerabilities that can be detected by SAST tools (Static Application Security Testing). From there, the second goal is to provide a reference implementations of most of those checks in the Open Source SonarQube language analyzers (Java, JavaScript, PHP and C#). SonarQube is an Open Source platform for managing code quality.
|}

== General Documents ==

{| width="100%"
| [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]
| [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]
| [[Cheat_Sheets|OWASP Cheat Sheets Series]]
|-
| [[OWASP_Testing_Project|OWASP Testing Project]]
| [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
| [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory]]
|}

= Security Frameworks =

{| class="wikitable"
|-
! Framework !! Authentication !! Authorization !! CSRF !! XSS !! SQLInjection !! OWASP page !! Notes
|-
| [https://www.playframework.com/documentation/2.0.4/ScalaSecurity Play] || ✓ || ✓ || - || - || - ||[[Scala_Frameworks/Play|Play Security Guidelines]]||
|-
| [http://deadbolt.ws/#service Deadbolt 2] || ✓ || ✓ || - || - || -|| - ||
|-
| [https://github.com/pac4j/play-pac4j Play-pac4j] || ✓ || ✓ || ✓ || - || - || - ||
|-
| [https://auth0.com/authenticate/scala/oauth2/ Scala-oauth2-provider] || ✓ || - || - || - || - || - ||
|-
| [http://www.securesocial.ws/ SecureSocial] || ✓ || - || - || - || - || - ||
|-
| [https://www.silhouette.rocks/ Silhouette - Play Framework Library] || ✓ || - || - || - || - || - ||
|-
| [https://liftweb.net/ Lift] || ✓ || ✓ || ✓ || ✓ || ✓ || - ||
|-
| [https://index.scala-lang.org/akka/akka-http/akka-http-core/10.0.10?target=_2.12 Akka (Akka-http)] || ✓ || ✓ || - || - || - || - ||
|-
| [http://spray.io/ Spray] || ✓ || ✓ || - || - || - || - || [http://spray.io spray library is not longer maintained, replaced by akka-http]
|}

Reference
https://www.47deg.com/blog/security-frameworks-for-scala/
= Resources =

== Mailing List ==

[http://lists.owasp.org/mailman/listinfo/java-project OWASP Java and JVM Technologies Mailing List]

== Code Repository ==

[https://github.com/owasp GitHub OWASP Global Repository]

== Related Project Resources ==

[[OWASP_Project|OWASP Project Repository]]

[[Language|Languages Repository]]

[[OWASP_.NET_Project|.NET Project]]

[[Ruby|Ruby Technology Knowledge Base]]

[[PHP|PHP Technology Knowledge Base]]

[[Perl|Perl Technology Knowledge Base]]

[[Python|Python Technology Knowledge Base]]

[[JavaScript|JavaScript Technology Knowledge Base]]

[[C/C++|C/C++ Technology Knowledge Base]]

[[SQL|SQL, PL/SQL and DB Scripting Technology Knowledge Base]]

[[OWASP_Internet_of_Things_Project|OWASP IoT Security Project]]

[[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]

= Tasks and Roadmap =

== Roadmap ==

* General review of all Scala and JVM related pages in the wiki.
* Build Scala and JVM security related resources guide
* Concrete guideline for Scala and JVM developers
* Clear checklists, around various topics, language, servers and frameworks.

 

= Get involved =

The first step would be to establish contact with the project leaders and/or the entire team. This can be done using a direct and private message, or by joining the public mailing list to say hello.

When it comes to participating in project activities, everything depends on the time you are willing and able to invest. It is however very important to not jump into too many things at the beginning, later having to back out or to let unfinished things behind you. It is much better to start with small tasks, increasing intensity and investment over time.

Please also be patient with expecting the "merge" of your work into the existing project pages and code. As everywhere in live, trust has to be built-up.

The Java and JVM knowledge base has currently multiple tasks open, which can be found on the adequate section of this page. Not all tasks require a wiki account. Please take something you are interested in and start participating. Work load is not the only outcome when participating in open projects. You are getting a lot of things back: recognition, satisfaction, knowledge and contacts, sometime friends.

Sounds cool? Then jump in...

To get involved join the mailing list, follow this link: [http://lists.owasp.org/mailman/listinfo/java-project OWASP Java and JVM Mailing List]

= Archives =

The previous version of this JAVA Project home page is archived here: [[OWASP Java Project Archive (8.2010)]]

 

<hr/>

__NOTOC__
<headertabs />

 

(The pages in the "old" category "OWASP Java Project" have to be moved into the category "Java". Work is in progress).

<categorytree mode=pages>OWASP Java Project</categorytree>



[[Category:Technology]]
[[Category:Language]]

Scala Frameworks/Play

2017-11-14T16:50:14Z

Johanna Curiel:

Scala Frameworks/Play

2017-11-14T12:14:24Z

Johanna Curiel:

==Play Framework==
The Playframework has excellent documentation on many topics, however when it touches security, this section is quite limited regarding how to do secure implementations.
Documentation refers to the latest version.For more information please check:
https://www.playframework.com/documentation/2.6.x/Home

The following sections contain some important security aspects to be considered while implementing certain configurations and features.

===Sensitive information in Configuration Files===
Every Scala project will contain configuration files that can contain sensitive information such as:
*Passwords in clear text
*Path to Keystores
*Passwords from Keystores
Programers should avoid configuring clear text passwords in Application.conf files, for that purpose, encryption is necessary
===Configuration Keystore===
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required. The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this] unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure and certificates generated are self-signed, becoming unsuitable for real applications.

Developers should revise the following configuration information:

'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised

More information refer to: [[Cryptographic Storage Cheat Sheet|Cryptographic Storage Cheat Sheet#Rule - Protect keys in a key vault]]

'''play.server.https.keyStore.password''' - The password, defaults to a blank password

''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file

'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm

''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
====Encryption Keystore Password====
Using Environment in configuration files instead of clear text passwords, example
<code>password=${?MAIL_PASSWD}</code>
Following best practices, if you need to store a password, make sure that
*It's hashed
*Use salt
*Implement a slow algorithm against brute force such as Bcrypt The following example uses Bcrypt library for this purpose
def PasswordHash( name:String, pwd:String, version:Int = 1 ) : String = { if( version == 2 && false ) { // ANY CHANGES SHOULD BE MADE AS A NEW VERSION AND ADDED HERE "" } else { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar // Salt will be incorporated in the password hash val salt = BCrypt.gensalt(12) // Default is 10, or 2**10 rounds. More rounds is slower. BCrypt.hashpw( (name + pwd), salt ) } } def VerifyPassword( name:String, pwd:String, hash:String, version:Int = 1 ) : Boolean = { if( version == 1 ) { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar BCrypt.checkpw( (name + pwd), hash ) } else false }
===Enabling SSL in Production===
[https://www.playframework.com/documentation/2.3.x/ConfiguringHttps Play recommends] to use the latest JDK , at the moment of writing is 1.8, which provides a number of new features that make JSSE feasible as a TLS termination layer.

=== Security Features ===
The Play framework contains some essential security features, the following is a guide map to them
{| class="wikitable"
!Security feature
! rowspan="4" |
!Guidelines for implementation
!
!
|-
|Input Validation
|
|
|
|-
|CRSF Token
|
|
|
|-
|Encryption
|
|
|
|}

2017-11-07T16:52:21Z

Johanna Curiel: /* Enabling SSL in Production */

Scala Frameworks/Play

2017-11-07T16:49:23Z

Johanna Curiel:

==Play Framework==
The Playframework has excellent documentation on many topics, however when it touches security, this section is quite limited regarding how to do secure implementations.
Documentation refers to the latest version.For more information please check:
https://www.playframework.com/documentation/2.6.x/Home

The following sections contain some important security aspects to be considered while implementing certain configurations and features.

===Sensitive information in Configuration Files===
Every Scala project will contain configuration files that can contain sensitive information such as:
*Passwords in clear text
*Path to Keystores
*Passwords from Keystores
Programers should avoid configuring clear text passwords in Application.conf files, for that purpose, encryption is necessary
===Configuration Keystore===
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required. The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this] unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure and certificates generated are self-signed, becoming unsuitable for real applications.

Developers should revise the following configuration information:

'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised

More information refer to: [[Cryptographic Storage Cheat Sheet|Cryptographic Storage Cheat Sheet#Rule - Protect keys in a key vault]]

'''play.server.https.keyStore.password''' - The password, defaults to a blank password

''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file

'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm

''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
====Encryption Keystore Password====
Using Environment in configuration files instead of clear text passwords, example
<code>password=${?MAIL_PASSWD}</code>
Following best practices, if you need to store a password, make sure that
*It's hashed
*Use salt
*Implement a slow algorithm against brute force such as Bcrypt The following example uses Bcrypt library for this purpose
def PasswordHash( name:String, pwd:String, version:Int = 1 ) : String = { if( version == 2 && false ) { // ANY CHANGES SHOULD BE MADE AS A NEW VERSION AND ADDED HERE "" } else { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar // Salt will be incorporated in the password hash val salt = BCrypt.gensalt(12) // Default is 10, or 2**10 rounds. More rounds is slower. BCrypt.hashpw( (name + pwd), salt ) } } def VerifyPassword( name:String, pwd:String, hash:String, version:Int = 1 ) : Boolean = { if( version == 1 ) { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar BCrypt.checkpw( (name + pwd), hash ) } else false }
===Enabling SSL in Production===
[https://www.playframework.com/documentation/2.3.x/ConfiguringHttps Play recommends] to use JDK 1.8 which provides a number of new features that make JSSE feasible as a TLS termination layer

Scala Frameworks

2017-11-07T13:34:47Z

Johanna Curiel: /* Vulnerable Framework Components */

Scala Frameworks

2017-11-07T13:34:22Z

Johanna Curiel:

Scala Frameworks

2017-11-07T13:07:08Z

Johanna Curiel:

Scala Frameworks/Play

2017-11-07T13:06:22Z

Johanna Curiel:

==Play Framework==
The Playframework has excellent documentation on many topics, however when it touches security, documentation is quite limited regarding how to implementations. Documentation refers to the latest version

https://www.playframework.com/documentation/2.6.x/Home

for more information please check

===Sensitive information in Configuration Files===
Every Scala project will contain configuration files that can contain sensitive information such as:
*Passwords in clear text
*Path to Keystores
*Passwords from Keystores
Programers should avoid configuring clear text passwords in Application.conf files, for that purpose, encryption is necessary
===Configuration Keystore===
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required. The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this] unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure and certificates generated are self-signed, becoming unsuitable for real applications.

Developers should revise the following configuration information:

'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised

More information refer to: [[Cryptographic Storage Cheat Sheet|Cryptographic Storage Cheat Sheet#Rule - Protect keys in a key vault]]

'''play.server.https.keyStore.password''' - The password, defaults to a blank password

''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file

'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm

''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
====Encryption Keystore Password====
Using Environment in configuration files instead of clear text passwords, example
<code>password=${?MAIL_PASSWD}</code>
Following best practices, if you need to store a password, make sure that
*It's hashed
*Use salt
*Implement a slow algorithm against brute force such as Bcrypt The following example uses Bcrypt library for this purpose
def PasswordHash( name:String, pwd:String, version:Int = 1 ) : String = { if( version == 2 && false ) { // ANY CHANGES SHOULD BE MADE AS A NEW VERSION AND ADDED HERE "" } else { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar // Salt will be incorporated in the password hash val salt = BCrypt.gensalt(12) // Default is 10, or 2**10 rounds. More rounds is slower. BCrypt.hashpw( (name + pwd), salt ) } } def VerifyPassword( name:String, pwd:String, hash:String, version:Int = 1 ) : Boolean = { if( version == 1 ) { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar BCrypt.checkpw( (name + pwd), hash ) } else false }
===Enabling SSL in Production===
[https://www.playframework.com/documentation/2.3.x/ConfiguringHttps Play recommends] to use JDK 1.8 which provides a number of new features that make JSSE feasible as a TLS termination layer

Scala Frameworks/Play

2017-11-07T13:02:12Z

Johanna Curiel: Created page with "==Play Framework== ===Sensitive information in Configuration Files=== Every Scala project will contain configuration files that can contain sensitive information such as: *Pas..."

==Play Framework==
===Sensitive information in Configuration Files===
Every Scala project will contain configuration files that can contain sensitive information such as:
*Passwords in clear text
*Path to Keystores
*Passwords from Keystores
Programers should avoid configuring clear text passwords in Application.conf files, for that purpose, encryption is necessary
===Configuration Keystore===
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required. The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this] unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure and certificates generated are self-signed, becoming unsuitable for real applications.

Developers should revise the following configuration information:

'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised

More information refer to: [[Cryptographic Storage Cheat Sheet|Cryptographic Storage Cheat Sheet#Rule - Protect keys in a key vault]]

'''play.server.https.keyStore.password''' - The password, defaults to a blank password

''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file

'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm

''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
====Encryption Keystore Password====
Using Environment in configuration files instead of clear text passwords, example
<code>password=${?MAIL_PASSWD}</code>
Following best practices, if you need to store a password, make sure that
*It's hashed
*Use salt
*Implement a slow algorithm against brute force such as Bcrypt The following example uses Bcrypt library for this purpose
def PasswordHash( name:String, pwd:String, version:Int = 1 ) : String = { if( version == 2 && false ) { // ANY CHANGES SHOULD BE MADE AS A NEW VERSION AND ADDED HERE "" } else { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar // Salt will be incorporated in the password hash val salt = BCrypt.gensalt(12) // Default is 10, or 2**10 rounds. More rounds is slower. BCrypt.hashpw( (name + pwd), salt ) } } def VerifyPassword( name:String, pwd:String, hash:String, version:Int = 1 ) : Boolean = { if( version == 1 ) { import org.mindrot.jbcrypt.BCrypt // jbcrypt-0.3m.jar BCrypt.checkpw( (name + pwd), hash ) } else false }
===Enabling SSL in Production===
[https://www.playframework.com/documentation/2.3.x/ConfiguringHttps Play recommends] to use JDK 1.8 which provides a number of new features that make JSSE feasible as a TLS termination layer

2017-11-07T06:42:19Z

Johanna Curiel:

Scala language , just as JAVA , offers different types of Security Frameworks you can work with. Depending on the task, here we offer some general guidelines regarding the proper use of them
The following table contains the most popular ones and their security in terms of modules and implementation
= Security Frameworks =
The following Scala frameworks contain modules that help developers implement secure features such as Authentenciation, Authorization, CRSF or SQLInjection
{| class="wikitable"
|-
! Framework !! Authentication !! Authorization !! CSRF !! XSS !! SQLInjection
|-
| [https://www.playframework.com/documentation/2.0.4/ScalaSecurity Play] || ✓ || ✓ || - || - || -
|-
| [http://deadbolt.ws/#service Deadbolt 2] || || ✓ || - || - || -
|-
| [https://github.com/pac4j/play-pac4j Play-pac4j] || ✓ || - || - || - || -
|-
| [https://auth0.com/authenticate/scala/oauth2/ Scala-oauth2-provider] || ✓ || - || - || - || -
|-
| [http://www.securesocial.ws/ SecureSocial] || ✓ || - || - || - || -
|-
| [https://www.silhouette.rocks/ Silhouette - Play Framework Library] || ✓ || - || - || - || -
|-
| [https://liftweb.net/ Lift] || ✓ || ✓ || ✓ || ✓ || ✓
|-
| [https://index.scala-lang.org/akka/akka-http/akka-http-core/10.0.10?target=_2.12 Akka (Akka-http)] || ✓ || ✓ || - || - || -
|-
| [http://spray.io/ Spray] || ✓ || ✓ || - || - || -
|}

==Play Framework==
=== Sensitive information in Configuration Files===
Every Scala project will contain configuration files that can contain sensitive information such as:
* Passwords in clear text
* Path to Keystores
* Passwords from Keystores

Programers should avoid configuring clear text passwords in Application.conf files, for that purpose, encryption is necessary

===Configuration Keystore ===
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required.
The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this]
unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure and certificates generated are self-signed, becoming unsuitable for real applications.

'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised

'''play.server.https.keyStore.password''' - The password, defaults to a blank password

''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file

'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm

''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines

====Encryption Keystore====

==Vulnerable Framework Components==
It is essential that developers implement regular dependency checks of their components, since must Scala projects will make use of the above mentioned frameworks

==Reference==
https://www.47deg.com/blog/security-frameworks-for-scala/


[[Category:Technology]]
[[Category:Language]]
[[Category:Scala]]

Scala Frameworks

2017-11-07T06:37:51Z

Johanna Curiel:

Scala language , just as JAVA , offers different types of Security Frameworks you can work with. Depending on the task, here we offer some general guidelines regarding the proper use of them
The following table contains the most popular ones and their security in terms of modules and implementation
= Security Frameworks =
The following Scala frameworks contain modules that help developers implement secure features such as Authentenciation, Authorization, CRSF or SQLInjection
{| class="wikitable"
|-
! Framework !! Authentication !! Authorization !! CSRF !! XSS !! SQLInjection
|-
| [https://www.playframework.com/documentation/2.0.4/ScalaSecurity Play] || ✓ || ✓ || - || - || -
|-
| [http://deadbolt.ws/#service Deadbolt 2] || || ✓ || - || - || -
|-
| [https://github.com/pac4j/play-pac4j Play-pac4j] || ✓ || - || - || - || -
|-
| [https://auth0.com/authenticate/scala/oauth2/ Scala-oauth2-provider] || ✓ || - || - || - || -
|-
| [http://www.securesocial.ws/ SecureSocial] || ✓ || - || - || - || -
|-
| [https://www.silhouette.rocks/ Silhouette - Play Framework Library] || ✓ || - || - || - || -
|-
| [https://liftweb.net/ Lift] || ✓ || ✓ || ✓ || ✓ || ✓
|-
| [https://index.scala-lang.org/akka/akka-http/akka-http-core/10.0.10?target=_2.12 Akka (Akka-http)] || ✓ || ✓ || - || - || -
|-
| [http://spray.io/ Spray] || ✓ || ✓ || - || - || -
|}

== Sensitive information in Configuration Files==
Every Scala project will contain configuration files that can contain sensitive information such as:
* Passwords in clear text
* Path to Keystores
* Passwords from Keystores

Programers should avoid configuring clear text passwords in Application.conf files, for that purpose, encryption is necessary

===Configuration Keystore ===
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required.
The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this]
unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure and certificates generated are self-signed, becoming unsuitable for real applications.

'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised

'''play.server.https.keyStore.password''' - The password, defaults to a blank password

''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file

'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm

''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines

====Encryption Keystore====

==Vulnerable Framework Components==
It is essential that developers implement regular dependency checks of their components, since must Scala projects will make use of the above mentioned frameworks

==Reference==
https://www.47deg.com/blog/security-frameworks-for-scala/


[[Category:Technology]]
[[Category:Language]]
[[Category:Scala]]