OWASP - User contributions [en]

GPC Project Details/OWASP Enterprise Security API Java EE Version

2019-06-28T18:04:41Z

Kevin W. Wall: Updates for ESAPI 2.2.0.0 release

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 5 and above, but the latest release (2.2.0.0) requires Java 7 or later. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/
* The ESAPI 1.4 branch supports Java 4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html. (Google may have removed this though, so you may have to search for it on https://archive.org/)
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Matt Seil
| leader_email = esapi-project-dev@owasp.org
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff_Williams (project creator)
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-project-dev@owasp.org
| maintainer_username =
| contributor_name1 = Kevin W. Wall
| contributor_email1 = kevin.w.wall@gmail.com
| contributor_username1 = Kevin_W._Wall
| contributor_name2 = Matt Seil
| contributor_email2 = xeno6696@gmail.com@gmail.com
| contributor_username2 = Matt Seil
| contributor_name3 = Jeremiah J Stacey
| contributor_email3 =
| contributor_username3 =
| contributor_name4 = Jeff Williams
| contributor_email4 = Jeff.Williams@owasp.org
| contributor_username4 = Jeff_Williams
| contributor_name5 = Jim Manico
| contributor_email5 = Jim.Manico@owasp.org
| contributor_username5 = Jmanico
| contributor_name6 = Chris Schmidt
| contributor_email6 = chrisisbeef@gmail.com
| contributor_username6 = Chris_Schmidt
| contributor_name7 = See https://github.com/ESAPI/esapi-java-legacy/graphs/contributors for list of other contributors
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =

| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = https://search.maven.org/#search%7Cga%7C1%7Corg.owasp.esapi
| links_name1 = ESAPI 2.x Downloads
| links_url2 = https://code.google.com/p/owasp-esapi-java/downloads/list
| links_name2 = All previous ESAPI 1.4.x Downloads (no longer supported)
| links_url3 = https://github.com/ESAPI/esapi-java-legacy
| links_name3 = GitHub code repository for ESAPI JAVA
| links_url4 = https://github.com/ESAPI/esapi-java-legacy/issues
| links_name4 = Report a bug!
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/
| links_name5 = Latest ESAPI Javadocs (and earlier versions)
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs (may need to access via archive.org as Google was planning to remove Google Code)
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name = 2.2.0.0
| current_release_date = June 25, 2019
| current_release_download_link = https://mvnrepository.com/artifact/org.owasp.esapi/esapi/2.2.0.0
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

Category:OWASP Enterprise Security API

2019-06-28T17:39:23Z

Kevin W. Wall: Update Javadoc link on main tab to reference 2.2.0.0 release.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:kevin.w.wall@gmail.com here] and [mailto:xeno6696@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*[https://github.com/ESAPI/owasp-esapi-js ESAPI for Javascript]<br>

'''No longer supported versions'''. If you absolutely need to download one of those, it is suggested that you search the [https://archive.org/ Internet Archive Wayback Machine] or [https://github.com/ GitHub] for someone who may have mirrored it:

* ESAPI for .NET
* ESAPI for Classic ASP
* ESAPI for PHP
* ESAPI for ColdFusion & CFML
* ESAPI for Python

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.2.0.0 JavaDocs])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Should I use ESAPI? =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[NOTE: The heretical opinions on this ESAPI tab are 100% my own and do not necessarily reflect the rest of other ESAPI contributors or the OWASP staff, leadership, community. --kevin wall]

Or, specifically, "Should I use ESAPI for Java?" since that's the only one run by OWASP that still shows any semblance of life.
Maintenance activities is down, way down in fact of its peak development activities. Some of us are still trying and haven't given up and volunteers are still welcome. But without active contributors, projects make slow progress.

The first question to ask is, are you already using ESAPI in your project, and if so, do you have a lot vested in it? If so, then the answer to "Should I use ESAPI?" probably is "yes". The second question you should ask, if I'm using it, why am I not contributing to it in some manner? But we won't go there.

If you are starting out on a new project or trying for the first time to secure an existing project, then _before_ you consider ESAPI, you should consider these possible alternatives:
* Output encoding: [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]
* General HTML sanitization: [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer]
* Validation: [http://beanvalidation.org/ JSR-303/JSR-349 Bean Validation]
*Strong cryptography: [https://github.com/google/tink Google Tink], [https://github.com/google/keyczar Keyczar]
* Authentication / authorization: [https://shiro.apache.org/ Apache Shiro]
* CSRF protection: [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project] or [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRFProtector Project]

Note that this is not to suggest that ESAPI is dead, but rather to acknowledge the fact that it isn't being as well-maintained as most F500 companies would like for their enterprise software. There may be alternatives, such as companies that you can purchase ESAPI support from. Those are not being considered here for various reasons, not the least of which is to remain vendor neutral. Rather, instead these recommendations should be taken as possible alternatives to secure your application. It is not a perfect world that we live in, but I would be remiss as an appsec guy if I were to plug ESAPI over other good security solutions simply because of my contributions to / involvement with ESAPI. I think that ESAPI has it's place and I will do my best to maintain it, but not to the exclusion of my family or day job. If you would like to volunteer to help, you know where to find me.

-[mailto:kevin.w.wall@gmail.com kevin wall]

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

GPC Project Details/OWASP Enterprise Security API Java EE Version

2019-05-29T03:22:08Z

Kevin W. Wall: Add Jeremiah Stacey as contributor.

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Matt Seil
| leader_email = esapi-dev@lists.owasp.org
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff_Williams (project creator)
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-dev@lists.owasp.org
| maintainer_username =
| contributor_name1 = Kevin W. Wall
| contributor_email1 = kevin.w.wall@gmail.com
| contributor_username1 = Kevin_W._Wall
| contributor_name2 = Matt Seil
| contributor_email2 = xeno6696@gmail.com@gmail.com
| contributor_username2 = Matt Seil
| contributor_name3 = Jeremiah J Stacey
| contributor_email3 =
| contributor_username3 =
| contributor_name4 = Jeff Williams
| contributor_email4 = Jeff.Williams@owasp.org
| contributor_username4 = Jeff_Williams
| contributor_name5 = Jim Manico
| contributor_email5 = Jim.Manico@owasp.org
| contributor_username5 = Jmanico
| contributor_name6 = Chris Schmidt
| contributor_email6 = chrisisbeef@gmail.com
| contributor_username6 = Chris_Schmidt
| contributor_name7 = See "Members" under https://code.google.com/p/owasp-esapi-java/ for list of other contributors
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =

| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = https://search.maven.org/#search%7Cga%7C1%7Corg.owasp.esapi
| links_name1 = ESAPI 2.x Downloads
| links_url2 = https://code.google.com/p/owasp-esapi-java/downloads/list
| links_name2 = All previous ESAPI Downloads
| links_url3 = https://github.com/ESAPI/esapi-java-legacy
| links_name3 = GitHub code repository for ESAPI JAVA
| links_url4 = https://github.com/ESAPI/esapi-java-legacy/issues
| links_name4 = Report a bug!
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
| links_name5 = ESAPI 2.1.0 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

GPC Project Details/OWASP Enterprise Security API

2019-05-29T03:11:59Z

Kevin W. Wall: Added Jeremiah Stacey as a contributor.

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP Enterprise Security API
| project_description = ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

* '''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

* '''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

* '''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.
| project_license =BSD license
| leader_name =Kevin W. Wall and Matt Seil
| leader_email =kevin.w.wall@gmail.com
| past_leaders_special_contributions =Jeff Williams, Dave Wichers, Chris Schmidt, Jim Manico
| maintainer_name =
| maintainer_email =
| maintainer_username =
| contributor_name1 = Jeremiah J. Stacey
| contributor_email1 =
| contributor_username1 =
| contributor_name2 = Chris Schmidt
| contributor_email2 = chris.schmidt@owasp.org
| contributor_username2 = Chris_Schmidt
| contributor_name3 =
| contributor_email3 =
| contributor_username3 =
| contributor_name4 =Jeff Williams
| contributor_email4 =
| contributor_username4 =
| contributor_name5 =Dave Wichers
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =John Steven
| contributor_email6 =
| contributor_username6 =

| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
|
| pamphlet_link = http://www.owasp.org/images/8/81/Esapi-datasheet.pdf
| presentation_link = http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
| mailing_list_name = esapi-user
| links_url1 = http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads
| links_name1 = General ESAPI information
| links_url2 = http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API/Sub-Projects
| links_name2 = ESAPI/Sub-Projects
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (ESAPI Global)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API
}}

User talk:Douglasheld

2018-09-03T14:11:53Z

Kevin W. Wall: /* Comments left on "Choosing and Using Security Questions Cheat Sheet" */ new section

From Jim:
I brought the HTTP Response splitting page back. I am fully deleting the CLASP and other old projects from the wiki - so I removed those categories form the page when I brought it back.

If you see anything else that I deleted (and I deleted a lot) that needs to be brought back, let me know via jim@owasp.org.

== Comments left on "Choosing and Using Security Questions Cheat Sheet" ==

Douglas,

Regarding your comment. For the most part, but unfortunately I don't see this changing anytime soon. It is likely to be around as long as passwords are still used, some people will forget their passwords. And since by some accounts a call to the help desk costs as much as $5.00 USD, mechanisms involving automatic resets of forgotten passwords will be preferred. (And besides, for companies not having questions that they can ask about a user's transactional history, etc., how are they to confirm the identity of a user claiming a forgotten password?) So as long as that's the case, this a wiki cheat sheet as well as the related "Forgot Password" cheat sheet will hopefully make this method of resetting passwords as secure as possible. What we really need to do is to replace passwords with stronger authentication mechanisms such as FIDO, etc. but that is something that likely will take many years to become mainstream.

-kevin

Choosing and Using Security Questions Cheat Sheet

2018-08-31T18:23:55Z

Kevin W. Wall: Fix minor typo in Desired Characteristics section.

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
= Introduction =
__TOC__{{TOC hidden}}

This cheat sheet provides some best practice for developers to follow when choosing and using security questions to implement a "forgot password" web application feature.<br>

= The Problem =

There is no industry standard either for providing guidance to users or developers when using or implementing a Forgot Password feature. The result is that developers generally pick a set of dubious questions and implement them insecurely. They do so, not only at the risk to their users, but also--because of potential liability issues--at the risk to their organization. Ideally, passwords would be dead, or at least less important in the sense that they make up only one of several multi-factor authentication mechanisms, but the truth is that we probably are stuck with passwords just like we are stuck with Cobol. So with that in mind, what can we do to make the Forgot Password solution as palatable as possible?

= Choosing Security Questions and/or Identity Data =

Most of us can instantly spot a bad "security question" when we see one. You know the ones we mean. Ones like "What is your favorite color?" are obviously bad. But as the [http://goodsecurityquestions.com/ Good Security Questions] web site rightly points out,
"there really are NO GOOD security questions; only fair or bad questions".

The reason that most organizations allow users to reset their own forgotten passwords is not because of security, but rather to reduce their own costs by reducing their volume of calls to their help desks. It's the classic convenience vs. security trade-off, and in this case, convenience (both to the organization in terms of reduced costs and to the user in terms of simpler, self-service) almost always wins out.

So given that the business aspect of lower cost generally wins out, what can we do to at least raise the bar a bit?

Here are some suggestions. Note that we intentionally avoid recommending specific security questions. To do so likely would be counterproductive because many developers would simply use those questions without much thinking and adversaries would immediately start harvesting that data from various social networks.

== Desired Characteristics ==

Any security questions or identity information presented to users to reset forgotten passwords should ideally have the following four characteristics:

# '''Memorable''': If users can't remember their answers to their security questions, you have achieved nothing.
# '''Consistent''': The user's answers should not change over time. For instance, asking "What is the name of your significant other?" may have a different answer 5 years from now.
# '''Nearly universal''': The security questions should apply to as wide an audience as possible.
# '''Safe''': The answers to security questions should not be something that is easily guessed, or research (e.g., something that is matter of public record).

== Steps ==

=== Step 1) Decide on Identity Data vs Canned Questions vs. User-Created Questions ===

Generally, a single HTML form should be used to collect all of the inputs to be used for later password resets.

If your organization has a business relationship with users, you probably have collected some sort of additional information from your users when they registered with your web site. Such information includes, but is not limited to:

* email address
* last name
* date of birth
* account number
* customer number
* last 4 of social security number
* zip code for address on file
* street number for address on file

For enhanced security, you may wish to consider asking the user for their email address first and then send an email that takes them to a private page that requests the other 2 (or more) identity factors. That way the email itself isn’t that useful because they still have to answer a bunch of ‘secret’ questions after they get to the landing page.

On the other hand, if you host a web site that targets the general public, such as social networking sites, free email sites, news sites, photo sharing sites, etc., then you likely to not have this identity information and will need to use some sort of the ubiquitous "security questions". However, also be sure that you collect some means to send the password reset information to some out-of-band side-channel, such as a (different) email address, an SMS texting number, etc.

Believe it or not, there is a certain merit to allow your users to select from a set of several "canned" questions. We generally ask users to fill out the security questions as part of completing their initial user profile and often that is the very time that the user is in a hurry; they just wish to register and get about using your site. If we ask users to create their own question(s) instead, they then generally do so under some amount of duress, and thus may be more likely to come up with extremely poor questions.

However, there is also some strong rationale to requiring users to create their own question(s), or at least one such question. The prevailing legal opinion seems to be if we provide some sort of reasonable guidance to users in creating their own questions and then insist on them doing so, at least some of the potential liabilities are transferred from our organizations to the users. In such cases, if user accounts get hacked because of their weak security questions (e.g., "What is my favorite ice cream flavor?", etc.) then the thought is that they only have themselves to blame and thus our organizations are less likely to get sued.

Since OWASP recommends in the [[Forgot Password Cheat Sheet]] that multiple security questions should be posed to the user and successfully answered before allowing a password reset, a good practice might be to require the user to select 1 or 2 questions from a set of canned questions as well as to create (a different) one of their own and then require they answer one of their selected canned questions as well as their own question.

=== Step 2) Review Any Canned Questions with Your Legal Department or Privacy Officer ===

While most developers would generally first review any potential questions with whatever relevant business unit, it may not occur to them to review the questions with their legal department or chief privacy officer. However, this is advisable because their may be applicable laws or regulatory / compliance issues to which the questions must adhere. For example, in the telecommunications industry, the FCC's Customer Proprietary Network Information (CPNI) regulations prohibit asking customers security questions that involve "personal information", so questions such as "In what city were you born?" are generally not allowed.

=== Step 3) Insist on a Minimal Length for the Answers ===

Even if you pose decent security questions, because users generally dislike putting a whole lot of forethought into answering the questions, they often will just answer with something short. Answering with a short expletive is not uncommon, nor is answering with something like "xxx" or "1234". If you tell the user that they ''should'' answer with a phrase or sentence and tell them that there is some minimal length to an acceptable answer (say 10 or 12 characters), you generally will get answers that are somewhat more resistant to guessing.

=== Step 4) Consider How To Securely Store the Questions and Answers ===

There are two aspects to this...storing the questions and storing the answers. Obviously, the questions must be presented to the user, so the options there are store them as plaintext or as reversible ciphertext. The answers technically do not need to be ever viewed by any human so they could be stored using a secure cryptographic hash (although in principle, I am aware of some help desks that utilize the both the questions and answers for password reset and they insist on being able to ''read'' the answers rather than having to type them in; YMMV). Either way, we would always recommend at least encrypting the answers rather than storing them as plaintext. This is especially true for answers to the "create your own question" type as users will sometimes pose a question that potentially has a sensitive answer (e.g., "What is my bank account # that I share with my wife?").

So the main question is whether or not you should store the questions as plaintext or reversible ciphertext. Admittedly, we are a bit biased, but for the "create your own question" types at least, we recommend that such questions be encrypted. This is because if they are encrypted, it makes it much less likely that your company will be sued if you have some bored, rogue DBAs pursuing the DB where the security questions and answers are stored in an attempt to amuse themselves and stumble upon something sensitive or perhaps embarrassing.

In addition, if you explain to your customers that you are encrypting their questions and hashing their answers, they might feel safer about asking some questions that while potentially embarrassing, might be a bit more secure. (Use your imagination. Do we need to spell it out for you? Really???)

=== Step 5) Periodically Have Your Users Review their Questions ===

Many companies often ask their users to update their user profiles to make sure contact information such as email addresses, street address, etc. is still up-to-date. Use that opportunity to have your users review their security questions. (Hopefully, at that time, they will be in a bit less of a rush, and may use the opportunity to select better questions.) If you had chosen to encrypt rather than hash their answers, you can also display their corresponding security answers at that time.

If you keep statistics on how many times the respective questions has been posed to someone as part of a Forgot Password flow (recommended), it would be advisable to also display that information. (For instance, if against your advice, they created a question such as "What is my favorite hobby?" and see that it had been presented 113 times and they think they might have only reset their password 5 times, it would probably be advisable to change that security question and probably their password as well.)

=== Step 6) Authenticate Requests to Change Questions ===

Many web sites properly authenticate change password requests simply by requesting the current password along with the desired new password. If the user cannot provide the correct current password, the request to change the password is ignored. The same authentication control should be in place when changing security questions. The user should be required to provide the correct password along with their new security questions & answers. If the user cannot provide the correct password, then the request to change the security questions should be ignored. This control prevents both Cross-Site Request Forgery attacks, as well as changes made by attackers who have taken control over a users workstation or authenticated application session.

= Using Security Questions =

Requiring users to answer security questions is most frequently done under two quite different scenarios:
* As a means for users to reset forgotten passwords. (See [[Forgot Password Cheat Sheet]].)
* As an additional means of corroborating evidence used for authentication.

If at anytime you intend for your users to answer security questions for both of these scenarios, it is ''strongly'' recommended that you use two different sets of questions / answers.

It should noted that using a security question / answer in addition to using passwords does '''''not''''' give you multi-factor authentication because both of these fall under the category of "what you know". Hence they are two of the ''same'' factor, which is not multi-factor. Furthermore, it should be noted that while passwords are a very weak form of authentication, answering security questions are generally is a much weaker form. This is because when we have users create passwords, we generally test the candidate password against some password complexity rules (e.g., minimal length > 10 characters; must have at least one alphabetic, one numeric, and one special character; etc.); we usually do no such thing for security answers (except for perhaps some minimal length requirement). Thus good passwords generally will have much more entropy than answers to security questions, often by several orders of magnitude.

=== Security Questions Used To Reset Forgotten Passwords ===

The [[Forgot Password Cheat Sheet]] already details pretty much everything that you need to know as a developer when ''collecting'' answers to security questions. However, it provides no guidance about how to assist the user in selecting security questions (if chosen from a list of candidate questions) or writing their own security questions / answers. Indeed, the [[Forgot Password Cheat Sheet]] makes the assumption that one can actually use additional ''identity'' data as the security questions / answers. However, often this is not the case as the user has never (or won't) volunteer it or is it prohibited for compliance reasons with certain regulations (e.g., as in the case of telecommunications companies and [[http://en.wikipedia.org/wiki/Customer_proprietary_network_information CPNI]] data).

Therefore, at least some development teams will be faced with collecting more generic security questions and answers from their users. If you must do this as a developer, it is good practice to:
* briefly describe the importance of selecting a good security question / answer.
* provide some guidance, along with some examples, of what constitutes bad vs. fair security questions.

You may wish to refer your users to the [[http://goodsecurityquestions.com/ Good Security Questions]] web site for the latter.

Furthermore, since adversaries will try the "forgot password" reset flow to reset a user's password (especially if they have compromised the side-channel, such as user's email account or their mobile device where they receive SMS text messages), is a good practice to minimize unintended and unauthorized information disclosure of the security questions. This may mean that you require the user to answer one security question before displaying any subsequent questions to be answered. In this manner, it does not allow an adversary an opportunity to research all the questions at once. Note however that this is contrary to the advice given on the [[Forgot Password Cheat Sheet]] and it may also be perceived as not being user-friendly by your sponsoring business unit, so again YMMV.

Lastly, you should consider whether or not you should treat the security questions that a user will type in as a "password" type or simply as regular "text" input. The former can prevent shoulder-surfing attacks, but also cause more typos, so there is a trade-off. Perhaps the best advice is to give the user a choice; hide the text by treating it as "password" input type by default, but all the user to check a box that would display their security answers as clear text when checked.

=== Security Questions As An Additional Means Of Authenticating ===

First, it bears repeating again...if passwords are considered weak authentication, then using security questions are even less robust. Furthermore, they are no substitute for true multi-factor authentication, or stronger forms of authentication such as authentication using one-time passwords or involving side-channel communications. In a word, very little is gained by using security questions in this context. But, if you must...keep these things in mind:

* Display the security question(s) on a separate page only ''after'' your users have successfully authenticated with their usernames / passwords (rather than only after they have entered their username). In this manner, you at least do not allow an adversary to view and research the security questions unless they also know the user's current password.
* If you also use security questions to reset a user's password, then you should use a ''different'' set of security questions for an additional means of authenticating.
* Security questions used for actual authentication purposes should regularly expire much like passwords. Periodically make the user choose new security questions and answers.
* If you use answers to security questions as a ''subsequent'' authentication mechanism (say to enter a more sensitive area of your web site), make sure that you keep the session idle time out very low...say less than 5 minutes or so, or that you also require the user to first re-authenticate with their password and then immediately after answer the security question(s).

= Related Articles =
[[Forgot Password Cheat Sheet]]<br/>
[http://goodsecurityquestions.com/ Good Security Questions web site]

= Authors and Primary Editors =

Kevin Wall - kevin.w.wall[at]gmail com

= Other Cheatsheets =

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]

Category:OWASP Enterprise Security API

2018-08-22T00:52:36Z

Kevin W. Wall: Add Google Tink as recommendation for strong crypto.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:kevin.w.wall@gmail.com here] and [mailto:xeno6696@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*[https://github.com/ESAPI/owasp-esapi-js ESAPI for Javascript]<br>

'''No longer supported versions'''. If you absolutely need to download one of those, it is suggested that you search the [https://archive.org/ Internet Archive Wayback Machine] or [https://github.com/ GitHub] for someone who may have mirrored it:

* ESAPI for .NET
* ESAPI for Classic ASP
* ESAPI for PHP
* ESAPI for ColdFusion & CFML
* ESAPI for Python

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Should I use ESAPI? =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[NOTE: The heretical opinions on this ESAPI tab are 100% my own and do not necessarily reflect the rest of other ESAPI contributors or the OWASP staff, leadership, community. --kevin wall]

Or, specifically, "Should I use ESAPI for Java?" since that's the only one run by OWASP that still shows any semblance of life.
Maintenance activities is down, way down in fact of its peak development activities. Some of us are still trying and haven't given up and volunteers are still welcome. But without active contributors, projects make slow progress.

The first question to ask is, are you already using ESAPI in your project, and if so, do you have a lot vested in it? If so, then the answer to "Should I use ESAPI?" probably is "yes". The second question you should ask, if I'm using it, why am I not contributing to it in some manner? But we won't go there.

If you are starting out on a new project or trying for the first time to secure an existing project, then _before_ you consider ESAPI, you should consider these possible alternatives:
* Output encoding: [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]
* General HTML sanitization: [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer]
* Validation: [http://beanvalidation.org/ JSR-303/JSR-349 Bean Validation]
*Strong cryptography: [https://github.com/google/tink Google Tink], [https://github.com/google/keyczar Keyczar]
* Authentication / authorization: [https://shiro.apache.org/ Apache Shiro]
* CSRF protection: [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project] or [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRFProtector Project]

Note that this is not to suggest that ESAPI is dead, but rather to acknowledge the fact that it isn't being as well-maintained as most F500 companies would like for their enterprise software. There may be alternatives, such as companies that you can purchase ESAPI support from. Those are not being considered here for various reasons, not the least of which is to remain vendor neutral. Rather, instead these recommendations should be taken as possible alternatives to secure your application. It is not a perfect world that we live in, but I would be remiss as an appsec guy if I were to plug ESAPI over other good security solutions simply because of my contributions to / involvement with ESAPI. I think that ESAPI has it's place and I will do my best to maintain it, but not to the exclusion of my family or day job. If you would like to volunteer to help, you know where to find me.

-[mailto:kevin.w.wall@gmail.com kevin wall]

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

Category:OWASP Enterprise Security API

2017-11-10T20:46:28Z

Kevin W. Wall: Fix bad grammar.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:kevin.w.wall@gmail.com here] and [mailto:xeno6696@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*[https://github.com/ESAPI/owasp-esapi-js ESAPI for Javascript]<br>

'''No longer supported versions'''. If you absolutely need to download one of those, it is suggested that you search the [https://archive.org/ Internet Archive Wayback Machine] or [https://github.com/ GitHub] for someone who may have mirrored it:

* ESAPI for .NET
* ESAPI for Classic ASP
* ESAPI for PHP
* ESAPI for ColdFusion & CFML
* ESAPI for Python

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Should I use ESAPI? =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[NOTE: The heretical opinions on this ESAPI tab are 100% my own and do not necessarily reflect the rest of other ESAPI contributors or the OWASP staff, leadership, community. --kevin wall]

Or, specifically, "Should I use ESAPI for Java?" since that's the only one run by OWASP that still shows any semblance of life.
Maintenance activities is down, way down in fact of its peak development activities. Some of us are still trying and haven't given up and volunteers are still welcome. But without active contributors, projects make slow progress.

The first question to ask is, are you already using ESAPI in your project, and if so, do you have a lot vested in it? If so, then the answer to "Should I use ESAPI?" probably is "yes". The second question you should ask, if I'm using it, why am I not contributing to it in some manner? But we won't go there.

If you are starting out on a new project or trying for the first time to secure an existing project, then _before_ you consider ESAPI, you should consider these possible alternatives:
* Output encoding: [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]
* General HTML sanitization: [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer]
* Validation: [http://beanvalidation.org/ JSR-303/JSR-349 Bean Validation]
*Strong cryptography: [https://github.com/google/keyczar Keyczar]
* Authentication / authorization: [https://shiro.apache.org/ Apache Shiro]
* CSRF protection: [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project] or [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRFProtector Project]

Note that this is not to suggest that ESAPI is dead, but rather to acknowledge the fact that it isn't being as well-maintained as most F500 companies would like for their enterprise software. There may be alternatives, such as companies that you can purchase ESAPI support from. Those are not being considered here for various reasons, not the least of which is to remain vendor neutral. Rather, instead these recommendations should be taken as possible alternatives to secure your application. It is not a perfect world that we live in, but I would be remiss as an appsec guy if I were to plug ESAPI over other good security solutions simply because of my contributions to / involvement with ESAPI. I think that ESAPI has it's place and I will do my best to maintain it, but not to the exclusion of my family or day job. If you would like to volunteer to help, you know where to find me.

-[mailto:kevin.w.wall@gmail.com kevin wall]

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

Category:OWASP Enterprise Security API

2017-11-10T20:43:55Z

Kevin W. Wall: Remove broken documentation link for unsupported "ESAPI for PHP".

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:kevin.w.wall@gmail.com here] and [mailto:xeno6696@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*[https://github.com/ESAPI/owasp-esapi-js ESAPI for Javascript]<br>

'''No longer supported versions'''. If you absolutely need to download one of those, it is suggested that you search the [https://archive.org/ Internet Archive Wayback Machine] or [https://github.com/ GitHub] for someone who may have mirrored it:

* ESAPI for .NET
* ESAPI for Classic ASP
* ESAPI for PHP
* ESAPI for ColdFusion & CFML
* ESAPI for Python

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Should I use ESAPI? =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[NOTE: The heretical opinions on this ESAPI tab are 100% my own and do not necessarily reflect the rest of other ESAPI contributors or the OWASP staff, leadership, community. --kevin wall]

Or, specifically, "Should I use ESAPI for Java?" since that's the only one run by OWASP that still shows any semblance of life.
Maintenance activities is down, way down in fact of its peak development activities. Some of us are still trying and haven't given up and volunteers are still welcome. But without active contributors, projects make slow progress.

The first question to ask is, are you already using ESAPI in your project, and if so, do you have a lot vested in it? If so, then the answer to "Should I use ESAPI?" probably is "yes". The second question you should ask, if I'm using it, why am I not contributing to it in some manner? But we won't go there.

If you are starting out on a new project or trying for the first time to secure an existing project, then _before_ you consider ESAPI, you should consider these possible alternatives:
* Output encoding: [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]
* General HTML sanitization: [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer]
* Validation: [http://beanvalidation.org/ JSR-303/JSR-349 Bean Validation]
*Strong cryptography: [https://github.com/google/keyczar Keyczar]
* Authentication / authorization: [https://shiro.apache.org/ Apache Shiro]
* CSRF protection: [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project] or [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRFProtector Project]

Note that it not the suggestion to suggest that ESAPI is dead, but rather to acknowledge the fact that it isn't being as well-maintained as most F500 companies would like for their enterprise software. There may be alternatives, such as companies that you can purchase ESAPI support from. Those are not being considered here for various reasons, not the least of which is to remain vendor neutral. Rather, instead these recommendations should be taken as possible alternatives to secure your application. It is not a perfect world that we live in, but I would be remiss as an appsec guy if I were to plug ESAPI over other good security solutions simply because of my contributions to / involvement with ESAPI. I think that ESAPI has it's place and I will do my best to maintain it, but not to the exclusion of my family or day job. If you would like to volunteer to help, you know where to find me.

-[mailto:kevin.w.wall@gmail.com kevin wall]

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

Category:OWASP Enterprise Security API

2017-11-09T03:36:13Z

Kevin W. Wall: Edit downloads section to remove links of unsupported versions.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:kevin.w.wall@gmail.com here] and [mailto:xeno6696@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*[https://github.com/ESAPI/owasp-esapi-js ESAPI for Javascript]<br>

'''No longer supported versions'''. If you absolutely need to download one of those, it is suggested that you search the [https://archive.org/ Internet Archive Wayback Machine] or [https://github.com/ GitHub] for someone who may have mirrored it:

* ESAPI for .NET
* ESAPI for Classic ASP
* ESAPI for PHP
* ESAPI for ColdFusion & CFML
* ESAPI for Python

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Should I use ESAPI? =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[NOTE: The heretical opinions on this ESAPI tab are 100% my own and do not necessarily reflect the rest of other ESAPI contributors or the OWASP staff, leadership, community. --kevin wall]

Or, specifically, "Should I use ESAPI for Java?" since that's the only one run by OWASP that still shows any semblance of life.
Maintenance activities is down, way down in fact of its peak development activities. Some of us are still trying and haven't given up and volunteers are still welcome. But without active contributors, projects make slow progress.

The first question to ask is, are you already using ESAPI in your project, and if so, do you have a lot vested in it? If so, then the answer to "Should I use ESAPI?" probably is "yes". The second question you should ask, if I'm using it, why am I not contributing to it in some manner? But we won't go there.

If you are starting out on a new project or trying for the first time to secure an existing project, then _before_ you consider ESAPI, you should consider these possible alternatives:
* Output encoding: [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]
* General HTML sanitization: [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer]
* Validation: [http://beanvalidation.org/ JSR-303/JSR-349 Bean Validation]
*Strong cryptography: [https://github.com/google/keyczar Keyczar]
* Authentication / authorization: [https://shiro.apache.org/ Apache Shiro]
* CSRF protection: [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project] or [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRFProtector Project]

Note that it not the suggestion to suggest that ESAPI is dead, but rather to acknowledge the fact that it isn't being as well-maintained as most F500 companies would like for their enterprise software. There may be alternatives, such as companies that you can purchase ESAPI support from. Those are not being considered here for various reasons, not the least of which is to remain vendor neutral. Rather, instead these recommendations should be taken as possible alternatives to secure your application. It is not a perfect world that we live in, but I would be remiss as an appsec guy if I were to plug ESAPI over other good security solutions simply because of my contributions to / involvement with ESAPI. I think that ESAPI has it's place and I will do my best to maintain it, but not to the exclusion of my family or day job. If you would like to volunteer to help, you know where to find me.

-[mailto:kevin.w.wall@gmail.com kevin wall]

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

GPC Project Details/OWASP Enterprise Security API

2017-09-08T18:24:03Z

Kevin W. Wall: Update ESAPI project leaders.

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP Enterprise Security API
| project_description = ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

* '''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

* '''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

* '''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.
| project_license =BSD license
| leader_name =Kevin W. Wall and Matt Seil
| leader_email =kevin.w.wall@gmail.com
| past_leaders_special_contributions =Jeff Williams, Dave Wichers, Chris Schmidt, Jim Manico
| maintainer_name =
| maintainer_email =
| maintainer_username =
| contributor_name1 = Chris Schmidt
| contributor_email1 = chris.schmidt@owasp.org
| contributor_username1 = Chris_Schmidt
| contributor_name2 =
| contributor_email2 =
| contributor_username2 =
| contributor_name3 =Jeff Williams
| contributor_email3 =
| contributor_username3 =
| contributor_name4 =Dave Wichers
| contributor_email4 =
| contributor_username4 =
| contributor_name5 =John Steven
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
|
| pamphlet_link = http://www.owasp.org/images/8/81/Esapi-datasheet.pdf
| presentation_link = http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
| mailing_list_name = esapi-user
| links_url1 = http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads
| links_name1 = General ESAPI information
| links_url2 = http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API/Sub-Projects
| links_name2 = ESAPI/Sub-Projects
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (ESAPI Global)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API
}}

Deserialization Cheat Sheet

2017-03-20T00:29:42Z

Kevin W. Wall: Added new reference.

Using the Java Cryptographic Extensions

2017-03-18T01:13:23Z

Kevin W. Wall: Updated FIXME comment.

{{taggedDocument
| type=old
| comment=The page should be updated; see Discussion tab for some details.
}}

==Meta==

The code included in this article has not been reviewed and should not be used without proper analysis. If you have reviewed the included code or portions of it, please post your findings back to the Java Project mailing list or contact the [[OWASP_Java_Project|OWASP Java and JVM Project]] team.

== Overview ==
Java Cryptographic Extensions (JCE) is a set of Java API's which provides cryptographic services such as encryption, secret Key Generation, Message Authentication code and Key Agreement. The ciphers supported by JCE include symmetric, asymmetric, block and stream ciphers. JCE was an optional package to JDK v 1.2.x and 1.3.x. JCE has been integrated into JDK v1.4.<br>

JCE API's are implemented by Cryptographic Service Providers. Each of these cryptographic service providers implements the Service Provider Interface which specifies the functionalities which needs to be implemented by the service providers. Programmers can plugin any Service Providers for performing cryptographic functionalities provided by JCE. J2SE comes with a default provider named SunJCE.

===Symmetric Encryption Algorithms provided by SunJCE===
# DES - default keylength of 56 bits
# AES -
# RC2, RC4 and RC5
# IDEA
# Triple DES – default keylength 112 bits
# Blowfish – default keylength 56 bits
# PBEWithMD5AndDES
# PBEWithHmacSHA1AndDESede
# DES ede

===Modes of Encryption===
# ECB
# CBC
# CFB
# OFB
# PCBC

===Asymmetric Encryption Algorithms implemented by SunJCE===
# RSA
# Diffie-Hellman – default keylength 1024 bits

===Hashing / Message Digest Algorithms implemented by SunJCE===
# MD5 – default size 64 bytes
# SHA1 - default size 64 bytes

==Examples==
===SecureRandom===
SecureRandom class is used to generate a cryptographically strong pseudo random number by using a PRNG Algorithm.
The following are the advantages of using SecureRandom over Random.
1. SecureRandom produces a cryptographically strong pseudo random number generator.
2. SecureRandom produces cryptographically strong sequences as described in
[http://www.ietf.org/rfc/rfc1750.txt RFC 1750: Randomness Recommendations for Security]

<pre>
package org.owasp.java.crypto;

import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;

import sun.misc.BASE64Encoder;

/**
* @author Joe Prasanna Kumar
* This program provides the functionality for Generating a Secure Random Number.
*
* There are 2 ways to generate a Random number through SecureRandom.
* 1. By calling nextBytes method to generate Random Bytes
* 2. Using setSeed(byte[]) to reseed a Random object
*
*/

public class SecureRandomGen {

/**
* @param args
*/
public static void main(String[] args) {
try {
// Initialize a secure random number generator
SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");

// Method 1 - Calling nextBytes method to generate Random Bytes
byte[] bytes = new byte[512];
secureRandom.nextBytes(bytes);

// Printing the SecureRandom number by calling secureRandom.nextDouble()
System.out.println(" Secure Random # generated by calling nextBytes() is " + secureRandom.nextDouble());

// Method 2 - Using setSeed(byte[]) to reseed a Random object
int seedByteCount = 10;
byte[] seed = secureRandom.generateSeed(seedByteCount);

// TBR System.out.println(" Seed value is " + new BASE64Encoder().encode(seed));

secureRandom.setSeed(seed);

System.out.println(" Secure Random # generated using setSeed(byte[]) is " + secureRandom.nextDouble());

} catch (NoSuchAlgorithmException noSuchAlgo)
{
System.out.println(" No Such Algorithm exists " + noSuchAlgo);
}
}

}
</pre>

=== AES Encryption and Decryption ===
<pre>
package org.owasp.java.crypto;

import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

import sun.misc.BASE64Encoder;

/**
* @author Joe Prasanna Kumar
* This program provides the following cryptographic functionalities
* 1. Encryption using AES
* 2. Decryption using AES
*
* High Level Algorithm :
* 1. Generate a AES key (specify the Key size during this phase)
* 2. Create the Cipher
* 3. To Encrypt : Initialize the Cipher for Encryption
* 4. To Decrypt : Initialize the Cipher for Decryption
*
*
*/

public class AES {
public static void main(String[] args) {

String strDataToEncrypt = new String();
String strCipherText = new String();
String strDecryptedText = new String();

try {
/**
* Step 1. Generate an AES key using KeyGenerator Initialize the
* keysize to 128 bits (16 bytes)
*
*/
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(128);
SecretKey secretKey = keyGen.generateKey();

/**
* Step 2. Generate an Initialization Vector (IV)
* a. Use SecureRandom to generate random bits
* The size of the IV matches the blocksize of the cipher (128 bits for AES)
* b. Construct the appropriate IvParameterSpec object for the data to pass to Cipher's init() method
*/

final int AES_KEYLENGTH = 128; // change this as desired for the security level you want
byte[] iv = new byte[AES_KEYLENGTH / 8]; // Save the IV bytes or send it in plaintext with the encrypted data so you can decrypt the data later
SecureRandom prng = new SecureRandom();
prng.nextBytes(iv);

/**
* Step 3. Create a Cipher by specifying the following parameters
* a. Algorithm name - here it is AES
* b. Mode - here it is CBC mode
* c. Padding - e.g. PKCS7 or PKCS5
*/

Cipher aesCipherForEncryption = Cipher.getInstance("AES/CBC/PKCS7PADDING"); // Must specify the mode explicitly as most JCE providers default to ECB mode!!

/**
* Step 4. Initialize the Cipher for Encryption
*/

aesCipherForEncryption.init(Cipher.ENCRYPT_MODE, secretKey,
new IvParameterSpec(iv));

/**
* Step 5. Encrypt the Data
* a. Declare / Initialize the Data. Here the data is of type String
* b. Convert the Input Text to Bytes
* c. Encrypt the bytes using doFinal method
*/
strDataToEncrypt = "Hello World of Encryption using AES ";
byte[] byteDataToEncrypt = strDataToEncrypt.getBytes();
byte[] byteCipherText = aesCipherForEncryption
.doFinal(byteDataToEncrypt);
// b64 is done differently on Android
strCipherText = new BASE64Encoder().encode(byteCipherText);
System.out.println("Cipher Text generated using AES is "
+ strCipherText);

/**
* Step 6. Decrypt the Data
* a. Initialize a new instance of Cipher for Decryption (normally don't reuse the same object)
* Be sure to obtain the same IV bytes for CBC mode.
* b. Decrypt the cipher bytes using doFinal method
*/

Cipher aesCipherForDecryption = Cipher.getInstance("AES/CBC/PKCS7PADDING"); // Must specify the mode explicitly as most JCE providers default to ECB mode!!

aesCipherForDecryption.init(Cipher.DECRYPT_MODE, secretKey,
new IvParameterSpec(iv));
byte[] byteDecryptedText = aesCipherForDecryption
.doFinal(byteCipherText);
strDecryptedText = new String(byteDecryptedText);
System.out
.println(" Decrypted Text message is " + strDecryptedText);
}

catch (NoSuchAlgorithmException noSuchAlgo) {
System.out.println(" No Such Algorithm exists " + noSuchAlgo);
}

catch (NoSuchPaddingException noSuchPad) {
System.out.println(" No Such Padding exists " + noSuchPad);
}

catch (InvalidKeyException invalidKey) {
System.out.println(" Invalid Key " + invalidKey);
}

catch (BadPaddingException badPadding) {
System.out.println(" Bad Padding " + badPadding);
}

catch (IllegalBlockSizeException illegalBlockSize) {
System.out.println(" Illegal Block Size " + illegalBlockSize);
}

catch (InvalidAlgorithmParameterException invalidParam) {
System.out.println(" Invalid Parameter " + invalidParam);
}
}
}
</pre>
=== Des Encryption and Decryption ===
<pre>
package org.owasp.crypto;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.Cipher;

import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;
import java.security.InvalidAlgorithmParameterException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;

import sun.misc.BASE64Encoder;

/**
* @author Joe Prasanna Kumar
* This program provides the following cryptographic functionalities
* 1. Encryption using DES
* 2. Decryption using DES
*
* The following modes of DES encryption are supported by SUNJce provider
* 1. ECB (Electronic code Book) - Every plaintext block is encrypted separately
* 2. CBC (Cipher Block Chaining) - Every plaintext block is XORed with the previous ciphertext block
* 3. PCBC (Propogating Cipher Block Chaining) -
* 4. CFB (Cipher Feedback Mode) - The previous ciphertext block is encrypted and this enciphered block is XORed with the plaintext block to produce the corresponding ciphertext block
* 5. OFB (Output Feedback Mode) -
*
* High Level Algorithm :
* 1. Generate a DES key
* 2. Create the Cipher (Specify the Mode and Padding)
* 3. To Encrypt : Initialize the Cipher for Encryption
* 4. To Decrypt : Initialize the Cipher for Decryption
*
* Need for Padding :
* Block ciphers operates on data blocks on fixed size n.
* Since the data to be encrypted might not always be a multiple of n, the remainder of the bits are padded.
* PKCS#5 Padding is what will be used in this program
*
*/

public class DES {
public static void main(String[] args) {

String strDataToEncrypt = new String();
String strCipherText = new String();
String strDecryptedText = new String();

try{
/**
* Step 1. Generate a DES key using KeyGenerator
*
*/
KeyGenerator keyGen = KeyGenerator.getInstance("DES");
SecretKey secretKey = keyGen.generateKey();

/**
* Step2. Create a Cipher by specifying the following parameters
* a. Algorithm name - here it is DES
* b. Mode - here it is CBC
* c. Padding - PKCS5Padding
*/

Cipher desCipher = Cipher.getInstance("DES/CBC/PKCS5Padding"); /* Must specify the mode explicitly as most JCE providers default to ECB mode!! */

/**
* Step 3. Initialize the Cipher for Encryption
*/

desCipher.init(Cipher.ENCRYPT_MODE,secretKey);

/**
* Step 4. Encrypt the Data
* 1. Declare / Initialize the Data. Here the data is of type String
* 2. Convert the Input Text to Bytes
* 3. Encrypt the bytes using doFinal method
*/
strDataToEncrypt = "Hello World of Encryption using DES ";
byte[] byteDataToEncrypt = strDataToEncrypt.getBytes();
byte[] byteCipherText = desCipher.doFinal(byteDataToEncrypt);
strCipherText = new BASE64Encoder().encode(byteCipherText);
System.out.println("Cipher Text generated using DES with CBC mode and PKCS5 Padding is " +strCipherText);

/**
* Step 5. Decrypt the Data
* 1. Initialize the Cipher for Decryption
* 2. Decrypt the cipher bytes using doFinal method
*/
desCipher.init(Cipher.DECRYPT_MODE,secretKey,desCipher.getParameters());
//desCipher.init(Cipher.DECRYPT_MODE,secretKey);
byte[] byteDecryptedText = desCipher.doFinal(byteCipherText);
strDecryptedText = new String(byteDecryptedText);
System.out.println(" Decrypted Text message is " +strDecryptedText);
}

catch (NoSuchAlgorithmException noSuchAlgo)
{
System.out.println(" No Such Algorithm exists " + noSuchAlgo);
}

catch (NoSuchPaddingException noSuchPad)
{
System.out.println(" No Such Padding exists " + noSuchPad);
}

catch (InvalidKeyException invalidKey)
{
System.out.println(" Invalid Key " + invalidKey);
}

catch (BadPaddingException badPadding)
{
System.out.println(" Bad Padding " + badPadding);
}

catch (IllegalBlockSizeException illegalBlockSize)
{
System.out.println(" Illegal Block Size " + illegalBlockSize);
}

catch (InvalidAlgorithmParameterException invalidParam)
{
System.out.println(" Invalid Parameter " + invalidParam);
}
}

}
</pre>
[[Category:OWASP Java Project]]

Talk:Using the Java Cryptographic Extensions

2017-03-18T01:06:56Z

Kevin W. Wall: Some needed fixes to OWASP wiki page "Using Java Cryptographic Extensions"

While performing AES encryption using SunJCE provider, I did not see usuage of the mode in the program provided.
I have few questions:
Do we really need to specify the mode when using AES?
Does PaddingException happen with AES and how do we prevent the PaddingException?

Please let me know.

== AES mode on this page is insecure ==

The example for AES did not specify a mode which results in the default of ECB mode in most JCE providers!! I fixed that line and commented, but this will need some other work as it is not providing any Initialization Vector (IV) to the AES encryption since it was using ECB mode originally (bad). Will try to fix this with a working example.

== Some changes that need to be made ==
[Note: Originally shared by me with Jim Manico in a private email dated 7/25/2016.]

Major things wrong with this wiki page:

1) IV size does NOT depend on key size, but rather cipher block size

Minimally, need to change lines that say:
final int AES_KEYLENGTH = 128; // change this as desired for the security level you want
byte[] iv = new byte[AES_KEYLENGTH / 8]; // Save the IV bytes or send it in plaintext with the encrypted data so you can decrypt the data later
to
final int AES_BLOCKSIZE = 128 // AES cipher block size, in bits
byte[] iv = new byte[AES_BLOCKSIZE / 8]; // Save the IV bytes or send it in plaintext with the encrypted data so you can decrypt the data later
so that is not implied. Because if user wanted to use 256-bit AES key, the IV should still be 16 bytes, not 32 bytes.

Ideally, we should replace with a call Cipher.getBlockSize(), but that requires reordering of the steps after
the call to Cipher.getInstance().

2) Also using PKCS7PADDING, which is not valid in Java so this would fail. Change to PKCS5Padding.
(PKCS7 padding is actually technically the correct padding name, but Java blew it and called it
PKCS5 padding. Technically, PKCS5 padding only applies to ciphers with a with a cipher block
size of 64-bits, not 128-bits, but both PKCS5 and PKCS7 padding act identically for block sizes
<= 255 bits.)

Best is to rewrite the entire thing and use CCM which isn't prone to padding oracle attacks, but I may not
have time to do that.

3) Not portable across OS;. Should use getBytes("UTF8") instead of just getBytes(). Doesn't really matter for ASCII
strings like the "Hello world..." examples here, but can matter if encrypting binary data.

4) Example foolishly assumes that the IV doesn't need to be passed back and forth. In this particular case,
it doesn't, but in general it will. Usually IV is prepended to raw ciphertext and that is passed around. But
because of examples like this where that is not shown, I've seen an awful lot (too many!) shortcuts of
people just hard-coding a fixed IV to use instead.

-kevin

Category:OWASP Enterprise Security API

2017-02-04T01:04:17Z

Kevin W. Wall: Change link for 'ESAPI for JavaScript' from obsolete Google Code link to GitHub link.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:kevin.w.wall@gmail.com here] and [mailto:xeno6696@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*{{#switchtablink:.NET|ESAPI for .NET}}<br>
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br>
*{{#switchtablink:PHP|ESAPI for PHP}}<br>
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br>
*{{#switchtablink:Python|ESAPI for Python}}<br>
*[https://github.com/ESAPI/owasp-esapi-js ESAPI for Javascript]<br>

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Should I use ESAPI? =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[NOTE: The heretical opinions on this ESAPI tab are 100% my own and do not necessarily reflect the rest of other ESAPI contributors or the OWASP staff, leadership, community. --kevin wall]

Or, specifically, "Should I use ESAPI for Java?" since that's the only one run by OWASP that still shows any semblance of life.
Maintenance activities is down, way down in fact of its peak development activities. Some of us are still trying and haven't given up and volunteers are still welcome. But without active contributors, projects make slow progress.

The first question to ask is, are you already using ESAPI in your project, and if so, do you have a lot vested in it? If so, then the answer to "Should I use ESAPI?" probably is "yes". The second question you should ask, if I'm using it, why am I not contributing to it in some manner? But we won't go there.

If you are starting out on a new project or trying for the first time to secure an existing project, then _before_ you consider ESAPI, you should consider these possible alternatives:
* Output encoding: [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]
* General HTML sanitization: [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer]
* Validation: [http://beanvalidation.org/ JSR-303/JSR-349 Bean Validation]
*Strong cryptography: [https://github.com/google/keyczar Keyczar]
* Authentication / authorization: [https://shiro.apache.org/ Apache Shiro]
* CSRF protection: [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project] or [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRFProtector Project]

Note that it not the suggestion to suggest that ESAPI is dead, but rather to acknowledge the fact that it isn't being as well-maintained as most F500 companies would like for their enterprise software. There may be alternatives, such as companies that you can purchase ESAPI support from. Those are not being considered here for various reasons, not the least of which is to remain vendor neutral. Rather, instead these recommendations should be taken as possible alternatives to secure your application. It is not a perfect world that we live in, but I would be remiss as an appsec guy if I were to plug ESAPI over other good security solutions simply because of my contributions to / involvement with ESAPI. I think that ESAPI has it's place and I will do my best to maintain it, but not to the exclusion of my family or day job. If you would like to volunteer to help, you know where to find me.

-[mailto:kevin.w.wall@gmail.com kevin wall]

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

User:Kevin W. Wall

2016-12-17T03:44:17Z

Kevin W. Wall:

=== Involved in OWASP ESAPI for Java EE project, starting in July, 2009. ===

*Completely rewrote the [[ESAPI]] 2.0 symmetric encryption<br>
*General ESAPI 2.0 code clean-up and bug fixes.
*Project owner of ESAPI for Java prohect

=== Involved in OWASP ESAPI for C++ (since May, 2011) ===
* Troublesome meddler (aka, tor-mentor)
* Working on porting ESAPI 2.0's crypto to C++ along with Jeff Walton.
* I swore I'd never do C++ again; I must be out of my freakin' mind.

=== Day job ===
* Currently Information Security Engineer at Wells Fargo, part of Security Code Review team
* Formerly Staff Security Engineer at CenturyLink (f/k/a Qwest)
* Formerly tech lead of Application Security Team at Qwest for 11 years
* Full-time husband and father

=== Memberships and certifications ===
* Member of ACM, IEEE Computer Society, OWASP
* ISC^2 CISSP
* GIAC Certified Web Application Security Defender (GWEB)

=== Other ===

* Active participant in following mailing lists: Security Coding, Web Application Security, IPCop-Users, OWASP-ESAPI, cryptography
* Interests include reading, soccer (futbol), cryptography, and computer security
* Blog: [[http://off-the-wall-security.blogspot.com/ Off-the-Wall Security]]
* Twitter: @KevinWWall
* My OWASP Wiki contributions: [[Special:Contributions/Kevin_W._Wall]]

GPC Project Details/OWASP Enterprise Security API Java EE Version

2016-12-17T03:39:20Z

Kevin W. Wall: Replaced Chris Schmidt as project co-lead with Matt Seil, who is stepping in to replace him. Changed leader_email to ESAPI Dev mailing list.

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Matt Seil
| leader_email = esapi-dev@lists.owasp.org
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff_Williams (project creator)
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-dev@lists.owasp.org
| maintainer_username =
| contributor_name1 = Kevin W. Wall
| contributor_email1 = kevin.w.wall@gmail.com
| contributor_username1 = Kevin_W._Wall
| contributor_name2 = Matt Seil
| contributor_email2 = xeno6696@gmail.com@gmail.com
| contributor_username2 = Matt Seil
| contributor_name3 = Jeff Williams
| contributor_email3 = Jeff.Williams@owasp.org
| contributor_username3 = Jeff_Williams
| contributor_name4 = Jim Manico
| contributor_email4 = Jim.Manico@owasp.org
| contributor_username4 = Jmanico
| contributor_name5 = Chris Schmidt
| contributor_email5 = chrisisbeef@gmail.com
| contributor_username5 = Chris_Schmidt
| contributor_name6 = See "Members" under https://code.google.com/p/owasp-esapi-java/ for list of other contributors
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = https://search.maven.org/#search%7Cga%7C1%7Corg.owasp.esapi
| links_name1 = ESAPI 2.x Downloads
| links_url2 = https://code.google.com/p/owasp-esapi-java/downloads/list
| links_name2 = All previous ESAPI Downloads
| links_url3 = https://github.com/ESAPI/esapi-java-legacy
| links_name3 = GitHub code repository for ESAPI JAVA
| links_url4 = https://github.com/ESAPI/esapi-java-legacy/issues
| links_name4 = Report a bug!
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
| links_name5 = ESAPI 2.1.0 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

GPC Project Details/OWASP Enterprise Security API Java EE Version

2016-12-17T03:34:49Z

Kevin W. Wall:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Matt Seil
| leader_email = kevin.w.wall@gmail.com
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff_Williams (project creator)
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-dev@lists.owasp.org
| maintainer_username =
| contributor_name1 = Kevin W. Wall
| contributor_email1 = kevin.w.wall@gmail.com
| contributor_username1 = Kevin_W._Wall
| contributor_name2 = Matt Seil
| contributor_email2 = xeno6696@gmail.com@gmail.com
| contributor_username2 = Matt Seil
| contributor_name3 = Jeff Williams
| contributor_email3 = Jeff.Williams@owasp.org
| contributor_username3 = Jeff_Williams
| contributor_name4 = Jim Manico
| contributor_email4 = Jim.Manico@owasp.org
| contributor_username4 = Jmanico
| contributor_name5 = Chris Schmidt
| contributor_email5 = chrisisbeef@gmail.com
| contributor_username5 = Chris_Schmidt
| contributor_name6 = See "Members" under https://code.google.com/p/owasp-esapi-java/ for list of other contributors
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = https://search.maven.org/#search%7Cga%7C1%7Corg.owasp.esapi
| links_name1 = ESAPI 2.x Downloads
| links_url2 = https://code.google.com/p/owasp-esapi-java/downloads/list
| links_name2 = All previous ESAPI Downloads
| links_url3 = https://github.com/ESAPI/esapi-java-legacy
| links_name3 = GitHub code repository for ESAPI JAVA
| links_url4 = https://github.com/ESAPI/esapi-java-legacy/issues
| links_name4 = Report a bug!
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
| links_name5 = ESAPI 2.1.0 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

Category:OWASP Enterprise Security API

2016-12-17T03:19:17Z

Kevin W. Wall: Replaced Chris Schmidt as project co-lead with Matt Seil, who is stepping in to replace him.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:kevin.w.wall@gmail.com here] and [mailto:xeno6696@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*{{#switchtablink:.NET|ESAPI for .NET}}<br>
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br>
*{{#switchtablink:PHP|ESAPI for PHP}}<br>
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br>
*{{#switchtablink:Python|ESAPI for Python}}<br>
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]<br>

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Should I use ESAPI? =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[NOTE: The heretical opinions on this ESAPI tab are 100% my own and do not necessarily reflect the rest of other ESAPI contributors or the OWASP staff, leadership, community. --kevin wall]

Or, specifically, "Should I use ESAPI for Java?" since that's the only one run by OWASP that still shows any semblance of life.
Maintenance activities is down, way down in fact of its peak development activities. Some of us are still trying and haven't given up and volunteers are still welcome. But without active contributors, projects make slow progress.

The first question to ask is, are you already using ESAPI in your project, and if so, do you have a lot vested in it? If so, then the answer to "Should I use ESAPI?" probably is "yes". The second question you should ask, if I'm using it, why am I not contributing to it in some manner? But we won't go there.

If you are starting out on a new project or trying for the first time to secure an existing project, then _before_ you consider ESAPI, you should consider these possible alternatives:
* Output encoding: [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]
* General HTML sanitization: [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer]
* Validation: [http://beanvalidation.org/ JSR-303/JSR-349 Bean Validation]
*Strong cryptography: [https://github.com/google/keyczar Keyczar]
* Authentication / authorization: [https://shiro.apache.org/ Apache Shiro]
* CSRF protection: [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project] or [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRFProtector Project]

Note that it not the suggestion to suggest that ESAPI is dead, but rather to acknowledge the fact that it isn't being as well-maintained as most F500 companies would like for their enterprise software. There may be alternatives, such as companies that you can purchase ESAPI support from. Those are not being considered here for various reasons, not the least of which is to remain vendor neutral. Rather, instead these recommendations should be taken as possible alternatives to secure your application. It is not a perfect world that we live in, but I would be remiss as an appsec guy if I were to plug ESAPI over other good security solutions simply because of my contributions to / involvement with ESAPI. I think that ESAPI has it's place and I will do my best to maintain it, but not to the exclusion of my family or day job. If you would like to volunteer to help, you know where to find me.

-[mailto:kevin.w.wall@gmail.com kevin wall]

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

Talk:ESAPI-JavaStatus

2016-12-17T03:13:56Z

Kevin W. Wall: Delete this obsolete wiki page.

This page should be marked for deletion. It is no longer relevant. Adding pointer to the ESAPI issues list to the make ESAPI page on the JavaEE tab.

-kevin

Tribute to Paul Ritchie

2016-05-04T02:06:01Z

Kevin W. Wall: Initial page creation

This page is being created as a tribute to our former Executive Director, [[User:Paul_Ritchie|Paul Ritchie]].

As per announcement on OWASP Leaders, OWASP Community, and OWASP Board mailing lists the morning of May 3, 2016:

----

OWASP Community

May 3, 2016

Dear Friends,

It is with great sorrow that I must write to report the sad news of the death of our Executive Director, Paul Ritchie, after a short illness.

Paul first joined OWASP in August of 2014 and became the full time Executive Director in May 2015. He has helped the organization to grow globally and has made an enormous difference in our community. He will be greatly missed. He brought order and professionalism. He raised our own high expectations and delivered on the things he set out to do. He made all of us that worked closely with him better and more effective. He helped to set long term strategic goals and managed OWASP’s fiduciary responsibilities with ease.

On behalf of the Board of Directors, we will miss Paul for his leadership and friendly wry knowing smile as the board worked to make difficult choices. I doubt I can express my own sinking feeling of grief at the news, which came suddenly and too early.

Paul’s family asked that we direct those in the community that would like to show support or make a donation to do so in Paul Ritchie’s name to the Multiple Myeloma Research Foundation at https://www.themmrf.org.

Sincerely,

Matt Konda

On behalf of the OWASP Global Board

----

Paul meant a great deal to us as a leader and friend. Below, please share your sentiments, memories, and family condolences regarding Paul and at some point, we will make this link available to Paul's family as a lasting tribute. May you rest in peace!

-kevin w. wall

----

ESAPI-BuildingWithEclipse

2016-04-05T02:56:23Z

Kevin W. Wall: /* Spring Source ToolSuite */

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Spring Tool Suite==
STS is an eclipse distribution from the Spring foundation. If you just care about getting up and running, and don't care about bloat, download here: https://spring.io/tools/sts/all

On Windows and linux distros, all you should have to do after extracting the main STS folder, is to navigate into the folder, and double-clicking the file "STS" or "STS.exe"

It comes pre-packaged with a git plugin (so you can skip those instructions below) as well as its own versions of Ant and Maven. You should be able to follow the "EGit" section to clone/import ESAPI in STS as soon as you have it running. It still has a minimum dependency of java 1.6 jdk.

Detailed steps:

1. Right click on the "Package Explorer" pane, and select "import."

2. Filter on "git" and select "Projects from git."

3. Select "Clone URI"

4. Enter the URI: https://github.com/ESAPI/esapi-java-legacy.git (or, if you wish to contribute to ESAPI via "pull requests", the URI where you "forked" legacy ESAPI to, e.g. https://github.com/yourGitHubID/esapi-java-legacy)

5. Click "Next."

6. Click "Next" again.

7. Select where you want to store the cloned repo, it defaults to %USERPROFILE%\git\esapi-java-legacy on windows.

8. click "Next."

9. On the import wizard, cancel.

10. Right-click again on the package explorer, and click import, filter on "Maven" and click on "Existing Maven Projects."

11. Navigate to the folder you created in step 7. Select "esapi-java-legacy" and click next.

12. Click finish.

Congratulations! You are ready to develop!

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code,Import Existing Eclipse projects." follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''https://github.com/ESAPI/esapi-java-legacy.git'' as the URL. If you are listed as a project contributor, check the github page for the URL to use.
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]

ESAPI-BuildingWithEclipse

2016-04-05T01:04:47Z

Kevin W. Wall: Added reference about working with URI for "forked" version of ESAPI on GitHub.

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Spring Source ToolSuite==
STS is an eclipse distribution from the Spring foundation. If you just care about getting up and running, and don't care about bloat, download here: https://spring.io/tools/sts/all

On Windows and linux distros, all you should have to do after extracting the main STS folder, is to navigate into the folder, and double-clicking the file "STS" or "STS.exe"

It comes pre-packaged with a git plugin (so you can skip those instructions below) as well as its own versions of Ant and Maven. You should be able to follow the "EGit" section to clone/import ESAPI in STS as soon as you have it running. It still has a minimum dependency of java 1.6 jdk.

Detailed steps:

1. Right click on the "Package Explorer" pane, and select "import."

2. Filter on "git" and select "Projects from git."

3. Select "Clone URI"

4. Enter the URI: https://github.com/ESAPI/esapi-java-legacy.git (or, if you wish to contribute to ESAPI via "pull requests", the URI where you "forked" legacy ESAPI to, e.g. https://github.com/yourGitHubID/esapi-java-legacy)

5. Click "Next."

6. Click "Next" again.

7. Select where you want to store the cloned repo, it defaults to %USERPROFILE%\git\esapi-java-legacy on windows.

8. click "Next."

9. On the import wizard, cancel.

10. Right-click again on the package explorer, and click import, filter on "Maven" and click on "Existing Maven Projects."

11. Navigate to the folder you created in step 7. Select "esapi-java-legacy" and click next.

12. Click finish.

Congratulations! You are ready to develop!

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code,Import Existing Eclipse projects." follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''https://github.com/ESAPI/esapi-java-legacy.git'' as the URL. If you are listed as a project contributor, check the github page for the URL to use.
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]

ESAPI Javadocs

2016-04-05T00:23:36Z

Kevin W. Wall: Update link for ESAPI javadoc to use javadoc.io

==Latest Javadocs==
The latest Javadocs for the ESAPI can be found [https://www.javadoc.io/doc/org.owasp.esapi/esapi/ here].

[[Category:OWASP Enterprise Security API]]

GSOC2016 Ideas

2016-02-20T06:19:54Z

Kevin W. Wall: /* Advanced padding oracle testing and exploitation */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check the Hackademic wiki page linked above
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]

== OWASP Hackademic Challenges ==

[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

=== REST API for the sandbox ===

'''Brief Explanation:'''

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project:
Since the sandbox is written in python, you can use microframeworks such as flask to implement the api.
The endpoint authorization can be done via certificates or plain signature or username/password type authentication.
However the communication between the two has to be over a secure channel.

'''Expected Results:'''
* A REST style api which allows an authenticated remote entity control the sandbox engine.
* PEP8 compliant code
* Acceptable unit test coverage

'''Knowledge Prerequisites:'''

Python, test driven developmen, some idea what REST is, some security knowledge would be preferable.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in php or python using any compoennts we agree are necesary and based on the framework we agree on.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented
* PSR/PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

'''Knowledge Prerequisites:'''
Python or PHP, the framework suggested, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== First Course Type Challenge ===

'''Brief Explanation:'''
We have a wonderful sandbox engine which allows for complex guided challenges to be implemented.
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.
Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)

* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.

* Guide to exploiting the TOP10. (Using ZAP?)

* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

'''Expected Results:'''

* One or more Course - style challenges provided either as a docker container or as a vagrant box.
* Concrete documentation on how to build a challenge like this.

'''Knowledge Prerequisites:'''
The technologies used.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Advanced Sandboxed Challenges ===

'''Brief Explanation:'''

In the spirit of the challenges above, we're looking for true ctf type challenges.
This is an open ended task. We're expecting awesome fresh ideas.

Ideas on the project:
* An application vulnerable to one or more TOP 10 elements.
* A logic flaws based ctf
* Your idea here

'''Expected Results:'''
Docker containers or Vagrant boxes that contain complete new challenges.

'''Knowledge Prerequisites:'''
Knowledge of the technologies used

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Your idea ===

'''Brief Explanation:'''

Amazing students, in our experience the best, most creative and unique ideas show up when we let students suggest their own feature in relation to the project.
The above should give you a general idea where we're going but don't let them constrain you.
Do you wanna do something that would fit into Hackademic? Send us an email!

Ideas on the project:
No idea, that's your turn to shine!

'''Expected Results:'''
If it's code, code according to our coding standards.
If it's challenges, something new and interesting.
If it's something else, then written like the person who's going to maintain your code is a raging psychopath with an axe who knows where you live.

In short we'd like some quality. ;-)

'''Knowledge Prerequisites:'''

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

== OWASP OWTF ==

=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===

'''Brief explanation:'''

Background problem to solve:

We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date.

Proposed solution:

We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.

[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - HTTP Request Translator Improvements ===

'''Brief explanation:'''

Problem to solve:

There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.

Proposed solution:

An HTTP request translator, a *standalone* *tool* that can:

1) Be used from inside OR outside of OWTF.

2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts

3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)
* Transforms with boundary strings? (TBD)
* Individually or in bulk? (TBD)

'''Essential Function: "--output" argument'''

CRITICAL: The command/script should be generated so that the request is sent as literally as possible.

Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.

NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)
* http request in => curl command out
* http request in => bash script out
* http request in => python script out
* http request in => php script out
* http request in => ruby script out
* http request in => PowerShell script out

'''Basic additional arguments:'''

- "--proxy" argument: generates the command/script with the relevant proxy option

NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)

- "--string-search" argument: generates the command/script so that it:

1) performs the request

2) then searches for something in the response (i.e. literal match)

- "--regex-search" argument: generates the command/script so that it:
1) performs the request

2) then searches for something in the response (i.e. regex match)

'''OWTF integration'''

The idea here, is to invoke this tool from:

1) Single HTTP transactions:

For example, have a button to "export http request" + then show options equivalent to the flags

2) Multiple HTTP transactions:

Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).

'''Desired input formats:'''

* Read raw HTTP request from stdin -Suggested default behaviour! :)-

Example: cat path/to/http_request.txt | http-request-translator.py --output

* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"

Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"

Example:

1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)

2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"

3) User pastes a raw HTTP requests + hits enter

4) Tool outputs whatever is relevant for the flags + http request given

* For bulk processing: Maybe a directory of raw http request files?

'''Nice to have: Transforms'''

In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.

Example:

NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"

Step 1) The user provides a raw HTTP request like this:

GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test
Host: target.com
...

Step 2) The tool generates a bash script like the following:

#!/bin/bash

PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")
curl ...... "http://target.com/path/to/$PARAM1/test"

OR a "curl command" like the following:
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"

This feature can be valuable to shave a bit more time in script writing.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - JavaScript Library Sniper Improvements ===

'''Brief explanation:'''
This is a project that tries to resolve a very common problem during penetration tests:

The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.

To solve this problem, we propose a *standalone* *tool* that can:

1) Be run BOTH from inside AND outside of OWTF

2) Build and *update* a fingerprint JavaScript library database of:
* Library File hashes => JavaScript Library version
* Library File lengths => JavaScript Library version
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)

3) Build and *update* a vulnerability database of:
* JavaScript Library version => CVE - CVSS score - Vulnerability info

4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:
* JavaScript Library version
* List of vulnerabilities sorted in descending CVSS score order

5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:
* ALL Library/vulnerability matches described on 4)

Once the standalone tool is built and verified to be working, OWTF should be able to:

Feature 1) GREP plugin improvement (Web Application Fingerprint):

Step 1) Lookup file lengths and hashes in the "JavaScript library database"

Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user

Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):

1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-

2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)

Potential projects worth having a look for potential overlap/inspiration:
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]

How many JavaScript libraries should be included?
* As many as possible, but especially the major ones: jQuery, knockout, etc.
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-

Common JavaScript library fingerprinting techniques include:
* Parse the JavaScript file and grab the version from there
* Determine the JavaScript version based on a hash of the file
* Determine the JavaScript version based on the length of the file

Other Challenges:
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"
* When the JavaScript file does not match a specific version:
1) The commit that matches the closest should (ideally) be found
2) The NEXT library version after that commit (if present) should be found
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Off-line HTTP traffic uploader ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Health Monitor ===

'''Brief explanation:'''

In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.

For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:

'''Feature 1) Alerting mechanisms'''

When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:
* Playing an mp3 song (both local and possibly remote locations)
* Scan status overview on the CLI
* Scan status overview on the GUI

NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.

'''Feature 2) Corrective mechanisms'''

Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:
* Stop this tool
* Freeze this process (to continue later)
* Freeze the whole scan (to continue later)

Additional mechanisms:
* Show a ranking of files that take the most space

'''Feature 3) Target monitor'''

Brief overview:

All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).

Potential approach: Check if length of 1st page changes every 60 seconds.

NOTE: It might be needed to change this on the fly.

More background

Consider the following scenario:

Current Situation aka "problem to solve":

1) Website X goes down during a scan

2) the customer notices

3) the customer tells the boss

4) the boss tells the pentester

5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)

Desired situation aka "solution":

It would be much more professional AND efficient that:

1) The pentester notices

2) The pentester tells the boss

3) The boss tells the customer

4) OWTF stops the tool because it knows that website is DEAD anyway

A target monitor could easily do this with heartbeat requests + playing mp3s

The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"

'''Feature 4) Disk space monitor'''

Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).

Proposed solution:

Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).

'''Feature 5) Network/Internet Connectivity monitor'''

Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:

1) Detects the lack of connectivity

2) Freezes all the tools (read: processes) in progress

3) Resumes the scan when the connectivity is back.

'''Feature 6) Tool crash detection'''

Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)

'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''

OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Installation Improvements and Package manager ===

'''Brief explanation:'''

This project is to implement what was suggested in the following github issue:
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]

Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?
Having a private server with:
* pre-installed files for VMs
* pre-configured and patched tools
* Merged Lists
* Pre-configured certificates
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.
Additional ideas are welcome.

-- They could be hosted on Dropbox or a private VPS :)

2 Installation Modes
* For high speed connections (Downloading the files uncompressed)
* For low speed connections (Downloading the files compressed)
and the installation crashed because i runned out of space in the vm
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Testing Framework Improvements ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

'''Top features'''

In this improvement phase, the Testing Framework should:
* (Top Prio) Focus more on functional tests
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)
* (Top Prio) Put together a great wiki documentation section for contributors
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.
* (Top Prio) Fix the current Travis issues :)
* (Nice to have) Bring the unit tests up to speed with the codebase
This will be challenging but very worth trying after top priorities.
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.

'''General background'''

The Unit Test Framework should be able to:
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
* Allow to regression test by test categories (i.e. "test only web plugins")
* Allow to regression test everything (i.e. plugins + framework core: "test all")
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
* Perform well so that we can run as many tests as possible in a given period of time
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Tool utilities module ===

'''Brief explanation:'''

The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.

'''Feature 1) Vulnerable software version database:'''

Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).

Example:
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]

'''Feature 2) Nmap output file merger:'''

Unify nmap files *without* losing data: XML, text and greppable formats
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).

'''Feature 3) Nmap output file vulnerability mapper'''

From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):

1) CVEs in reverse order of CVSS score, with links.

2) Metasploit modules available for each CVE / issue

NOTE: Can supply an *old* shell script for reference

3) Servers/ports affected (i.e. all server / port combinations using that software version)

'''Feature 4) URL target list creator:'''

Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF

'''Feature 5) Hydra command creator:'''

nmap file in => Hydra command list out

grep http auth / login pages in output files to identify login interfaces => Hydra command list out

'''Feature 6) WP-scan command creator:'''

look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

''' OWASP Mentors '''

== OWASP ZAP ==

ZAP is one of the top OWASP projects and the most active open source web security tools.

You can follow (and join in) the GSoC discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ

=== Bug tracker support ===

This would allow ZAP users to raise issues in bug trackers directly within ZAP. Ideally it would be implemented as an extension with a generic framework and then adaptors for specific trackers, like github and bugzilla.

The info included in the issues raised should be as configurable as possible so that users can include whatever they want, and set things like custom fields.

''' Expected Results '''

* Raise issues in github and bugzilla from alerts within the ZAP UI
* Support for raising alerts using the ZAP API
* High level of customization so that users can tune to their requirements

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Form Handling ===

The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These may often not be valid values, for example using "ZAP" when an email address is required.

The enhancement would allow the user to define default values based on pattern matching against the field names and/or ids.

It would also be very useful if it could show the user all forms and their associated fields for an application, and then allow the user to update the default values.

''' Expected Results '''

* User able to specify default values for all forms used by the ZAP spiders
* Display all of the forms and fields for an application and allow the user to update the default values to be used
* Full support for defining default values via the API

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Automated authentication detection and configuration ===

ZAP has extensive support for supporting application authentication, but configuring this is a manual process which can be tricky to get right.

The enhancement would allow ZAP to detect as many forms of authentication as possible and automatically configure them using the existing ZAP functionality.

''' Expected Results '''

* Automatically detect a wide range of authentication mechanisms
* Automatically configure ZAP to handle them
* Full support via the API

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Advanced padding oracle testing and exploitation ===

ZAP has currently has very minimal support in it's the (beta) [https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/ascanrulesBeta/PaddingOraclePlugin.java PaddingOraclePlugin] for identifying potential [https://en.wikipedia.org/wiki/Padding_oracle_attack padding oracle] vulnerabilities. Specifically, it only examines two indicators for possible oracles (changing the last byte of padding by XORing it with 0x1 and resubmitting the HTTP request with the new altered parameter to see if the HTTP response contains some error patter or to check if the returned HTTP status is a 500 error. Furthermore, it is limited to checking parameters, but encrypted values that may be susceptible to padding oracle attacks may also be in HTTP cookies or even HTTP request / response values. (In the latter case, these custom headers are usually manipulated via AJAX.) Lastly SOAP messages using [https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html W3C XML Encryption] and JSON are other potential sources of padding oracle vulnerabilities that might be examined.

The enhancement would extend the support to more a broader attack surface such as new attack vectors like cookies, HTTP headers, and possibly XML or JSON and also expand the identification of potential new oracles to not just keywords, but to any minute difference in responses (at least for idempotent GETs) or significant variations in time. Lastly, we would like to add the ability to exploit padding oracle vulnerabilities discovered which could lead to whole lot of other interesting discoveries.

''' Expected Results '''

* Detect oracle padding vulnerabilities in more situations
** Expanded attack vectors: cookies, HTTP headers, XML, JSON
** Expanded variation of recognized potential oracles: ''any'' output differences when padding correct vs. incorrect (takes much more than flipping a single padding bit), significant differences in timing, etc.
* Add the option to actually attempt to exploit discovered potential padding oracle vulnerabilities and report additional subsequent findings once the ciphertext is actually decrypted.
* Build test code to illustrate a working proof of concept

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. Reading up on basic details of how padding oracle attacks operate would also be extremely helpful.

''' Mentors '''
Kevin Wall (cryptography subject matter expert) and other members of the ZAP core team

=== Zest text representation and parser ===

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

''' Expected Results '''

* A documented definition of a text representation for Zest
* A parser that converts the text representation into a working Zest script
* An option in the Zest java implementation to output Zest scripts text format

''' Knowledge Prerequisite: '''
The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Your idea ===

We're always open to students coming up with their own suggestions for ZAP projects, so if you have something you think would make ZAP better then please get in touch!

''' Expected Results '''

* That depends on your project, but clearly defined goals will be necessary

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

== OWASP AppSensor ==

[[OWASP AppSensor Project]] provides real-time application layer intrusion detection.

* Check the AppSensor wiki page linked above
* Contact us through the mailing list.
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]
* Also see our [http://www.appsensor.org appsensor website]

=== Dashboard UI Expansion ===

'''Brief Explanation:'''

AppSensor provides a solid base of functionality to applications, and we currently have a minimal application for data display. This project will involve expanding the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. The existing stack is based on spring boot and reactjs. There are lots of features to be added, and you'll work with the project leader(s) and the community to build the most-needed and requested capabilities.

'''Expected Results:'''

The existing dashboard application will be expanded and will involve features like:
* Search (could involve significant back-end work to configure indexing, etc.)
* Policy Management (edit server configuration in real-time)
* Data visualization / dashboarding

Source code, tests, and associated documentation for both the back-end and UI will be delivered for this effort.

'''Knowledge Prerequisites:'''

Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the domain.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Trend Monitoring Analysis Engine ===

'''Brief Explanation:'''

AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor.

'''Expected Results:'''

The project should produce:
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine
* Associated configuration mechanism to specify the trending rules/policy
* A small full sample demo application showing usage of the trend monitoring feature

Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable in Java and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Expand language support for clients ===

'''Brief Explanation:'''

AppSensor supports various modes for communication with the server. The language and framework of the client application are required only to support the given mode. This flexibility is desirable, but having pre-built clients in various languages is useful for our user-base. This project would involve working with various popular languages and frameworks to build support for communicating with the appsensor server backend.

'''Expected Results:'''

The project should produce:
* Clients in multiple popular languages for interaction with appsensor server
* Evaluate the possibility for generating clients from specification as opposed to writing and maintaining the code (ie. swagger for REST)
* At a minimum, coverage for the HTTP/REST mode should be supported. Other modes (thrift, soap, kafka, etc.) will be produced as time allows.
* Several small demo applications showing usage of the given APIs

Source code and tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable working in multiple popular languages and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Implement Detection Points in Reverse Proxy ===

'''Brief Explanation:'''

AppSensor works by tracking events that are created by "detection points", essentially locations in the processing pipeline where suspicious or malicious intent is observed. This often requires business-specific detection within the application. However, the project has defined a number of detection points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) and responses (https://www.owasp.org/index.php/AppSensor_ResponseActions), some of which can be generically applied across a broader set of applications, including those that are common to an entire organization or even cross-organization. For that reason, a sub-project has been created (https://github.com/jtmelton/appsensor-reverse-proxy) that provides support for detection points and responses that are generic enough to be broadly applicable. This project would expand support for these detection points and responses.

'''Expected Results:'''

The project should produce:
* New detection points and responses
* Documentation for how to deploy the project and any end-user considerations
* Load testing each function as this project front-ends applications, and traffic throughput characteristics are important to our user-base.
* A small sample demo application showing the utility of the proxy. A recording of the usage for community viewing would be beneficial.

Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable in golang and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

== OWASP Seraphimdroid [[OWASP_SeraphimDroid_Project| ]] ==

=== Behavioral malware and intrusion analysis ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.

'''Expected Results:'''

* Reviewing scientific literature and find feasible approach we can take
* Implement and possibly improve the approach in Seraphimdroid
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it
* Documenting approach as a technical report

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML
* Basic knowledge and interest in machine learning

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Framework for plugin development ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed.

'''Expected Results:'''

* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid
* Providing GUI integration with third party components
* Develop at least one test plugin
* Document the development process and API

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Educational component ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app. The initial idea of the project was to provide educational platform for common users, where by using the application, users can learn about risks for their privacy and security. Some components already has some sort of explanation, which is educational. However, it lacks of uneatable knowledge source and some of the components that monitor user's behavior do not provide sufficient information. Idea of this project is to develop monitoring of user activity and an component that can warn user about risks if he does something risky. Also, mobile security knowledge base that can be updated remotely will be a huge new asset to the application.

'''Expected Results:'''

* Develop uneatable knowledge base and GUI for it
* Develop web server where the knowledge base can be updated
* Improve current educational reporting
* Develop methodology for monitoring users and notifying them about risky activities

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

== OWASP ZSC Tool ==

'''Brief Explanation:'''

[[OWASP_ZSC_Tool_Project|OWASP ZSC]] is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python.

'''Expected Results:'''

Please take a look of our TODO list in Github to get some ideas:
https://github.com/Ali-Razmjoo/OWASP-ZSC/issues

Another ideas:
* Help us develop shellcode module for windows
* Develop shellcode module for OSX

Read about the project here:
https://ali-razmjoo.gitbooks.io/owasp-zsc/content/

Recommended reading:
http://www.vividmachines.com/shellcode/shellcode.html

'''Knowledge Prerequisites:'''
* Python
* Basic knowledge about Shellcode and assembly language

'''Mentors:'''
*Christo and Timo Goosen and Brian Beaudry- OWASP ZSC Contributors

Contact us through our mailing list for questions:
https://groups.google.com/d/forum/owasp-zsc

== OWASP-SKF (Security Knowledge Framework) ==

'''Brief Explanation:'''
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX under python.

The 4 Core usage of SKF:

Security Requirements OWASP ASVS for development and for third party vendor applications
Security knowledge reference (Code examples/ Knowledge Base items)
Security is part of design with the pre-development functionality in SKF
Security post-development functionality in SKF for verification with the OWASP ASVS

'''Expected Results:'''

More code examples for different languages
Better quality of the knowledge base items
More items in the pre-development phase
Editable checklists in the post-development phase

We really would love to improve the quality of the knowledge base items further, also we would love to have more code examples in the different languages like: Perl, Hack, Go, Node.js and more.

Please take a look of our TODO list in Github to get some ideas:
https://github.com/blabla1337/skf-flask/issues

Another ideas:
* Help us with stuff you think is missing in the SKF project

Read about the project here:
https://skf.readme.io

Recommended reading (here you find a link to the Online Demo):
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

'''Knowledge Prerequisites:'''
* Python, PHP, Hack, .NET, GO, Ruby, Perl, Java, Node.js
* Basic knowledge about programming in one of the above languages

'''Mentors:'''
*Glenn and Riccardo ten Cate- OWASP-SKF project leaders

GSOC2016 Ideas

2016-02-20T06:18:37Z

Kevin W. Wall: /* Advanced padding oracle testing and exploitation */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check the Hackademic wiki page linked above
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]

== OWASP Hackademic Challenges ==

[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

=== REST API for the sandbox ===

'''Brief Explanation:'''

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project:
Since the sandbox is written in python, you can use microframeworks such as flask to implement the api.
The endpoint authorization can be done via certificates or plain signature or username/password type authentication.
However the communication between the two has to be over a secure channel.

'''Expected Results:'''
* A REST style api which allows an authenticated remote entity control the sandbox engine.
* PEP8 compliant code
* Acceptable unit test coverage

'''Knowledge Prerequisites:'''

Python, test driven developmen, some idea what REST is, some security knowledge would be preferable.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in php or python using any compoennts we agree are necesary and based on the framework we agree on.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented
* PSR/PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

'''Knowledge Prerequisites:'''
Python or PHP, the framework suggested, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== First Course Type Challenge ===

'''Brief Explanation:'''
We have a wonderful sandbox engine which allows for complex guided challenges to be implemented.
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.
Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)

* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.

* Guide to exploiting the TOP10. (Using ZAP?)

* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

'''Expected Results:'''

* One or more Course - style challenges provided either as a docker container or as a vagrant box.
* Concrete documentation on how to build a challenge like this.

'''Knowledge Prerequisites:'''
The technologies used.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Advanced Sandboxed Challenges ===

'''Brief Explanation:'''

In the spirit of the challenges above, we're looking for true ctf type challenges.
This is an open ended task. We're expecting awesome fresh ideas.

Ideas on the project:
* An application vulnerable to one or more TOP 10 elements.
* A logic flaws based ctf
* Your idea here

'''Expected Results:'''
Docker containers or Vagrant boxes that contain complete new challenges.

'''Knowledge Prerequisites:'''
Knowledge of the technologies used

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Your idea ===

'''Brief Explanation:'''

Amazing students, in our experience the best, most creative and unique ideas show up when we let students suggest their own feature in relation to the project.
The above should give you a general idea where we're going but don't let them constrain you.
Do you wanna do something that would fit into Hackademic? Send us an email!

Ideas on the project:
No idea, that's your turn to shine!

'''Expected Results:'''
If it's code, code according to our coding standards.
If it's challenges, something new and interesting.
If it's something else, then written like the person who's going to maintain your code is a raging psychopath with an axe who knows where you live.

In short we'd like some quality. ;-)

'''Knowledge Prerequisites:'''

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

== OWASP OWTF ==

=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===

'''Brief explanation:'''

Background problem to solve:

We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date.

Proposed solution:

We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.

[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - HTTP Request Translator Improvements ===

'''Brief explanation:'''

Problem to solve:

There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.

Proposed solution:

An HTTP request translator, a *standalone* *tool* that can:

1) Be used from inside OR outside of OWTF.

2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts

3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)
* Transforms with boundary strings? (TBD)
* Individually or in bulk? (TBD)

'''Essential Function: "--output" argument'''

CRITICAL: The command/script should be generated so that the request is sent as literally as possible.

Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.

NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)
* http request in => curl command out
* http request in => bash script out
* http request in => python script out
* http request in => php script out
* http request in => ruby script out
* http request in => PowerShell script out

'''Basic additional arguments:'''

- "--proxy" argument: generates the command/script with the relevant proxy option

NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)

- "--string-search" argument: generates the command/script so that it:

1) performs the request

2) then searches for something in the response (i.e. literal match)

- "--regex-search" argument: generates the command/script so that it:
1) performs the request

2) then searches for something in the response (i.e. regex match)

'''OWTF integration'''

The idea here, is to invoke this tool from:

1) Single HTTP transactions:

For example, have a button to "export http request" + then show options equivalent to the flags

2) Multiple HTTP transactions:

Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).

'''Desired input formats:'''

* Read raw HTTP request from stdin -Suggested default behaviour! :)-

Example: cat path/to/http_request.txt | http-request-translator.py --output

* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"

Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"

Example:

1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)

2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"

3) User pastes a raw HTTP requests + hits enter

4) Tool outputs whatever is relevant for the flags + http request given

* For bulk processing: Maybe a directory of raw http request files?

'''Nice to have: Transforms'''

In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.

Example:

NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"

Step 1) The user provides a raw HTTP request like this:

GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test
Host: target.com
...

Step 2) The tool generates a bash script like the following:

#!/bin/bash

PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")
curl ...... "http://target.com/path/to/$PARAM1/test"

OR a "curl command" like the following:
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"

This feature can be valuable to shave a bit more time in script writing.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - JavaScript Library Sniper Improvements ===

'''Brief explanation:'''
This is a project that tries to resolve a very common problem during penetration tests:

The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.

To solve this problem, we propose a *standalone* *tool* that can:

1) Be run BOTH from inside AND outside of OWTF

2) Build and *update* a fingerprint JavaScript library database of:
* Library File hashes => JavaScript Library version
* Library File lengths => JavaScript Library version
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)

3) Build and *update* a vulnerability database of:
* JavaScript Library version => CVE - CVSS score - Vulnerability info

4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:
* JavaScript Library version
* List of vulnerabilities sorted in descending CVSS score order

5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:
* ALL Library/vulnerability matches described on 4)

Once the standalone tool is built and verified to be working, OWTF should be able to:

Feature 1) GREP plugin improvement (Web Application Fingerprint):

Step 1) Lookup file lengths and hashes in the "JavaScript library database"

Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user

Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):

1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-

2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)

Potential projects worth having a look for potential overlap/inspiration:
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]

How many JavaScript libraries should be included?
* As many as possible, but especially the major ones: jQuery, knockout, etc.
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-

Common JavaScript library fingerprinting techniques include:
* Parse the JavaScript file and grab the version from there
* Determine the JavaScript version based on a hash of the file
* Determine the JavaScript version based on the length of the file

Other Challenges:
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"
* When the JavaScript file does not match a specific version:
1) The commit that matches the closest should (ideally) be found
2) The NEXT library version after that commit (if present) should be found
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Off-line HTTP traffic uploader ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Health Monitor ===

'''Brief explanation:'''

In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.

For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:

'''Feature 1) Alerting mechanisms'''

When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:
* Playing an mp3 song (both local and possibly remote locations)
* Scan status overview on the CLI
* Scan status overview on the GUI

NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.

'''Feature 2) Corrective mechanisms'''

Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:
* Stop this tool
* Freeze this process (to continue later)
* Freeze the whole scan (to continue later)

Additional mechanisms:
* Show a ranking of files that take the most space

'''Feature 3) Target monitor'''

Brief overview:

All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).

Potential approach: Check if length of 1st page changes every 60 seconds.

NOTE: It might be needed to change this on the fly.

More background

Consider the following scenario:

Current Situation aka "problem to solve":

1) Website X goes down during a scan

2) the customer notices

3) the customer tells the boss

4) the boss tells the pentester

5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)

Desired situation aka "solution":

It would be much more professional AND efficient that:

1) The pentester notices

2) The pentester tells the boss

3) The boss tells the customer

4) OWTF stops the tool because it knows that website is DEAD anyway

A target monitor could easily do this with heartbeat requests + playing mp3s

The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"

'''Feature 4) Disk space monitor'''

Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).

Proposed solution:

Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).

'''Feature 5) Network/Internet Connectivity monitor'''

Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:

1) Detects the lack of connectivity

2) Freezes all the tools (read: processes) in progress

3) Resumes the scan when the connectivity is back.

'''Feature 6) Tool crash detection'''

Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)

'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''

OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Installation Improvements and Package manager ===

'''Brief explanation:'''

This project is to implement what was suggested in the following github issue:
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]

Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?
Having a private server with:
* pre-installed files for VMs
* pre-configured and patched tools
* Merged Lists
* Pre-configured certificates
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.
Additional ideas are welcome.

-- They could be hosted on Dropbox or a private VPS :)

2 Installation Modes
* For high speed connections (Downloading the files uncompressed)
* For low speed connections (Downloading the files compressed)
and the installation crashed because i runned out of space in the vm
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Testing Framework Improvements ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

'''Top features'''

In this improvement phase, the Testing Framework should:
* (Top Prio) Focus more on functional tests
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)
* (Top Prio) Put together a great wiki documentation section for contributors
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.
* (Top Prio) Fix the current Travis issues :)
* (Nice to have) Bring the unit tests up to speed with the codebase
This will be challenging but very worth trying after top priorities.
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.

'''General background'''

The Unit Test Framework should be able to:
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
* Allow to regression test by test categories (i.e. "test only web plugins")
* Allow to regression test everything (i.e. plugins + framework core: "test all")
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
* Perform well so that we can run as many tests as possible in a given period of time
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Tool utilities module ===

'''Brief explanation:'''

The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.

'''Feature 1) Vulnerable software version database:'''

Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).

Example:
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]

'''Feature 2) Nmap output file merger:'''

Unify nmap files *without* losing data: XML, text and greppable formats
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).

'''Feature 3) Nmap output file vulnerability mapper'''

From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):

1) CVEs in reverse order of CVSS score, with links.

2) Metasploit modules available for each CVE / issue

NOTE: Can supply an *old* shell script for reference

3) Servers/ports affected (i.e. all server / port combinations using that software version)

'''Feature 4) URL target list creator:'''

Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF

'''Feature 5) Hydra command creator:'''

nmap file in => Hydra command list out

grep http auth / login pages in output files to identify login interfaces => Hydra command list out

'''Feature 6) WP-scan command creator:'''

look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

''' OWASP Mentors '''

== OWASP ZAP ==

ZAP is one of the top OWASP projects and the most active open source web security tools.

You can follow (and join in) the GSoC discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ

=== Bug tracker support ===

This would allow ZAP users to raise issues in bug trackers directly within ZAP. Ideally it would be implemented as an extension with a generic framework and then adaptors for specific trackers, like github and bugzilla.

The info included in the issues raised should be as configurable as possible so that users can include whatever they want, and set things like custom fields.

''' Expected Results '''

* Raise issues in github and bugzilla from alerts within the ZAP UI
* Support for raising alerts using the ZAP API
* High level of customization so that users can tune to their requirements

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Form Handling ===

The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These may often not be valid values, for example using "ZAP" when an email address is required.

The enhancement would allow the user to define default values based on pattern matching against the field names and/or ids.

It would also be very useful if it could show the user all forms and their associated fields for an application, and then allow the user to update the default values.

''' Expected Results '''

* User able to specify default values for all forms used by the ZAP spiders
* Display all of the forms and fields for an application and allow the user to update the default values to be used
* Full support for defining default values via the API

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Automated authentication detection and configuration ===

ZAP has extensive support for supporting application authentication, but configuring this is a manual process which can be tricky to get right.

The enhancement would allow ZAP to detect as many forms of authentication as possible and automatically configure them using the existing ZAP functionality.

''' Expected Results '''

* Automatically detect a wide range of authentication mechanisms
* Automatically configure ZAP to handle them
* Full support via the API

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Advanced padding oracle testing and exploitation ===

ZAP has currently has very minimal support in it's the (beta) [https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/ascanrulesBeta/PaddingOraclePlugin.java PaddingOraclePlugin] for identifying potential [https://en.wikipedia.org/wiki/Padding_oracle_attack padding oracle] vulnerabilities. Specifically, it only examines two indicators for possible oracles (changing the last byte of padding by XORing it with 0x1 and resubmitting the HTTP request with the new altered parameter to see if the HTTP response contains some error patter or to check if the returned HTTP status is a 500 error. Furthermore, it is limited to checking parameters, but encrypted values that may be susceptible to padding oracle attacks may also be in HTTP cookies or even HTTP request / response values. (In the latter case, these custom headers are usually manipulated via AJAX.) Lastly SOAP messages using [https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html W3C XML Encryption] and JSON are other potential sources of padding oracle vulnerabilities that might be examined.

The enhancement would extend the support to more a broader attack surface such as new attack vectors like cookies, HTTP headers, and possibly XML or JSON and also expand the identification of potential new oracles to not just keywords, but to any minute difference in responses (at least for idempotent GETs) or significant variations in time. Lastly, we would like to add the ability to exploit padding oracle vulnerabilities discovered which could lead to whole lot of other interesting discoveries.

''' Expected Results '''

* Detect oracle padding vulnerabilities in more situations
** Expanded attack vectors: cookies, HTTP headers, XML, JSON
** Expanded variation of recognized potential oracles: ''any'' output differences when padding correct vs. incorrect (takes much more than flipping a single padding bit), significant differences in timing, etc.
* Add the option to actually attempt to exploit discovered potential padding oracle vulnerabilities and report additional subsequent findings once the ciphertext is actually decrypted.
* Build test code to illustrate a working proof of concept

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. Reading up on basic details of how padding oracle attacks operate would also be extremely helpful.

''' Mentors '''
Kevin Wall and other members of the ZAP core team

=== Zest text representation and parser ===

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

''' Expected Results '''

* A documented definition of a text representation for Zest
* A parser that converts the text representation into a working Zest script
* An option in the Zest java implementation to output Zest scripts text format

''' Knowledge Prerequisite: '''
The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Your idea ===

We're always open to students coming up with their own suggestions for ZAP projects, so if you have something you think would make ZAP better then please get in touch!

''' Expected Results '''

* That depends on your project, but clearly defined goals will be necessary

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

== OWASP AppSensor ==

[[OWASP AppSensor Project]] provides real-time application layer intrusion detection.

* Check the AppSensor wiki page linked above
* Contact us through the mailing list.
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]
* Also see our [http://www.appsensor.org appsensor website]

=== Dashboard UI Expansion ===

'''Brief Explanation:'''

AppSensor provides a solid base of functionality to applications, and we currently have a minimal application for data display. This project will involve expanding the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. The existing stack is based on spring boot and reactjs. There are lots of features to be added, and you'll work with the project leader(s) and the community to build the most-needed and requested capabilities.

'''Expected Results:'''

The existing dashboard application will be expanded and will involve features like:
* Search (could involve significant back-end work to configure indexing, etc.)
* Policy Management (edit server configuration in real-time)
* Data visualization / dashboarding

Source code, tests, and associated documentation for both the back-end and UI will be delivered for this effort.

'''Knowledge Prerequisites:'''

Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the domain.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Trend Monitoring Analysis Engine ===

'''Brief Explanation:'''

AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor.

'''Expected Results:'''

The project should produce:
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine
* Associated configuration mechanism to specify the trending rules/policy
* A small full sample demo application showing usage of the trend monitoring feature

Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable in Java and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Expand language support for clients ===

'''Brief Explanation:'''

AppSensor supports various modes for communication with the server. The language and framework of the client application are required only to support the given mode. This flexibility is desirable, but having pre-built clients in various languages is useful for our user-base. This project would involve working with various popular languages and frameworks to build support for communicating with the appsensor server backend.

'''Expected Results:'''

The project should produce:
* Clients in multiple popular languages for interaction with appsensor server
* Evaluate the possibility for generating clients from specification as opposed to writing and maintaining the code (ie. swagger for REST)
* At a minimum, coverage for the HTTP/REST mode should be supported. Other modes (thrift, soap, kafka, etc.) will be produced as time allows.
* Several small demo applications showing usage of the given APIs

Source code and tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable working in multiple popular languages and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Implement Detection Points in Reverse Proxy ===

'''Brief Explanation:'''

AppSensor works by tracking events that are created by "detection points", essentially locations in the processing pipeline where suspicious or malicious intent is observed. This often requires business-specific detection within the application. However, the project has defined a number of detection points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) and responses (https://www.owasp.org/index.php/AppSensor_ResponseActions), some of which can be generically applied across a broader set of applications, including those that are common to an entire organization or even cross-organization. For that reason, a sub-project has been created (https://github.com/jtmelton/appsensor-reverse-proxy) that provides support for detection points and responses that are generic enough to be broadly applicable. This project would expand support for these detection points and responses.

'''Expected Results:'''

The project should produce:
* New detection points and responses
* Documentation for how to deploy the project and any end-user considerations
* Load testing each function as this project front-ends applications, and traffic throughput characteristics are important to our user-base.
* A small sample demo application showing the utility of the proxy. A recording of the usage for community viewing would be beneficial.

Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable in golang and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

== OWASP Seraphimdroid [[OWASP_SeraphimDroid_Project| ]] ==

=== Behavioral malware and intrusion analysis ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.

'''Expected Results:'''

* Reviewing scientific literature and find feasible approach we can take
* Implement and possibly improve the approach in Seraphimdroid
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it
* Documenting approach as a technical report

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML
* Basic knowledge and interest in machine learning

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Framework for plugin development ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed.

'''Expected Results:'''

* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid
* Providing GUI integration with third party components
* Develop at least one test plugin
* Document the development process and API

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Educational component ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app. The initial idea of the project was to provide educational platform for common users, where by using the application, users can learn about risks for their privacy and security. Some components already has some sort of explanation, which is educational. However, it lacks of uneatable knowledge source and some of the components that monitor user's behavior do not provide sufficient information. Idea of this project is to develop monitoring of user activity and an component that can warn user about risks if he does something risky. Also, mobile security knowledge base that can be updated remotely will be a huge new asset to the application.

'''Expected Results:'''

* Develop uneatable knowledge base and GUI for it
* Develop web server where the knowledge base can be updated
* Improve current educational reporting
* Develop methodology for monitoring users and notifying them about risky activities

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

== OWASP ZSC Tool ==

'''Brief Explanation:'''

[[OWASP_ZSC_Tool_Project|OWASP ZSC]] is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python.

'''Expected Results:'''

Please take a look of our TODO list in Github to get some ideas:
https://github.com/Ali-Razmjoo/OWASP-ZSC/issues

Another ideas:
* Help us develop shellcode module for windows
* Develop shellcode module for OSX

Read about the project here:
https://ali-razmjoo.gitbooks.io/owasp-zsc/content/

Recommended reading:
http://www.vividmachines.com/shellcode/shellcode.html

'''Knowledge Prerequisites:'''
* Python
* Basic knowledge about Shellcode and assembly language

'''Mentors:'''
*Christo and Timo Goosen and Brian Beaudry- OWASP ZSC Contributors

Contact us through our mailing list for questions:
https://groups.google.com/d/forum/owasp-zsc

== OWASP-SKF (Security Knowledge Framework) ==

'''Brief Explanation:'''
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX under python.

The 4 Core usage of SKF:

Security Requirements OWASP ASVS for development and for third party vendor applications
Security knowledge reference (Code examples/ Knowledge Base items)
Security is part of design with the pre-development functionality in SKF
Security post-development functionality in SKF for verification with the OWASP ASVS

'''Expected Results:'''

More code examples for different languages
Better quality of the knowledge base items
More items in the pre-development phase
Editable checklists in the post-development phase

We really would love to improve the quality of the knowledge base items further, also we would love to have more code examples in the different languages like: Perl, Hack, Go, Node.js and more.

Please take a look of our TODO list in Github to get some ideas:
https://github.com/blabla1337/skf-flask/issues

Another ideas:
* Help us with stuff you think is missing in the SKF project

Read about the project here:
https://skf.readme.io

Recommended reading (here you find a link to the Online Demo):
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

'''Knowledge Prerequisites:'''
* Python, PHP, Hack, .NET, GO, Ruby, Perl, Java, Node.js
* Basic knowledge about programming in one of the above languages

'''Mentors:'''
*Glenn and Riccardo ten Cate- OWASP-SKF project leaders

ESAPI-BuildingWithEclipse

2016-02-09T06:09:01Z

Kevin W. Wall: First set of changes to update to JDK 6 or later and git/GitHub.

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code, follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''http://owasp-esapi-java.googlecode.com/svn/trunk/'' as the URL. If you are listed as a project contributor, check the Google Code page for the URL to use. (Note: if you are a contributor, when prompted for your SVN password, use your Google generated password, available from the Google Code Source page.)
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]

ESAPI-Building

2016-02-09T05:30:21Z

Kevin W. Wall: Change references from using svn and Google Code to git and GitHub.

ESAPI is easy to build yourself using [https://git-scm.com/ Git] and [http://maven.apache.org/ Maven]. Ensure that you are using UTF-8 for all source code.

$ git clone https://github.com/ESAPI/esapi-java-legacy.git # This will clone the 'develop' branch.
$ cd esapi-java-legacy
$ mvn -Dmaven.test.skip=true package # Build ESAPI

Maven will generate a "target" directory that contains the ESAPI jar file.

To generate project reports use:

$ mvn site

To generate documentation use:

$ mvn javadoc:jar

__NOTOC__

[[Category:OWASP Enterprise Security API]]

Category:OWASP Enterprise Security API

2015-12-17T02:30:03Z

Kevin W. Wall: Add new tab to ESAPI page

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:chris.schmidt@owasp.org here] and [mailto:kevin.w.wall@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*{{#switchtablink:.NET|ESAPI for .NET}}<br>
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br>
*{{#switchtablink:PHP|ESAPI for PHP}}<br>
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br>
*{{#switchtablink:Python|ESAPI for Python}}<br>
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]<br>

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Should I use ESAPI? =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[NOTE: The heretical opinions on this ESAPI tab are 100% my own and do not necessarily reflect the rest of other ESAPI contributors or the OWASP staff, leadership, community. --kevin wall]

Or, specifically, "Should I use ESAPI for Java?" since that's the only one run by OWASP that still shows any semblance of life.
Maintenance activities is down, way down in fact of its peak development activities. Some of us are still trying and haven't given up and volunteers are still welcome. But without active contributors, projects make slow progress.

The first question to ask is, are you already using ESAPI in your project, and if so, do you have a lot vested in it? If so, then the answer to "Should I use ESAPI?" probably is "yes". The second question you should ask, if I'm using it, why am I not contributing to it in some manner? But we won't go there.

If you are starting out on a new project or trying for the first time to secure an existing project, then _before_ you consider ESAPI, you should consider these possible alternatives:
* Output encoding: [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]
* General HTML sanitization: [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer]
* Validation: [http://beanvalidation.org/ JSR-303/JSR-349 Bean Validation]
*Strong cryptography: [https://github.com/google/keyczar Keyczar]
* Authentication / authorization: [https://shiro.apache.org/ Apache Shiro]
* CSRF protection: [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRFGuard Project] or [https://www.owasp.org/index.php/CSRFProtector_Project OWASP CSRFProtector Project]

Note that it not the suggestion to suggest that ESAPI is dead, but rather to acknowledge the fact that it isn't being as well-maintained as most F500 companies would like for their enterprise software. There may be alternatives, such as companies that you can purchase ESAPI support from. Those are not being considered here for various reasons, not the least of which is to remain vendor neutral. Rather, instead these recommendations should be taken as possible alternatives to secure your application. It is not a perfect world that we live in, but I would be remiss as an appsec guy if I were to plug ESAPI over other good security solutions simply because of my contributions to / involvement with ESAPI. I think that ESAPI has it's place and I will do my best to maintain it, but not to the exclusion of my family or day job. If you would like to volunteer to help, you know where to find me.

-[mailto:kevin.w.wall@gmail.com kevin wall]

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

GPC Project Details/OWASP Enterprise Security API Java EE Version

2015-12-16T01:02:43Z

Kevin W. Wall: Let's try percent encoding.

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Chris Schmidt
| leader_email = kevin.w.wall@gmail.com
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff_Williams
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-dev@lists.owasp.org
| maintainer_username =
| contributor_name1 = Chris Schmidt
| contributor_email1 = chrisisbeef@gmail.com
| contributor_username1 = Chris_Schmidt
| contributor_name2 = Kevin W. Wall
| contributor_email2 = kevin.w.wall@gmail.com
| contributor_username2 = Kevin_W._Wall
| contributor_name3 = Jeff Williams
| contributor_email3 = Jeff.Williams@owasp.org
| contributor_username3 = Jeff_Williams
| contributor_name4 = Jim Manico
| contributor_email4 = Jim.Manico@owasp.org
| contributor_username4 = Jmanico
| contributor_name5 = See "Members" under https://code.google.com/p/owasp-esapi-java/ for list of other contributors
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = https://search.maven.org/#search%7Cga%7C1%7Corg.owasp.esapi
| links_name1 = ESAPI 2.x Downloads
| links_url2 = https://code.google.com/p/owasp-esapi-java/downloads/list
| links_name2 = All previous ESAPI Downloads
| links_url3 = https://github.com/ESAPI/esapi-java-legacy
| links_name3 = GitHub code repository for ESAPI JAVA
| links_url4 = https://github.com/ESAPI/esapi-java-legacy/issues
| links_name4 = Report a bug!
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
| links_name5 = ESAPI 2.1.0 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

GPC Project Details/OWASP Enterprise Security API Java EE Version

2015-12-16T00:51:50Z

Kevin W. Wall: Try to fix downloads link.

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Chris Schmidt
| leader_email = kevin.w.wall@gmail.com
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff_Williams
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-dev@lists.owasp.org
| maintainer_username =
| contributor_name1 = Chris Schmidt
| contributor_email1 = chrisisbeef@gmail.com
| contributor_username1 = Chris_Schmidt
| contributor_name2 = Kevin W. Wall
| contributor_email2 = kevin.w.wall@gmail.com
| contributor_username2 = Kevin_W._Wall
| contributor_name3 = Jeff Williams
| contributor_email3 = Jeff.Williams@owasp.org
| contributor_username3 = Jeff_Williams
| contributor_name4 = Jim Manico
| contributor_email4 = Jim.Manico@owasp.org
| contributor_username4 = Jmanico
| contributor_name5 = See "Members" under https://code.google.com/p/owasp-esapi-java/ for list of other contributors
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = https://search.maven.org/#search\|ga\|1\|org.owasp.esapi
| links_name1 = ESAPI 2.x Downloads
| links_url2 = https://code.google.com/p/owasp-esapi-java/downloads/list
| links_name2 = All previous ESAPI Downloads
| links_url3 = https://github.com/ESAPI/esapi-java-legacy
| links_name3 = GitHub code repository for ESAPI JAVA
| links_url4 = https://github.com/ESAPI/esapi-java-legacy/issues
| links_name4 = Report a bug!
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
| links_name5 = ESAPI 2.1.0 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

GPC Project Details/OWASP Enterprise Security API Java EE Version

2015-12-16T00:42:12Z

Kevin W. Wall: More cleanup to get rid of as many Google Code links as possible.

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Chris Schmidt
| leader_email = kevin.w.wall@gmail.com
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff_Williams
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-dev@lists.owasp.org
| maintainer_username =
| contributor_name1 = Chris Schmidt
| contributor_email1 = chrisisbeef@gmail.com
| contributor_username1 = Chris_Schmidt
| contributor_name2 = Kevin W. Wall
| contributor_email2 = kevin.w.wall@gmail.com
| contributor_username2 = Kevin_W._Wall
| contributor_name3 = Jeff Williams
| contributor_email3 = Jeff.Williams@owasp.org
| contributor_username3 = Jeff_Williams
| contributor_name4 = Jim Manico
| contributor_email4 = Jim.Manico@owasp.org
| contributor_username4 = Jmanico
| contributor_name5 = See "Members" under https://code.google.com/p/owasp-esapi-java/ for list of other contributors
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = https://search.maven.org/#search|ga|1|org.owasp.esapi
| links_name1 = ESAPI 2.x Downloads
| links_url2 = https://code.google.com/p/owasp-esapi-java/downloads/list
| links_name2 = All previous ESAPI Downloads
| links_url3 = https://github.com/ESAPI/esapi-java-legacy
| links_name3 = GitHub code repository for ESAPI JAVA
| links_url4 = https://github.com/ESAPI/esapi-java-legacy/issues
| links_name4 = Report a bug!
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
| links_name5 = ESAPI 2.1.0 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

GPC Project Details/OWASP Enterprise Security API Java EE Version

2015-12-16T00:28:57Z

Kevin W. Wall:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Chris Schmidt
| leader_email = kevin.w.wall@gmail.com
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff_Williams
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-dev@lists.owasp.org
| maintainer_username =
| contributor_name1 = Chris Schmidt
| contributor_email1 = chrisisbeef@gmail.com
| contributor_username1 = Chris_Schmidt
| contributor_name2 = Kevin W. Wall
| contributor_email2 = kevin.w.wall@gmail.com
| contributor_username2 = Kevin_W._Wall
| contributor_name3 = Jeff Williams
| contributor_email3 = Jeff.Williams@owasp.org
| contributor_username3 = Jeff_Williams
| contributor_name4 = Jim Manico
| contributor_email4 = Jim.Manico@owasp.org
| contributor_username4 = JManico
| contributor_name5 = See "Members" under https://code.google.com/p/owasp-esapi-java/ for list of other contributors
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = http://code.google.com/p/owasp-esapi-java/downloads/list
| links_name1 = All ESAPI Downloads
| links_url2 = http://owasp-esapi-java.googlecode.com/files/ESAPI-1.4.4.zip
| links_name2 = ESAPI 1.4.4 - complete zip (Java 1.4+)
| links_url3 = http://code.google.com/p/owasp-esapi-java
| links_name3 = Google code repository for ESAPI JAVA
| links_url4 = http://code.google.com/p/owasp-esapi-java/issues/list
| links_name4 = Report a bug! (requires Google account)
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
| links_name5 = ESAPI 2.1.0 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

GPC Project Details/OWASP Enterprise Security API Java EE Version

2015-12-16T00:25:36Z

Kevin W. Wall:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Kevin Wall & Chris Schmidt
| leader_email = kevin.w.wall@gmail.com
| leader_username = Kevin_W._Wall
| past_leaders_special_contributions = Jeff Williams
| maintainer_name = ESAPI-Dev mailing list
| maintainer_email = esapi-dev@lists.owasp.org
| maintainer_username =
| contributor_name1 = Chris Schmidt
| contributor_email1 = chrisisbeef@gmail.com
| contributor_username1 = Chris_Schmidt
| contributor_name2 = Kevin W. Wall
| contributor_email2 = kevin.w.wall@gmail.com
| contributor_username2 = Kevin_W._Wall
| contributor_name3 = Jeff Williams
| contributor_email3 = Jeff.Williams@owasp.org
| contributor_username3 = Jeff_Williams
| contributor_name4 = Jim Manico
| contributor_email4 = Jim.Manico@owasp.org
| contributor_username4 = Jim_Manico
| contributor_name5 = See "Members" under https://code.google.com/p/owasp-esapi-java/ for list of other contributors
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = http://code.google.com/p/owasp-esapi-java/downloads/list
| links_name1 = All ESAPI Downloads
| links_url2 = http://owasp-esapi-java.googlecode.com/files/ESAPI-1.4.4.zip
| links_name2 = ESAPI 1.4.4 - complete zip (Java 1.4+)
| links_url3 = http://code.google.com/p/owasp-esapi-java
| links_name3 = Google code repository for ESAPI JAVA
| links_url4 = http://code.google.com/p/owasp-esapi-java/issues/list
| links_name4 = Report a bug! (requires Google account)
| links_url5 = http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0
| links_name5 = ESAPI 2.1.0 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

Category:OWASP Enterprise Security API

2015-12-15T05:56:08Z

Kevin W. Wall: Updated project lead.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project co-leads can be reached [mailto:chris.schmidt@owasp.org here] and [mailto:kevin.w.wall@gmail.com here].
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*{{#switchtablink:.NET|ESAPI for .NET}}<br>
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br>
*{{#switchtablink:PHP|ESAPI for PHP}}<br>
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br>
*{{#switchtablink:Python|ESAPI for Python}}<br>
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]<br>

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

Category:OWASP Enterprise Security API

2015-12-15T05:46:52Z

Kevin W. Wall: Get rid of more references to Google Code site.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project lead can be reached [mailto:jeff.williams@owasp.org here].

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[https://search.maven.org/#search|ga|1|esapi ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*{{#switchtablink:.NET|ESAPI for .NET}}<br>
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br>
*{{#switchtablink:PHP|ESAPI for PHP}}<br>
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br>
*{{#switchtablink:Python|ESAPI for Python}}<br>
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]<br>

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://www.javadoc.io/doc/org.owasp.esapi/esapi/2.1.0 JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

Category:OWASP Enterprise Security API

2015-12-14T23:51:03Z

Kevin W. Wall: Added GitHub link to Downloads tab

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project lead can be reached [mailto:jeff.williams@owasp.org here].

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

|}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

| valign="top" style="padding-left:25px;width:33%;border-right: 1px dotted gray;padding-right:25px;" |

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[http://code.google.com/p/owasp-esapi-java/downloads/list ESAPI for Java Downloads (binaries)]
*[https://github.com/ESAPI/esapi-java-legacy ESAPI for Java (source)]<br>
*{{#switchtablink:.NET|ESAPI for .NET}}<br>
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br>
*{{#switchtablink:PHP|ESAPI for PHP}}<br>
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br>
*{{#switchtablink:Python|ESAPI for Python}}<br>
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]<br>

| valign="top" style="padding-left:25px;width:33%;" |

[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}
[[Category:Popular]]
[[Category:SAMM-SA-3]]

Education/Free Training

2015-12-05T00:56:42Z

Kevin W. Wall: Inflating attendance stats!!! But according to MeetUp, there were 18.

[[image:Owasp banner web edu.jpg |1000px]]

The following courses either have been offered or are being offered free of charge courtesy of the trainers and the OWASP Foundation to anyone interested in learning about application security. Additionally, the training slides/coursework is available under an open source license and we encourage you to use it to set up your own training event!

If you are interested in setting up a training event through OWASP, [http://www.tfaforms.com/301382 submit your request here], we also have funding available to community members who may need help with travel, a venue or other logistics to get the event up and running. [https://www.owasp.org/index.php/Funding Click here for more information.]

Here are some general guidelines we have set up for free training courses within the OWASP Community:

# Use free and local when possible - donated venues or universities as well as trainers that are near by will help save on overhead costs
# Use open source training materials - we ask that you make your training materials available after the course, preferably in an editable format
# Use [https://www.owasp.org/images/5/5d/PPT_2013_Toolbox.zip OWASP template] for slides and keep any company branding to one bio slide
# Do an open call for training when possible to avoid giving preference to any one vendor/trainer and give others in the community a chance to participate
# If possible, do the training in a way and time that doesn't compete with paid training (especially at Global AppSec Conferences)

'''Credits:
A sincere thank you to Eoin Keary, Jim Manico, Dan Cornell, Josh Sokol and others who generously donated training content referenced below.'''

{| style="width:100%" border="0" cellpadding="1" align="center"
|-
| style="width:100%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="6" | '''Training Courses, Trainer Data, and Material'''
|- valign="bottom"
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Name/Topic'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Trainer Name(s)'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Materials'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Location'''
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Date'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Number of Attendees'''
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Analyzing (Java) Source Code for Cryptographic Weaknesses- Editable slides (ODP), with speaker's notes, and non-editable (PDF), without speaker's notes
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Kevin W. Wall | Kevin W. Wall]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[File:kwwall-owasp-prezo-CryptoCodeWeaknesses--2015-12-03.odp]] and [[File:kwwall-owasp-prezo-CryptoCodeWeaknesses--2015-12-03.pdf]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Columbus, OH OWASP Chapter
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Dec 03, 2015
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |18
|-
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Introduction to Application Security - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jsokol | Josh Sokol]], [[user:Dancornell | Dan Cornell]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/f/f2/LASCON_2015_-_Web_Application_Developer_Security_Training.pptx Training Slides]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [http://www.lascon.org LASCON 2015]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | October 21, 2015
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |100
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Application Security – Where do I start?
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]], [[user:MichaelCoates | Michael Coates]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/4/44/OWASP-SF-2014.pdf Training Slides]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Jillians <br> San Francisco, CA
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Feb 24, 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | 200
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/4/4e/How_Do_I_Approach_Application_Security-1.pptx How_Do_I_Approach_Application_Security-1]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/c/ce/HTTP_Basics_-_2.pptx HTTP Basics]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/f/fb/Secure_Storage_-_3.pptx Secure Storage]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/c/cf/Injection-4.pptx Injection]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/e/e7/XSS_-_5.pptx XSS]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/9/9d/ClickJacking_-_6.pptx UI Redress]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/8/8e/Risks_of_Insecure_Communication_-7.pptx SSL-TLS]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]], [[user:Cassio_Goldschmidt | Cassio Goldschmidt]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/8/82/OWASP_HTTPS_Talk_v3.pptx HTTPS Best Practices]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | AppSec Cali 2015, SoCal 2015
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |500+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/6/6e/Virtual_Patching_-8.pptx Virtual Patching / WAF]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/a/a8/Web_App_Access_-_9.pptx Access Control]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
|}
[[Category:SAMM-EG-1]]

Education/Free Training

2015-12-05T00:49:37Z

Kevin W. Wall: Added date

[[image:Owasp banner web edu.jpg |1000px]]

The following courses either have been offered or are being offered free of charge courtesy of the trainers and the OWASP Foundation to anyone interested in learning about application security. Additionally, the training slides/coursework is available under an open source license and we encourage you to use it to set up your own training event!

If you are interested in setting up a training event through OWASP, [http://www.tfaforms.com/301382 submit your request here], we also have funding available to community members who may need help with travel, a venue or other logistics to get the event up and running. [https://www.owasp.org/index.php/Funding Click here for more information.]

Here are some general guidelines we have set up for free training courses within the OWASP Community:

# Use free and local when possible - donated venues or universities as well as trainers that are near by will help save on overhead costs
# Use open source training materials - we ask that you make your training materials available after the course, preferably in an editable format
# Use [https://www.owasp.org/images/5/5d/PPT_2013_Toolbox.zip OWASP template] for slides and keep any company branding to one bio slide
# Do an open call for training when possible to avoid giving preference to any one vendor/trainer and give others in the community a chance to participate
# If possible, do the training in a way and time that doesn't compete with paid training (especially at Global AppSec Conferences)

'''Credits:
A sincere thank you to Eoin Keary, Jim Manico, Dan Cornell, Josh Sokol and others who generously donated training content referenced below.'''

{| style="width:100%" border="0" cellpadding="1" align="center"
|-
| style="width:100%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="6" | '''Training Courses, Trainer Data, and Material'''
|- valign="bottom"
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Name/Topic'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Trainer Name(s)'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Materials'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Location'''
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Date'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Number of Attendees'''
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Analyzing (Java) Source Code for Cryptographic Weaknesses- Editable slides (ODP), with speaker's notes, and non-editable (PDF), without speaker's notes
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Kevin W. Wall | Kevin W. Wall]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[File:kwwall-owasp-prezo-CryptoCodeWeaknesses--2015-12-03.odp]] and [[File:kwwall-owasp-prezo-CryptoCodeWeaknesses--2015-12-03.pdf]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Columbus, OH OWASP Chapter
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Dec 03, 2015
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |16
|-
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Introduction to Application Security - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jsokol | Josh Sokol]], [[user:Dancornell | Dan Cornell]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/f/f2/LASCON_2015_-_Web_Application_Developer_Security_Training.pptx Training Slides]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [http://www.lascon.org LASCON 2015]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | October 21, 2015
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |100
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Application Security – Where do I start?
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]], [[user:MichaelCoates | Michael Coates]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/4/44/OWASP-SF-2014.pdf Training Slides]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Jillians <br> San Francisco, CA
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Feb 24, 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | 200
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/4/4e/How_Do_I_Approach_Application_Security-1.pptx How_Do_I_Approach_Application_Security-1]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/c/ce/HTTP_Basics_-_2.pptx HTTP Basics]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/f/fb/Secure_Storage_-_3.pptx Secure Storage]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/c/cf/Injection-4.pptx Injection]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/e/e7/XSS_-_5.pptx XSS]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/9/9d/ClickJacking_-_6.pptx UI Redress]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/8/8e/Risks_of_Insecure_Communication_-7.pptx SSL-TLS]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]], [[user:Cassio_Goldschmidt | Cassio Goldschmidt]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/8/82/OWASP_HTTPS_Talk_v3.pptx HTTPS Best Practices]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | AppSec Cali 2015, SoCal 2015
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |500+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/6/6e/Virtual_Patching_-8.pptx Virtual Patching / WAF]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/a/a8/Web_App_Access_-_9.pptx Access Control]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
|}
[[Category:SAMM-EG-1]]

Education/Free Training

2015-12-05T00:32:22Z

Kevin W. Wall: Added presentation given to Columbus, OH OWASP Chapter on finding crypto weaknesses in Java source code.

[[image:Owasp banner web edu.jpg |1000px]]

The following courses either have been offered or are being offered free of charge courtesy of the trainers and the OWASP Foundation to anyone interested in learning about application security. Additionally, the training slides/coursework is available under an open source license and we encourage you to use it to set up your own training event!

If you are interested in setting up a training event through OWASP, [http://www.tfaforms.com/301382 submit your request here], we also have funding available to community members who may need help with travel, a venue or other logistics to get the event up and running. [https://www.owasp.org/index.php/Funding Click here for more information.]

Here are some general guidelines we have set up for free training courses within the OWASP Community:

# Use free and local when possible - donated venues or universities as well as trainers that are near by will help save on overhead costs
# Use open source training materials - we ask that you make your training materials available after the course, preferably in an editable format
# Use [https://www.owasp.org/images/5/5d/PPT_2013_Toolbox.zip OWASP template] for slides and keep any company branding to one bio slide
# Do an open call for training when possible to avoid giving preference to any one vendor/trainer and give others in the community a chance to participate
# If possible, do the training in a way and time that doesn't compete with paid training (especially at Global AppSec Conferences)

'''Credits:
A sincere thank you to Eoin Keary, Jim Manico, Dan Cornell, Josh Sokol and others who generously donated training content referenced below.'''

{| style="width:100%" border="0" cellpadding="1" align="center"
|-
| style="width:100%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="6" | '''Training Courses, Trainer Data, and Material'''
|- valign="bottom"
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Name/Topic'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Trainer Name(s)'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Materials'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Location'''
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Training Date'''
| style="width:15%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" | '''Number of Attendees'''
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Introduction to Application Security - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jsokol | Josh Sokol]], [[user:Dancornell | Dan Cornell]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/f/f2/LASCON_2015_-_Web_Application_Developer_Security_Training.pptx Training Slides]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [http://www.lascon.org LASCON 2015]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | October 21, 2015
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |100
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Application Security – Where do I start?
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]], [[user:MichaelCoates | Michael Coates]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/4/44/OWASP-SF-2014.pdf Training Slides]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Jillians <br> San Francisco, CA
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Feb 24, 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | 200
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/4/4e/How_Do_I_Approach_Application_Security-1.pptx How_Do_I_Approach_Application_Security-1]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/c/ce/HTTP_Basics_-_2.pptx HTTP Basics]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/f/fb/Secure_Storage_-_3.pptx Secure Storage]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/c/cf/Injection-4.pptx Injection]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/e/e7/XSS_-_5.pptx XSS]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/9/9d/ClickJacking_-_6.pptx UI Redress]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/8/8e/Risks_of_Insecure_Communication_-7.pptx SSL-TLS]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]], [[user:Cassio_Goldschmidt | Cassio Goldschmidt]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/8/82/OWASP_HTTPS_Talk_v3.pptx HTTPS Best Practices]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | AppSec Cali 2015, SoCal 2015
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |500+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/6/6e/Virtual_Patching_-8.pptx Virtual Patching / WAF]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Approaching App Sec - Editable slides (pptx)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Jmanico | Jim Manico]], [[user:EoinKeary | Eoin Keary]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [https://www.owasp.org/images/a/a8/Web_App_Access_-_9.pptx Access Control]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | RSA 2013 EU, RSA 2013 USA, Lascon 2013, OWASP AsiaPac 2014
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |1000+
|- valign="bottom"
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Analyzing (Java) Source Code for Cryptographic Weaknesses- Editable slides (ODP), with speaker's notes, and non-editable (PDF), without speaker's notes
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[user:Kevin W. Wall | Kevin W. Wall]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | [[File:kwwall-owasp-prezo-CryptoCodeWeaknesses--2015-12-03.odp]] and [[File:kwwall-owasp-prezo-CryptoCodeWeaknesses--2015-12-03.pdf]]
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" | Columbus, OH OWASP Chapter (2015-12-03)
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" |16
|-
|}
[[Category:SAMM-EG-1]]

User:Kevin W. Wall

2015-12-05T00:22:04Z

Kevin W. Wall: /* Day job */

=== Involved in OWASP ESAPI for Java EE project, starting in July, 2009. ===

*Completely rewrote the [[ESAPI]] 2.0 symmetric encryption<br>
*General ESAPI 2.0 code clean-up and bug fixes.
*Project owner of ESAPI for Java prohect

=== Involved in OWASP ESAPI for C++ (since May, 2011) ===
* Troublesome meddler (aka, tor-mentor)
* Working on porting ESAPI 2.0's crypto to C++ along with Jeff Walton.
* I swore I'd never do C++ again; I must be out of my freakin' mind.

=== Day job ===
* Currently Information Security Engineer at Wells Fargo, part of Secure Code Review team
* Formerly Staff Security Engineer at CenturyLink (f/k/a Qwest)
* Formerly tech lead of Application Security Team at Qwest for 11 years
* Full-time husband and father

=== Memberships and certifications ===
* Member of ACM, IEEE Computer Society, OWASP, and InfraGuard
* ISC^2 CISSP
* GIAC Certified Web Application Security Defender (GWEB)

=== Other ===

* Active participant in following mailing lists: Security Coding, Web Application Security, IPCop-Users, OWASP-ESAPI, cryptography
* Interests include reading, soccer (futbol), cryptography, and computer security
* Blog: [[http://off-the-wall-security.blogspot.com/ Off-the-Wall Security]]
* My OWASP Wiki contributions: [[Special:Contributions/Kevin_W._Wall]]

File:Kwwall-owasp-prezo-CryptoCodeWeaknesses--2015-12-03.pdf

2015-12-04T23:45:32Z

Kevin W. Wall: Presentation by Kevin W. Wall to the Columbus, OH OWASP Chapter Title: Analyzing (Java) Source Code for Cryptographic Weaknesses Format: Slide (PDF), no speaker's notes Licensed under CC BY-NC-SA 3.0 US.

Presentation by Kevin W. Wall to the Columbus, OH OWASP Chapter
Title: Analyzing (Java) Source Code for Cryptographic Weaknesses
Format: Slide (PDF), no speaker's notes
Licensed under CC BY-NC-SA 3.0 US.

File:Kwwall-owasp-prezo-CryptoCodeWeaknesses--2015-12-03.odp

2015-12-04T23:44:02Z

Kevin W. Wall: Presentation by Kevin W. Wall to the Columbus, OH OWASP Chapter Title: Analyzing (Java) Source Code for Cryptographic Weaknesses Format: Slide (ODP format), with speaker's notes Licensed under CC BY-NC-SA 3.0 US.

Presentation by Kevin W. Wall to the Columbus, OH OWASP Chapter
Title: Analyzing (Java) Source Code for Cryptographic Weaknesses
Format: Slide (ODP format), with speaker's notes
Licensed under CC BY-NC-SA 3.0 US.

GPC Project Details/OWASP Enterprise Security API Java EE Version

2015-01-21T04:43:21Z

Kevin W. Wall:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude>
| project_name = OWASP ESAPI for Java EE
| project_description = This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
* The current release of this project '''is''' suitable for production use
* The ESAPI 2.x branch supports Java 1.5 and above. You may view the Javadocs here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html
* The ESAPI 1.4 branch supports Java 1.4 and above. Complete information on latest 1.4 branch dependencies can be found here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
* The OWASP AppSensor-ESAPI integration guide is out! [[AppSensor_GettingStarted]]



| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]
| leader_name = Jeff Williams
| leader_email = jeff.williams@owasp.org
| leader_username = Jeff_Williams
| past_leaders_special_contributions =
| maintainer_name =
| maintainer_email =
| maintainer_username =
| contributor_name1 = Chris Schmidt
| contributor_email1 = chrisisbeef@gmail.com
| contributor_username1 = Chris_Schmidt
| contributor_name2 = Kevin W. Wall
| contributor_email2 = kevin.w.wall@gmail.com
| contributor_username2 = Kevin_W._Wall
| contributor_name3 =
| contributor_email3 =
| contributor_username3 =
| contributor_name4 =
| contributor_email4 =
| contributor_username4 =
| contributor_name5 =
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link =
| presentation_link =
| mailing_list_name = esapi-dev
| links_url1 = http://code.google.com/p/owasp-esapi-java/downloads/list
| links_name1 = All ESAPI Downloads
| links_url2 = http://owasp-esapi-java.googlecode.com/files/ESAPI-1.4.4.zip
| links_name2 = ESAPI 1.4.4 - complete zip (Java 1.4+)
| links_url3 = http://code.google.com/p/owasp-esapi-java
| links_name3 = Google code repository for ESAPI JAVA
| links_url4 = http://code.google.com/p/owasp-esapi-java/issues/list
| links_name4 = Report a bug! (requires Google account)
| links_url5 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html
| links_name5 = ESAPI 2.0.1 Javadocs
| links_url6 = http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
| links_name6 = ESAPI 1.4.4 Javadocs
| links_url7 = http://www.owasp.org/index.php/ESAPI-Building
| links_name7 = How to build ESAPI 2.0 with Maven
| links_url8 = http://www.owasp.org/index.php/ESAPI-BuildingWithEclipse
| links_name8 = How to build ESAPI 2.0 with Maven via Eclipse
| project_road_map =
| project_health_status =
| current_release_name =
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name =
| current_release_leader_email =
| current_release_leader_username =
| current_release_details =
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
| last_GPC_update = 4/10/2009
| GPC_Notes = Empty template (Java EE Version)
| project_home_page = :Category:OWASP_Enterprise_Security_API
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version
}}

Winter Code Sprint

2014-10-12T03:15:06Z

Kevin W. Wall: Added 4 ESAPI related project proposals

[[File:WinterCode.png|500px|right]]
== OWASP Winter Code Sprint ==

== Foreword ==

The OWASP Winter Code Sprint (OWCS) is a program to involve students with Security projects. By participating in OWCS a student can get real life experience while contributing to an open source project and getting university credits.

== Benefits ==

You get to work for a popular project.
Since the project is open source your work is publicly visible.
You get university credits while doing so.
You are supervised by a person with real-world experience on security
You make excellent contacts and you participate in an international team

== Perks ==

Students who successfully(*) participate in the project will get:

* An OWASP annual individual membership. More info here: http://owasp.com/index.php/Individual_Member
* An OWASP Winter Code Sprint t-shirt.
* An OWASP conference pass (no flight/accommodation - just an OWASP conference pass of choice)

(*) successful participation means a passing score granted by University authorities.

== How it works: ==

Any project that will give you university credits can participate in OCWS. Each project will be guided by an OWASP mentor along with a professor. Students are graded by their University, based on success criteria identified at the beginning of the project.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. OWASP does not influence the way grades are allocated. The OWASP advisers will provide any information professors need in order to grade their students.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

== How you can participate: ==

=== As a Student ===

1. Review the list of OWASP Projects currently participating in OWCS

2. Get in touch with the OWASP Project mentor of your choice.

3. Agree deliverables with OWASP mentor and university professor.

4. Work away during Autumn/Winter 2014

5. Rise to Open Source Development Glory :-)

(Students apply now!)https://docs.google.com/forms/d/1CFPzLIRje6Wb34MHq-8HwG0pjlkDixHA3xITVssN_Jw/viewform

=== As a Professor ===

1. Review the list of OWASP Projects currently participating in OWCS

2. Get in touch with the OWASP Project mentor of your choice.

3. Promote the participating OWASP Projects among students. Here is a handy slide deck that could be useful: [https://www.owasp.org/images/3/3c/WinterCodeSprint.pdf Slides]

4. Review student progress with help from OWASP mentors.

5. Grade student work according to university scoring system.

6. Provide student grade results to OWASP mentor/s.

=== As an OWASP Project Leader ===

1. Edit this page adding your project and some proposed tasks as per the examples

2. Promote the initiative to your academic contacts

== Mailing List ==

Please subscribe to the following mailing list to receive updates or ask any particular questions:

[https://groups.google.com/forum/#!forum/owasp-winter-code-sprint OWASP Winter Code Sprint Google Group]

== How to Apply ==

Please fill up this form before the deadline.

https://docs.google.com/forms/d/1CFPzLIRje6Wb34MHq-8HwG0pjlkDixHA3xITVssN_Jw/viewform

== Deadlines ==

To facilitate the participation in the initiative for as many universities as possible, there are 2 deadlines for applying. The first one is 15 September 2014 and the next one is 15 October 2014.
The double deadline means that OWASP Leaders will review the submissions and announce the choosen projects two times.
Once at the end of September and once at the end of October.

== Participating OWASP Projects ==

=== OWASP OWTF - VMS - OWTF Vulnerability Management System (FREE!) ===

'''Brief explanation:'''

Background problem to solve:

We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date.

Proposed solution:

We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.

[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - HTTP Request Translator (FREE!) ===

'''Brief explanation:'''

Problem to solve:

There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.

Proposed solution:

An HTTP request translator, a *standalone* *tool* that can:

1) Be used from inside OR outside of OWTF.

2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts

3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)
* Transforms with boundary strings? (TBD)
* Individually or in bulk? (TBD)

'''Essential Function: "--output" argument'''

CRITICAL: The command/script should be generated so that the request is sent as literally as possible.

Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.

NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)
* http request in => curl command out
* http request in => bash script out
* http request in => python script out
* http request in => php script out
* http request in => ruby script out
* http request in => PowerShell script out

'''Basic additional arguments:'''

- "--proxy" argument: generates the command/script with the relevant proxy option

NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)

- "--string-search" argument: generates the command/script so that it:

1) performs the request

2) then searches for something in the response (i.e. literal match)

- "--regex-search" argument: generates the command/script so that it:
1) performs the request

2) then searches for something in the response (i.e. regex match)

'''OWTF integration'''

The idea here, is to invoke this tool from:

1) Single HTTP transactions:

For example, have a button to "export http request" + then show options equivalent to the flags

2) Multiple HTTP transactions:

Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).

'''Desired input formats:'''

* Read raw HTTP request from stdin -Suggested default behaviour! :)-

Example: cat path/to/http_request.txt | http-request-translator.py --output

* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"

Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"

Example:

1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)

2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"

3) User pastes a raw HTTP requests + hits enter

4) Tool outputs whatever is relevant for the flags + http request given

* For bulk processing: Maybe a directory of raw http request files?

'''Nice to have: Transforms'''

In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.

Example:

NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"

Step 1) The user provides a raw HTTP request like this:

GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test
Host: target.com
...

Step 2) The tool generates a bash script like the following:

#!/bin/bash

PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")
curl ...... "http://target.com/path/to/$PARAM1/test"

OR a "curl command" like the following:
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"

This feature can be valuable to shave a bit more time in script writing.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - JavaScript Library Sniper (FREE!) ===

'''Brief explanation:'''
This is a project that tries to resolve a very common problem during penetration tests:

The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.

To solve this problem, we propose a *standalone* *tool* that can:

1) Be run BOTH from inside AND outside of OWTF

2) Build and *update* a fingerprint JavaScript library database of:
* Library File hashes => JavaScript Library version
* Library File lengths => JavaScript Library version
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)

3) Build and *update* a vulnerability database of:
* JavaScript Library version => CVE - CVSS score - Vulnerability info

4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:
* JavaScript Library version
* List of vulnerabilities sorted in descending CVSS score order

5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:
* ALL Library/vulnerability matches described on 4)

Once the standalone tool is built and verified to be working, OWTF should be able to:

Feature 1) GREP plugin improvement (Web Application Fingerprint):

Step 1) Lookup file lengths and hashes in the "JavaScript library database"

Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user

Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):

1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-

2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)

Potential projects worth having a look for potential overlap/inspiration:
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]

How many JavaScript libraries should be included?
* As many as possible, but especially the major ones: jQuery, knockout, etc.
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-

Common JavaScript library fingerprinting techniques include:
* Parse the JavaScript file and grab the version from there
* Determine the JavaScript version based on a hash of the file
* Determine the JavaScript version based on the length of the file

Other Challenges:
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"
* When the JavaScript file does not match a specific version:
1) The commit that matches the closest should (ideally) be found
2) The NEXT library version after that commit (if present) should be found
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Off-line HTTP traffic uploader (FREE!) ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Health Monitor (FREE!) ===

'''Brief explanation:'''

In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.

For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:

'''Feature 1) Alerting mechanisms'''

When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:
* Playing an mp3 song (both local and possibly remote locations)
* Scan status overview on the CLI
* Scan status overview on the GUI

NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.

'''Feature 2) Corrective mechanisms'''

Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:
* Stop this tool
* Freeze this process (to continue later)
* Freeze the whole scan (to continue later)

Additional mechanisms:
* Show a ranking of files that take the most space

'''Feature 3) Target monitor'''

Brief overview:

All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).

Potential approach: Check if length of 1st page changes every 60 seconds.

NOTE: It might be needed to change this on the fly.

More background

Consider the following scenario:

Current Situation aka "problem to solve":

1) Website X goes down during a scan

2) the customer notices

3) the customer tells the boss

4) the boss tells the pentester

5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)

Desired situation aka "solution":

It would be much more professional AND efficient that:

1) The pentester notices

2) The pentester tells the boss

3) The boss tells the customer

4) OWTF stops the tool because it knows that website is DEAD anyway

A target monitor could easily do this with heartbeat requests + playing mp3s

The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"

'''Feature 4) Disk space monitor'''

Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).

Proposed solution:

Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).

'''Feature 5) Network/Internet Connectivity monitor'''

Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:

1) Detects the lack of connectivity

2) Freezes all the tools (read: processes) in progress

3) Resumes the scan when the connectivity is back.

'''Feature 6) Tool crash detection'''

Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)

'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''

OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Installation Improvements and Package manager (FREE!) ===

'''Brief explanation:'''

This project is to implement what was suggested in the following github issue:
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]

Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?
Having a private server with:
* pre-installed files for VMs
* pre-configured and patched tools
* Merged Lists
* Pre-configured certificates
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.
Additional ideas are welcome.

-- They could be hosted on Dropbox or a private VPS :)

2 Installation Modes
* For high speed connections (Downloading the files uncompressed)
* For low speed connections (Downloading the files compressed)
and the installation crashed because i runned out of space in the vm
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - GSoC project extension ===

'''Brief explanation:'''

This is a wildcard entry for all those GSoC project improvements that you had in mind.
The actual work performed will depend on the GSoC project you would like to extend.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Prerequisite:'''

Ideally be the author of the relevant GSoC project you would like to extend :)

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Testing Framework Improvements (TAKEN!) ===

'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

'''Top features'''

In this improvement phase, the Testing Framework should:
* (Top Prio) Focus more on functional tests
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)
* (Top Prio) Put together a great wiki documentation section for contributors
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.
* (Top Prio) Fix the current Travis issues :)
* (Nice to have) Bring the unit tests up to speed with the codebase
This will be challenging but very worth trying after top priorities.
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.

'''General background'''

The Unit Test Framework should be able to:
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
* Allow to regression test by test categories (i.e. "test only web plugins")
* Allow to regression test everything (i.e. plugins + framework core: "test all")
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
* Perform well so that we can run as many tests as possible in a given period of time
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Tool utilities module (TAKEN!) ===

'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''

'''Brief explanation:'''

The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.

'''Feature 1) Vulnerable software version database:'''

Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).

Example:
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]

'''Feature 2) Nmap output file merger:'''

Unify nmap files *without* losing data: XML, text and greppable formats
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).

'''Feature 3) Nmap output file vulnerability mapper'''

From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):

1) CVEs in reverse order of CVSS score, with links.

2) Metasploit modules available for each CVE / issue

NOTE: Can supply an *old* shell script for reference

3) Servers/ports affected (i.e. all server / port combinations using that software version)

'''Feature 4) URL target list creator:'''

Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF

'''Feature 5) Hydra command creator:'''

nmap file in => Hydra command list out

grep http auth / login pages in output files to identify login interfaces => Hydra command list out

'''Feature 6) WP-scan command creator:'''

look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP Hackademic Challenges - Source Code testing environment ===

'''Brief Explanation:'''

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

'''Expected Results:'''

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''OWASP Hackademic Mentors:'''
Konstantinos Papapanagiotou, Spyros Gasteratos - Contact: Konstantinos@owasp.org / spyros.gasteratos@owasp.org

=== OWASP Hackademic Challenges - Challenge Sandbox ===

Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend,
we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected.
Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.

Ideas on the project:

''' *Administrator's point of view* '''

Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s).
Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server.
The student is expected to provide configuration scripts that do the above

''' *Coder's Way* '''

This is better explained with an example:
In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function.
The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.).
The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).

''' * Your solution here * '''

''' Expected results '''

You should be able to upload a trully vulnerable web application as a hackademic challenge without compromising the server outside the sandbox.

=== OWASP Hackademic Challenges - CMS improvements ===

'''Brief Explanation:'''

The new CMS was created during 2012 GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.
For a complete list you can take a look at the issues in our github page here https://github.com/Hackademic/hackademic
Some ideas to get you started:
Ideas on this project:

* ''' Template''' *

Since it's creation the project has received a good number of new features, but the visual/ux/ui part has never gotten much love.
It would be good if we had a new template with proper ui design.

* '''Questionaire creation plugin''' *

We'd like the admin to be able to create questionaires, assign rules for each question (e.g. correct answer +2pts incorrect answer -2, no answer 0) and assign them to students as homework/exams.
The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionaire.

* '''Ability to show different articles on the user's home screen'''

Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.

* '''Gamification of the user's progress''' *

A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.

* '''Ability to define series of challenges'''

The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.

* ''' Tagging of articles, users, challenges '''

A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.
Also the user should be able to search according to the tags.

* '''Your idea here'''

We welcome new ideas to make the project look awesome.

'''Expected Results:'''

New features and security improvements on the CMS part of the project.

'''Knowledge Prerequisites:'''

Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements.

'''OWASP Hackademic Mentors:'''
Konstantinos Papapanagiotou, Spyros Gasteratos - Contact: Konstantinos@owasp.org / spyros.gasteratos@owasp.org

=== OWASP Hackademic Challenges - Fix issues ===

Hackdemic has an issues page [here | https://github.com/Hackademic/hackademic/issues] some of the issues are small projects which can be solved in an afternoon, others need more work. If your professor agrees with the workload, you can fix one or multiple issues as part of OWCS. Additionally, you can open some issues that later you can fix, or propose new features.

''' Knowledge Prerequisites '''
PHP and optionally some knowledge of application security.

''' NOTE '''

This "project" was added to encourage students to be creative and participate, we do accept projects outside the ones proposed if they can be integraded to the platform and are relevant to the purpose of Hackademic.

=== OWASP ZAP - Web UI ===

'''Brief explanation: '''

ZAP is already an extremely capable tool used by many different groups of users. Work has already been done to make ZAP useful in environments where it can't run interactively (e.g. via the API). ZAP main Swing UI doesn't provide convenient access to remote users; a UI which provides some functionality for for users in such environments would be very useful.

Adding a powerful HTML interface to ZAP would allow it to operate in an even wider range of situations.

'''Expected Results:'''

* A working example of an effective HTML UI that allows ZAP to be configured or used in a new way.

'''Optional:'''

Multi user / access controls, etc?

'''General background'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML, CSS and JavaScript. Some knowledge of application security would be useful, but not essential.

'''OWASP ZAP Mentor:'''
Simon Bennetts - Contact: psiinon@gmail.com

=== OWASP ZAP - Advanced reporting ===

'''Brief explanation:'''
OWASP ZAP has a limited reporting feature. The actual version can print only the 'Alerts' results into a simple pdf, html or in xml format.

'''Expected Results:'''
We want to be able to print more than the Alerts results , which includes many other outputs such as: Request and Response, Active Scan, Zest among others.

'''General background'''
During the Gsoc 2013, we did a research and a prototype module was created, using BIRT plugins for Advance reporting. Read more about the results of the explorative research : https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT]

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''OWASP ZAP Mentor:'''
Johanna Curiel - Contact: johanna.curiel@owasp.org

=== OWASP ZAP - CI Integration ===

'''Brief explanation:'''

ZAP is ideally suited for performing security tests in a Continuous Integration environment.

Right now there are a lot of manual steps to perform. This development will be to investigate and implement code/plugins etc to make it much easier to integrate ZAP with tools like Selenium and Jenkins / Hudson.

'''Expected Results:'''

Code, plugins and documentation to make it as easy as possible to integrate ZAP with common CI tools.

'''General background'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''OWASP ZAP Mentor:'''
Simon Bennetts - Contact: psiinon@gmail.com

=== OWASP ESAPI - Build Apache Struts 2 component ===

'''Brief Explanation:'''

Struts2 is one of the most widely used Java MVC frameworks, users of ESAPI are regularly looking for pluggable components that they can drop into their application to utilize ESAPI within the context of their application framework. The goal of this task is to create a set of pluggable components that integrate ESAPI into Struts2 to utilize ESAPI Encoders, Validation, and Intrusion Detection with the least amount of manual work and configuration.

'''Expected Results:'''

A standalone project that uses ESAPI Components in a Struts2 add-on. This can
be placed with the 'contrib' section of ESAPI.

'''Knowledge Prerequisites:'''

A solid understanding of Java and Apache Struts, comfort developing unit tests in JUnit and functional tests using Selenium or HttpUnit as well as maintaining a Maven build.

'''OWASP ESAPI Mentor:'''
Kevin W. Wall - OWASP ESAPI for Java Project Leader - kevin.w.wall@gmail.com

===OWASP ESAPI -- Port OWASP Swingset Interactive to use ESAPI 2.x===

'''Brief explanation:'''

The ESAPI Swingset Interactive is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library. The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. The goal of this project is to adapt the Swingset Interactive to work with the ESAPI 2.x libraries.

'''Expected results:'''

Make the current Swingset Interactive application compatible with ESAPI 2.x. Swingset Interactive currently comes with ESAPI 1.4. Various changes and improvements were made with ESAPI 2.x and it is generally recommended not to use 1.4 any longer for Java EE Projects.

Additional relevant references:
Web site: https://www.owasp.org/index.php/Projects/OWASP_ESAPI_Swingset_Interactive_Project
Mailing List: http://lists.owasp.org/pipermail/owasp-esapi-swingset/

'''Knowledge Prerequisite:'''

A basic knowledge of Java, Java Servlets is necessary, as is knowledge of HTML.
A working knowledge of ESAPI would be helpful.

'''OWASP ESAPI Mentor:'''
Kevin W. Wall - OWASP ESAPI for Java Project Leader - kevin.w.wall@gmail.com

===OWASP ESAPI 2.x - Enhance Security Configuration===

'''Brief explanation:'''
There are currently more than a half-dozen of open Google Issues in ESAPI regarding the security configuration component (e.g., see ESAPI Security Configuration Issues).

The ESAPI interface for its configuration (SecurityConfiguration) is overly complicated; it has a 'getter' method specific to almost every ESAPI configuration property. The rules for how and where the ESAPI.properties file is found are overly complicated making questions about it one of the most frequently asked questions on forums such as Stack Exchange and the ESAPI mailing lists. This complication leads to a unduly intricate, non-modular reference implementation (DefaultSecurityConfiguration) that makes it difficult to extend in terms of new functionality.

A new, simpler security configuration interface and implementation is needed. Such an implementation would not only be useful for ESAPI 2.x, but could very well be used to build the configurator needed by ESAPI 3.

'''Expected results:'''
As part of this Winder Code Sprint project, expectations would not only to address as many of the open security configuration issues as possible, but to also go beyond this to allow a framework for additional extensions in terms of functionality.

Specific expectations include:
* An improved, but simpler API for the security configuration part of ESAPI.
* Alternate configuration stores other than Java properties files (e.g., XML, database), to be supported.
* The ability to split the ESAPI configuration data into smaller, more manageable chunks to result in more maintainability and allow for better enforcement of corporate security policies.
* Continued backward compatibility with ESAPI 2.1.x or an extremely simple migration path forward.

'''Knowledge Prerequisite:'''

Since the ESAPI 2.x project is written in Java, a good knowledge of Java is essential. A strong knowledge of JUnit will also be helpful in creating unit test cases. A working knowledge of XML or JDBC may also prove helpful.

'''OWASP ESAPI Mentor:'''
Kevin W. Wall - OWASP ESAPI for Java Project Leader - kevin.w.wall@gmail.com

===OWASP ESAPI 2.x - Miscellaneous multiple bug fixes===

'''Brief Explanation:'''

Fix at least 5 bugs listed in Google Issues.

There are currently (as of Oct 11, 2014) 170 open issues for ESAPI listed at https://code.google.com/p/owasp-esapi-java/issues/list.

Students would be expected to fix at least 5 bugs, including at least 3 bugs that do NOT have the "FirstBug" label.

'''Expected Results:'''
Students must write well documented code along with appropriate unit tests cases in JUnit. Code will be reviewed by mentor and must meet mentor's possibly subjective code review with respect to correctness, completeness, and quality.

'''Knowledge Prerequisites:'''
A solid understanding of Java and comfort developing unit tests in JUnit as well as a beginner understanding of OWASP Top 10 issues. An understanding of ESAPI security controls would also be helpful.

'''OWASP ESAPI Mentor:'''
Kevin W. Wall - OWASP ESAPI for Java Project Leader - kevin.w.wall@gmail.com

== Participating Universities, Professors ==

Here's a small and not complete list of professors who are accepting participants (If your professor wants to accept more than one team, and you want to help your classmates please add institute name and professor/course here)

== More info? ==
Please get in touch with the OWASP Winter Code Sprint Lead: spyros.gasteratos@owasp.org

Governance/ProjectProgramModels

2014-05-08T02:02:17Z

Kevin W. Wall: Kevin Wall added comments about these 3 options. There are more comments under the Discussion page.

= Purpose =
OWASP needs help from our community to define an OWASP Projects Program model that will meet the needs of our leaders. To do so we are engaging the community to discuss and flush out different options. We would like to have a vote on this to ensure that the community has a say in how the foundation moves forward.

= The Options =
''Please feel free to add additional bullets to any of the cells. Please do not remove existing items.''

{| {{table border=1}}
| align="center" style="background:#f0f0f0;"|'''Option'''
| align="center" style="background:#f0f0f0;"|'''1 - Flagships get majority of resources to increase quality.'''
| align="center" style="background:#f0f0f0;"|'''2 - Develop two separate programs: Quality focused and Innovation focused'''
| align="center" style="background:#f0f0f0;"|'''3 - Community project review centric model'''
|-
| '''Summary Description'''
||
Drop the Lab designation, and only have Incubator and Flagship projects. Flagship project status would be determined by community vote, and our resources would go towards developing Flagship projects, based on community input. Incubators would get less attention and support.
*Keeps both Flagships and Incubators under the same program (as official "OWASP Projects").
*Would remove resources from Incubators and funnel the majority of resources into the Flagship Projects.
||
Separate focus of OWASP projects into two separate programs. One will focus on increasing the quality of a handful of projects selected by the community, and the other program will focus on developing a platform for new leaders that facilitates innovation, research, and testing.
*Takes two community requests (increase quality, platform for innovation), and separate each request into to programs.
*Allows the foundation to have clearly defined goals for each program.
||
This is the approach we are currently using. This approach requires that the community conduct project reviews to graduate projects, and it requires a twice yearly project audit to demote projects that are currently inactive.
*Current approach
*Requires a large task force of community reviewers to make sure our project graduation process is functioning efficiently.
|-
| '''How are Flagships Selected?'''
||Community Vote
||Community Vote
||Community Project Health and Quality Reviews
|-
| '''New Project Designations'''
||
*Official OWASP Project: Projects that OWASP actively maintains and promotes. In reality, these are what flagship projects should be under the current system. The majority of our resources and time should be used to improve the quality and sustain these projects.
*OWASP Supported Projects: These would be similar to what the incubators are under our current system. Encourages innovation and it allows starting members to become engaged and involved. These can be managed in the same way we manage incubators now.
*OWASP Sunset Projects: Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we will not directly support as they are not actively maintained or being worked on.
||
*OWASP Flagship Project: Projects that OWASP actively maintains and promotes. The majority of our resources and time would be used to improve the quality and sustain these projects.
*OWASP Incubator Projects: These would be all of the rest of our projects. These can be managed in the same way we manage incubators and lab projects now.
*OWASP Sunset Projects: This is the same as Proposal 1. Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we will not directly support as they are not actively maintained or being worked on.
||
*OWASP Flagship Project: Projects that OWASP actively maintains (but does not manage) and promotes.
*OWASP Lab Projects: Projects with beta or stable release that wish to graduate to Lab.
*OWASP Incubator Projects: All new projects, managed the same way we manage incubators projects now.
*OWASP Sunset Projects: Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we will not directly support as they are not actively maintained or being worked on.
|-
| '''Project Quality'''
||
Consolidate Foundation resources to help improve quality of Flagship projects only. This will give the majority of our resources to a handful of projects.
||
*Flagship Project Program: As mentioned above, these projects would be the ones OWASP actively maintains and seeks to increase the quality of. We can re-name this program (if necessary). Recommended that we limit the number of projects in this program for any given year (i.e. no more than 6 projects). Additionally, Flagship projects would be voted on by the community (which projects should be flagship).
*'''Primary Goal of the Program''': To increase the quality of a select few number of OWASP projects selected by our community stakeholders and consumers.
*OWASP Projects Program: This would be similar to what we have now which is a platform for research and innovation. All projects under this platform would have the same designation unless they are sunset or inactive projects. They would get the same benefits they do now and the same opportunities.
*'''Primary Goal of the Program''': To maintain a research and innovation platform for our community to test ideas and theories.
||
The foundation has no direct influence over the quality of the project. The quality of the project is dependent on the project leader’s individual time, resources, and output.
|-
| '''Project Reviews'''
||
The Foundation facilitates a technical review of the community selected "Official" projects once a year, and the Incubator projects only get reviewed if they ask for one. The reviews are conducted by the community for supported projects.
||
*For the OWASP Projects Program, we would only conduct reviews for those projects that ask for them. The reviews will be primarily to give feedback to the leader about their research/ideas and on their project health.
*For the Flagship Program, reviews would be mandatory, and I recommend the new technical person conduct them. I further recommend they be done every quarter for each project. It is far more manageable since we would only have 6 or so projects in this program.
||
Project reviews are only done for those projects that want reviews, or that would like to graduate to the next level.
|-
| '''Resources and Funding'''
||
The majority of our resources and funding will go towards the development of higher quality Official OWASP projects. Supported projects will still have access to resources, but they will be minimal.
||
Each program would need to have their own budget. The Flagship program would only spend their funds on items that increase project quality. It would be required that flagship submit a detailed project plan and budget. The Projects Program would have a budget that would fund items like project dev work, the project summit, OSS, marketing/design costs, etc.
||
All projects get access to funding; however, Flagships get priority for funding for project development work. Funding items like project dev work, the project summit, OSS, marketing/design costs, etc are still available to all projects.
|-
| '''Positives of this approach'''
|| 
# Simplifies the process from an operational perspective as we would be primarily focusing on increasing the quality of a very small community selected group of projects.
# Increases community involvement.
# Incentivizes Leaders to make their projects user friendly, high quality, and highly volunteer engaged.
||
# Separates two different focus areas into two separate programs.
# Increases community involvement.
# Incentivizes Leaders to make their projects user friendly, high quality, and highly volunteer engaged.
||
# No adaptation needed in the operational and financial plan for 2014
|-
| '''Negatives of this approach'''
||
# Community vote might turn into a popularity contest.
# OWASP Official projects will take the majority of resources from all other projects.
# We will still have two separate focus areas under one program.
# Project development work will still be dependent on volunteer resources.
||
# Will require an additional foundation hire to manage Flagship Project Program.
# Project development work will still be dependent on volunteer resources.
||
# The model requires too many resources to manage efficiently.
# Foundation has no direct influence over project quality. Foundation can only suggest improvements.
|-
| '''Any other considerations'''
||
# Kevin Wall: Regarding "How are flagships selected?", I would view a community vote as a last resort. Rather I think a better option is to propose some objective criteria by which all projects (or at least projects of a specific type, such as software projects) can be measured. A "community vote" could them be used to vote of the proposed criteria. I think that such an approach is more work initially, but in the long run, I think it is less likely to turn into a popularity vote with the most visible projects becoming flagship projects.
# Kevin Wall: Under "New Project Designations", the first bullet states "Projects that OWASP actively maintains and promotes"...what ''specifically'' do you have in mind? This seems rather nebulous, kind of like "I'll know it when I see it" thing, but not everyone may have the same conceptual model in mind. If we are going to give funds to flagship projects, then I want to know details of how this will be done.
# Kevin Wall: Under "Project Quality", a similar statement. How exactly will the OWASP Foundation resources help to improve the quality. My personal belief is that whatever we've been doing has failed miserably. The key to sustaining a successful project is to have a sufficiently sized core of engaged OWASP volunteers working on this. I personally don't think that paying people to write code is going to help much. Case in point...I don't think that OWASP could afford the normal rates that any of the ESAPI contributors would normally get. So people have to contribute because they ''want'' to, because they're motivated. So how is the OWASP Foundation going to do that?
# Kevin Wall: Under reason #2 for "Positives of this approach"...my comment is REALLY??? How? Specifically, how is this different than Option #2?
# Kevin Wall: Under "Negatives of this approach", regarding statement #1. I don't think there is any 'might' about it.
||
# Kevin Wall: Same comment as comment #1 for Option 1.
# Kevin Wall: Also under "Summary Description", the lead in paragraphs...how is this DIFFERENT than Option #1?
# Kevin Wall: Regarding the 2nd bullet item under "Summary Description" for this option...this bullet is a MIST, but I don't see why it is exclusive to Option #2.
# Kevin Wall: Regarding "Resources and Funding", I think this is an excellent idea, but at a bare minimum, some board-given guidelines would be required. I don't think I'd want the project themselves having complete autonomy here. Also, for this to work I think each project would have to have some dedicated PM resources as developer generally are neither very good, nor found of doing things like the issues described here. (But perhaps this was already anticipated and what was in mind in #1 under "Negatives of this approach"???)
||
# Kevin Wall: Lead-in sentence under "Summary Description" for Option #3...if this is the approach that we are "currently using" than why have we not been doing regular (twice yearly!) community project reviews? I had not even heard about them until 3Q2013. And ''if'' we have been doing them, why have they been such a failure?
# Kevin Wall: Under the 2nd bullet for "New Project Designations"... did you mean to say "graduate to Flagship" rather than "graduate to Lab" since the context here was Lab projects?
# Kevin Wall: A comment on the 2nd sentence under "Project Quality" for this option: In reality, I believe that this will also be true for Options #1 and #2 for both Flagship and Lab projects. See my earlier comments regarding paid versus volunteer help under Option #1.
# Kevin Wall: Under "Project Reviews"... this statement is in contradiction to what was stated in the lead-in sentences under "Summary Description" for Option #3 where it discusses two mandatory reviews per year. So apparently I am confused or one or both of these statements need clarification.

|}

= Additional Comments =
Use this space to provide additional comments on any of the existing text. For example, perhaps you disagree with something that is above. Please note your thoughts in this section.

# James McGovern - I can't quite tell if this model will provide service equally to builders vs breakers vs defenders. Has OWASP looked at models that are role-aligned? For example stuff that CISOs care about vs developers vs project managers, etc
# Kevin Wall - James is absolutely right. I had only considered software vs. documentation projects, but that's another legitimate way to cut the pie.
# Kevin Wall - I have further comments under the Discussion page.

Talk:Governance/ProjectProgramModels

2014-05-08T01:25:54Z

Kevin W. Wall: Discussion page for ProjectProgramModels

I wanted to create this discussion page for general questions and discussions of this corresponding wiki page.

'''General Comments'''
* I don't even think this conversation can be started without a clear definition of terms, goals, benefits, and criteria of the different project types.
* Beyond that, I think that it is naive to think that projects like Top 10 or Dev Guide, etc. that are documentation projects which are only published every few years can be / should be treated similar to projects that are some software product. Perhaps the content of this wik page may only be referring to the later, but it is so nebulous in its wording that I can't be sure.

'''Content Comments'''
* I found the way these options were presented somewhat confusing. The differences between the options, and especially options #1 and #2 (i.e., columns 1 and 2) is in my opinion, rather nuanced because there seemed to be more similarities than differences.
* I feel that is wrong to try to shoehorn all the different project types into a single categorization. At the very least, I don't see how you can compare a documentation project that only is intended to have some tangible output every N years (e.g., the OWASP Top Ten, the OWASP Development Guide, etc.) with software projects where people are expecting regular updates. At best, that's an apples to oranges comparison. I'm not even sure we can measure it by "activity" because most of the documentation projects that only produce output every N years naturally are going to have a major lull in activity during the off years.
* I believe that the ''some'' consideration at least should be placed trying to understand the ''reasons'' that a project seems to be failing. As George Santayana said "Those who cannot remember the past are condemned to repeat it", so if nothing else, we should be collecting "lessons learned" with failed / sunset projects to understand the reasons for their demise.
* I too have a major concern that if put to community vote, this will become a popularity contest. In fact, in each of the options I see that both WebScarab and ESAPI were listed as "sunset" status, yet if all projects were given a place on the ballot for an OWASP community vote, I would not be surprised if ESAPI ended up getting sufficient votes to remain a flagship project. Should that happen, one has to ask "What then?" People will likely vote for the projects that they know the most about and ESAPI is definitely one of the most visible and widely used of all OWASP projects.
* I believe the terms "flagship", "lab", and "incubator" each carry too much political baggage to be useful. I would propose instead that we talk about having "Tier 1", "Tier 2", and "Tier 3" projects, as "Tier n" is much more neutral terminology.
* If we do wish to keep the same "flagship", "lab", and "incubator" terms, is there any reason why we cannot just steal / reuse the Apache Foundations project structure and their criteria for what it takes to obtain and maintain such a label?
* One last comment, and I apologize in advance for this sounding more negative than constructive... I am disappointed that this is all that the staff and/or board came up with as the initial cut, especially considering that there have been email threads kicking these ideas around not for several months. My expectations we elected the board in part to make the difficult decisions that the community itself seemed to be unable to make, yet to me the majority of these options seem to end up with "punting the decisions back to the community" by calling for a community vote as to which projects are deserving of flagship status, which should be lab projects, etc. I think it is fine to as the community to vote on the ''general approach''. I do '''not''' think it is okay to have them choose the projects. Case in point, I'm sure that there are a number of great OWASP projects that I've heard of. As an example, because I am more of a builder / defender than a breaker, I am not familiar as I'd like to be with many of the breaker projects. And to be honest, if it came to a vote, I am not going to spend more than 5 or 10 minutes familiarizing myself with any new projects--even if there were some project "short list". I am sure I am not the only one who operates that way, so in the end it will come down to familiarity rather than what is really best for OWASP in the long term.
* I will try to leave my other comments on the main wiki page.

--[[User:Kevin W. Wall|Kevin W. Wall]] ([[User talk:Kevin W. Wall|talk]]) 20:25, 7 May 2014 (CDT)

----

Category:OWASP Enterprise Security API

2014-05-01T03:10:37Z

Kevin W. Wall: Added the new OWASP project graphic across all the other ESAPI project tabs.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project lead can be reached [mailto:jeff.williams@owasp.org here].

{| width="100%"
|-
! width="33%" |
! width="33%" |
! width="33%" |
|- valign="top"
|
== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

|

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

|
== Related resources ==

[[Image:Asvs-satellite.jpg]]{{Cheatsheet_Navigation}}
|}

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

= Downloads =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| width="100%"
|-
! width="33%" |
! width="33%" |
|- valign="top"
|
[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[http://code.google.com/p/owasp-esapi-java/downloads/list ESAPI for Java Downloads]
*{{#switchtablink:.NET|ESAPI for .NET}}<br>
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br>
*{{#switchtablink:PHP|ESAPI for PHP}}<br>
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br>
*{{#switchtablink:Python|ESAPI for Python}}<br>
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]<br>

|
[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Glossary =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Dot NET =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_.NET_Version | OWASP Project Identification Tab}}

= Classic ASP =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Classic_ASP_Version | OWASP Project Identification Tab}}

= PHP =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_PHP_Version | OWASP Project Identification Tab}}

= ColdFusion CFML =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>


{{:Projects/OWASP ESAPI for ColdFusion - CFML Project | Project About}}

= Python =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Python_Version | OWASP Project Identification Tab}}

= JavaScript =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_JavaScript_Version | OWASP Project Identification Tab}}

= Objective C =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:Projects/OWASP ESAPI Objective - C Project | Project About}}

= Force com =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Force.com_Version | OWASP Project Identification Tab}}

= Ruby =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:Projects/Owasp Esapi Ruby | Project About}}

= Swingset =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
The ESAPI Swingset Project divides itself into sub-projects, i.e., [[Projects/OWASP ESAPI Swingset Interactive Project|Swingset Interactive]] and [[Projects/OWASP ESAPI Swingset Demo Project|Swingset Demo]].

= ESAPI C =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:Projects/OWASP ESAPI C Project | Project About}}

= ESAPI CPP =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:Projects/OWASP ESAPI C++ Project | Project About}}

= ESAPI Perl =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:Projects/OWASP ESAPI Perl Project | Project About}}

= Project Details =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}

Category:OWASP Enterprise Security API

2014-05-01T03:03:30Z

Kevin W. Wall: Insert the DIV tag with the new OWASP graphic.

= Home =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.

*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.

The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute].

Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project lead can be reached [mailto:jeff.williams@owasp.org here].

{| width="100%"
|-
! width="33%" |
! width="33%" |
! width="33%" |
|- valign="top"
|
== Let's talk here ==

[[Image:Asvs-bulb.jpg]]'''ESAPI Communities'''

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.

*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)]
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list]
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list]
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]

IRC Chat

If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.

*Server: irc.freenode.net
*Channel: #esapi

|

== Got developer cycles? ==

[[Image:Asvs-waiting.JPG]]'''ESAPI Coding'''

The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles.

*ESAPI for other languages developer onboarding instructions -- coming soon!

|
== Related resources ==

[[Image:Asvs-satellite.jpg]]{{Cheatsheet_Navigation}}
|}

== Project Sponsors ==

The ESAPI project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}

= Downloads =

{| width="100%"
|-
! width="33%" |
! width="33%" |
|- valign="top"
|
[[Image:Asvs-step1.jpg]]'''1. About ESAPI'''

*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word])
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint])
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])

[[Image:Asvs-step2.jpg]]'''2. Get ESAPI'''

*[http://code.google.com/p/owasp-esapi-java/downloads/list ESAPI for Java Downloads]
*{{#switchtablink:.NET|ESAPI for .NET}}<br>
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br>
*{{#switchtablink:PHP|ESAPI for PHP}}<br>
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br>
*{{#switchtablink:Python|ESAPI for Python}}<br>
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]<br>

|
[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI'''

*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)]
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application.
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF])
*ESAPI for Java interface documentation ([http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html JavaDocs])
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])

|}

= What I did with ESAPI =

*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]

*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]

*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&A requirements. --[mailto:dave.wichers@owasp.org Dave]

*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]

*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]

*I use ESAPI to be our security package for all our product, this way we can set one standard for all products. --[mailto:yairr@liveperson.com Yair]

*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br>

= Glossary =

[[Image:Asvs-letters.jpg]]'''ESAPI Terminology'''

*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization.
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact.
*'''codec''' - ESAPI encoder/decoder reference implementations.
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core.
*'''exception''' - ESAPI exception reference implementations.
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations.
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces.
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers.
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls.
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces.
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record).
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes.
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.

<br>

= Java EE =

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}}

= Dot NET =

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_.NET_Version | OWASP Project Identification Tab}}

= Classic ASP =

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Classic_ASP_Version | OWASP Project Identification Tab}}

= PHP =

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_PHP_Version | OWASP Project Identification Tab}}

= ColdFusion CFML =


{{:Projects/OWASP ESAPI for ColdFusion - CFML Project | Project About}}

= Python =

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Python_Version | OWASP Project Identification Tab}}

= JavaScript =

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_JavaScript_Version | OWASP Project Identification Tab}}

= Objective C =

{{:Projects/OWASP ESAPI Objective - C Project | Project About}}

= Force com =

{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Force.com_Version | OWASP Project Identification Tab}}

= Ruby =

{{:Projects/Owasp Esapi Ruby | Project About}}

= Swingset =

The ESAPI Swingset Project divides itself into sub-projects, i.e., [[Projects/OWASP ESAPI Swingset Interactive Project|Swingset Interactive]] and [[Projects/OWASP ESAPI Swingset Demo Project|Swingset Demo]].

= ESAPI C =

{{:Projects/OWASP ESAPI C Project | Project About}}

= ESAPI CPP =

{{:Projects/OWASP ESAPI C++ Project | Project About}}

= ESAPI Perl =

{{:Projects/OWASP ESAPI Perl Project | Project About}}

= Project Details =

{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}}

__NOTOC__ <headertabs /> <br>

{{OWASP Builders}}

GSoC2014 Ideas

2014-02-13T02:45:09Z

Kevin W. Wall: Fix typos in other Hackademic Challenge ideas

==OWASP Project Requests==

=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===

'''Brief Explanation:'''

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.
New challenges need to be created in order to cover a broader set of vulnerabilities.
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

Ideas on the project:

* Simulated simple buffer overflows
* SQL injections
* Man in the middle simulation
* Bypassing regular expression filtering
* Your idea here

'''Expected Results:'''

New cool challenges

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== OWASP Hackademic Challenges - Source Code testing environment ===

'''Brief Explanation:'''

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

'''Expected Results:'''

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== OWASP Hackademic Challenges - Challenge Sandbox ===

Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend,
we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected.
Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.

Ideas on the project:

''' *Administrator's point of view* '''

Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s).
Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server.
The student is expected to provide configuration scripts that do the above

''' *Coder's Way* '''

This is better explained with an example:
In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function.
The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.).
The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).

''' * Your solution here * '''

The above solutions are by no way complete,their intention is to start you thinking.
This is a difficult task so if you consider takling it talk to us early on so we can reach a good solution which is possible in the GSoC timeframe.

''' Expected results '''

You should be able to run a big enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge

=== OWASP Hackademic Challenges - CMS improvements ===

'''Brief Explanation:'''

The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.

Ideas on this project:

* ''' Template''' *

Since it's creation the project has received a good number of new features, but the visual/ux/ui part has never gotten much love.
It would be good if we had a new template with proper ui design.

* '''Questionaire creation plugin''' *

We'd like the admin to be able to create questionaires, assign rules for each question (e.g. correct answer +2pts incorrect answer -2, no answer 0) and assign them to students as homework/exams.
The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionaire.

* '''Ability to show different articles on the user's home screen'''

Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.

* '''Gamification of the user's progress''' *

A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.

* '''Ability to define series of challenges'''

The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.

* ''' Tagging of articles, users, challenges '''

A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.
Also the user should be able to search according to the tags.

* '''Your idea here'''

We welcome new ideas to make the project look awesome.

'''Expected Results:'''

New features and security improvements on the CMS part of the project.

'''Knowledge Prerequisites:'''

Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

===OWASP WebGoatPHP===
'''Description:'''
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions.
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.

If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).

'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode where challenges are selected by an admin and the system starts a contest. Admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of the most of application features, as well as feedback of user activities and is ideal for learning environments, and a single mode where someone can browse challenges and solve them.

'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP CSRF Guard===
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to properly defend against it, specially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].

'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.

'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary

===OWASP PHP Security Project===

'''Description:'''
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.

'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.

'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary , Johanna Curiel

===OWASP RBAC Project===
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''.

RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.

Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time.

OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.

'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.

'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary

'''Skill Level:''' Advanced

For more info, visit [http://phprbac.net phprbac.net]

=== OWASP OWTF - Zest support ===

'''Brief explanation:'''

The Mozilla foundation has done great work with the Zest iniciative, this provides a great automated mechanism to replicate exploitation of security vulnerabilities in a format that makes tool communication easier: For example, ZAP supports Zest, so if OWTF can create a Zest script for a vulnerability in an automated fashion, this may in turn be easier to import into ZAP and other tools.

[https://developer.mozilla.org/en-US/docs/Zest More information on Zest can be found here]

The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* High performance
* Reliability
* Ease of use
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Some previous exposure to security concepts, penetration testing, Python and development in general is important for this project.

=== OWASP OWTF - Improved Plug-n-Hack support ===

'''Brief explanation:'''

The Mozilla foundation has done great work with the Plug-n-Hack standard, this provides greatly improved interaction with the web browser.
Although OWTF already supports Plug-n-Hack for MiTM purposes, there are many other features that could be implemented to leaverage Plug-n-Hack.
The aim of this project would be to try to cover as much as possible from the Plug-n-Hack standard as relevant to OWTF.

[https://www.youtube.com/watch?v=pYFtLA2yTR8 Please see this demo to see the newest Plug-n-Hack additions]

[https://blog.mozilla.org/security/2013/08/22/plug-n-hack/ For more information about plug and hack please see this]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* High performance
* Reliability
* Ease of use
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Stateful Browser with configurable authentication ===

'''Brief explanation:'''

The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:

1) OWTF parameters

2) Configuration files

What we would like to do here is to leverage the [http://wwwsearch.sourceforge.net/mechanize/ powerful mechanize python library] and build at least support for the following authentication options:
* Basic authentication [https://github.com/7a/owtf/issues/9 Already implemented here]
* Cookie based authentication
* Form-based authentication

Additionally, we would welcome here a feature to detect when the user has been logged off, to log OWTF back in again before retrying the next request. <-- The proxy is probably a better place to implement this since external tools would also benefit from this. This feature will have to be coordinated with the MiTM proxy feature (already implemented).

The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* High performance
* Reliability
* Ease of use
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with the mechanize library or HTTP state is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - SQL database ===

'''Brief explanation:'''

OWASP OWTF scans may take a large amount of disk space due to saving information in text files, we would like to add an option to use a SQL database, probably using the sqlalchemy python library.
* Keep the current text file format as an option
* Add a database storage option using the sqlalchemy library

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Reliability: Both with the sql database option and the text file options.
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, sqlalchemy experience would be beneficial for this

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Unit Test Framework ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

The Unit Test Framework should be able to:
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
* Allow to regression test by test categories (i.e. "test only web plugins")
* Allow to regression test everything (i.e. plugins + framework core: "test all")
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
* Perform well so that we can run as many tests as possible in a given period of time
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Python version upgrade and compatibility ===

'''Brief explanation:'''

Right now OWASP OWTF works on Python 2.6.5-2.7.3 (might work on surrounding versions too), the aim of this project would be to change the existing codebase so that it additionally works on newer python versions too, for example Python 3.3.
The intention here is to take advantage of improvements in newer python versions when available while letting OWASP OWTF work on older python versions too (i.e. 2.6.5) if that is the only option available.
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable due to compatibility.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Performant and reliable OWASP OWTF execution on multiple python versions, in particular the latest python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with python version upgrades and python version compatibility implementations, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

===OWASP PCI TOOLKIT===
[[File:Pci-toolkit-items-small.gif]]<br> OWASP PCI toolkit is an Open Source project built using Google Engine App, that will help organizations scope the PCI-DSS requirements for their System Components. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

In order to comply with this standard, organizations need to understand the PCI-DSS requirements. Many of these requirements use OWASP guidelines as their baseline.

The OWASP PCI toolkit is a project focused on helping organization understand how OWASP guidelines apply to the PCI-DSS requirements.

'''Expected results:'''

4 complete modules built as a Google App Engine:
http://pci-toolkit.appspot.com/

'''Knowledge Prerequisite:'''

Skill Level: Easy-Medium
Python, HTML, CSS, Google App Engine.

Affinity with financial institutions, Web security and credit card-online transactions

'''OWASP project page:'''

https://www.owasp.org/index.php/Category:OWASP_PCI_Project

Mentor: Johanna Curiel - emai: firstname.lastname@owasp.org

=== OWASP iGoat ===

'''Brief explanation:'''

Right now OWASP iGoat works fine as a full universal iOS app on iPhone and iPads up to iOS 6.x and Xcode 4.x. It needs to be updated to properly function under iOS 7.x and Xcode 5.x, which will require some code maintenance, GUI changes, and so on.

Although it is primarily maintenance items that need the updating, the student will gain an intimate familiarity with how the iGoat platform works, including how to write and plug-in new exercise modules. Writing additional exercises, with all due credit, will also be encouraged in an optional second phase of this project.

For background on OWASP iGoat please see: https://www.owasp.org/index.php/OWASP_iGoat_Project

'''Expected results:'''

* iGoat functions properly in all current aspects under iOS 7.x, compiled under Xcode 5.x.
* All GUI, buttons, and other presentation layer aspects of iGoat are compliant with iOS 7.x look and feel.
* (Optionally) write one or more new iGoat exercise modules, based on existing design descriptions to be provided by the project mentor.

'''Knowledge Prerequisite:'''

iOS app development in Xcode using Objective C will be quite necessary. Familiarity with iOS 7.x user interface updates additionally helpful.

'''Mentor: Ken van Wyk - OWASP iGoat Project Leader - Contact: ken@krvw.com'''

=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - Advanced access control testing ===

'''Brief explanation:'''

Access control testing is typically difficult for security tools to automate. However previous Google Summer of Code projects have added session, authentication, user and role handling to ZAP, which provide an ideal basis for advanced access control testing.

ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org reeaders.

'''Expected results:'''

This development would allow (semi) automated access control testing by:
* Maintaining and displaying different site trees (application maps) for different users/roles
* Providing tools which access all of the content accessible via one user/role which should not be accessible via another user/role
* Ideally allow resources to be tied to users/roles to allow enable horizontal privilege testing

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''

=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - Scripted Add-ons ===

'''Brief explanation:'''

ZAP supports all JSR 223 scripting languages, but only for a limited number of purposes. This development would allow 'full' add-ons to be written in any JSR 223 language.

ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org reeaders.

'''Expected results:'''

* Users will be able to 'full' add-ons in any JSR 233 scripting language
* A set of example add-ons demonstrating as much functionality as possible should be developed in at least Java Script, Jython and Jruby.

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''

=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - AMF Support ===

'''Brief explanation:'''

ZAP has only very limited support for AMF and does not provide an effective graphical representation of it.
This development will add full support for AMF.

ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org reeaders.

'''Expected results:'''

* De-serialise and display AMF messages in ZAP graphically (based on existing POC code)
* Expose the AMF data as parameters so that ZAP can scan them
* Add new AMF specific scan rules as required
* Implement in a way that makes it easier for ZAP to support other technologies (such as Java applets, Silverlight)

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Colm O'Flaherty - OWASP ZAP Core team'''

=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - Web Service (SOAP) scanning ===

'''Brief explanation:'''

ZAP has only very limited support for web service scanning and has no understanding of WSDL.
This development will add full support for exploring and scanning SOAP based web services.

ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org reeaders.

'''Expected results:'''

The development will allow ZAP to parse WSDL and populate the Sites tree with all of the end points defined. It should also enhance the ZAP scanning capabilities to specifically attack the end points for as wide a range of vulnerabilities. Test cases should be written in [http://code.google.com/p/wavsep/ wavsep] format and contributed back to that project.

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''

=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - As a long running service ===

'''Brief explanation:'''

ZAP started out as a GUI only desktop tool. It now supports a headless 'daemon' mode but it is still not suitable for running as a long running service. This will require much heavier use of the database, and ideally will allow different databases to be used.

ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org reeaders.

'''Expected results:'''

ZAP able to run as a (very) long running service. There must be no memory leaks code and ideally there should still be very little latency while proxying through ZAP.

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''

=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - GUI unit test framework ===

'''Brief explanation:'''

While ZAP does have some low level unit tests it doesnt have any unit tests for the UI. This means that sometimes changes can break the UI without being immediately apparent.

ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org reeaders.

'''Expected results:'''

A unit test framework which will allow the GUI to be easily tested. A set of unit tests which test the main GUI features and can be easily extended.

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''

=== [https://www.owasp.org/index.php/ESAPI OWASP ESAPI] 2.x - Security Configuration ===

'''Brief explanation:'''
There are currently more than a half-dozen of open Google Issues in ESAPI regarding the security configuration component (e.g., see [http://code.google.com/p/owasp-esapi-java/issues/list?q=component%3DSecurityConfiguration ESAPI Security Configuration Issues]).

The ESAPI interface for its configuration (SecurityConfiguration) is overly complicated; it has a 'getter' method specific to almost every ESAPI configuration property. The rules for how and where the ESAPI.properties file is found are overly complicated making questions about it one of the most frequently asked questions on forums such as Stack Exchange and the ESAPI mailing lists. This complication leads to a unduly intricate, non-modular reference implementation (DefaultSecurityConfiguration) that makes it difficult to extend in terms of new functionality.

A new, simpler security configuration interface and implementation is needed. Such an implementation would not only be useful for ESAPI 2.x, but could very well be used to build the configurator needed by ESAPI 3.

As part of this GSoC project, expectations would not only to address as many of the open security configuration issues as possible, but to also go beyond this to allow a framework for additional extensions in terms of functionality.

'''Expected results:'''
1) An improved, but simpler API for the security configuration part of ESAPI.
2) Alternate configuration stores other than Java properties files (e.g., XML, database), to be supported.
3) The ability to split the ESAPI configuration data into smaller, more manageable chunks to result in more maintainibility and allow for better enforcement of corporate security policies.
4) Continued backward compatibility with ESAPI 2.1.x or an extremely simple migration path forward.

'''Knowledge Prequisite:'''

Since the ESAPI 2.x project is written in Java, a good knowledge of Java is essential. A strong knowledge of JUnit will also be helpful in creating unit test cases. A working knowledge of XML or JDBC may also prove helpful.

'''Mentor: [https://www.owasp.org/index.php/User:Kevin_W._Wall Kevin W. Wall] - OWASP ESAPI for Java Project Leader'''