|
|
| (138 intermediate revisions by 17 users not shown) |
| Line 1: |
Line 1: |
| − | {{Template:Stub}}
| + | #REDIRECT [[:Category:Java]] |
| − | | |
| − | ==About==
| |
| − | | |
| − | The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently. See the [[OWASP Java Project Roadmap]] for more information on our plans.
| |
| − | | |
| − | ==Joining the Project==
| |
| − | | |
| − | Stephen de Vries and Rohyt Belani lead the project. We're currently building out the [[OWASP Java Project Roadmap]]. Please submit your ideas for where we should spend our efforts there.
| |
| − | | |
| − | We're in the process of creating the email list for the OWASP project. Stay tuned for more details.
| |
| − | | |
| − | ==Java Security Overview==
| |
| − | | |
| − | While Java and J2EE contain many security technologies, it is not easy to produce an application without security vulnerabilities. Most application security [[:Category:Vulnerability|Vulnerabilities]] apply to Java applications just like other environments. The notable exception is [[Buffer overflow|buffer overflow]] and related issues that do not apply to Java applications.
| |
| − | | |
| − | ==Securing the Java Environment==
| |
| − | Verifier and Sandbox
| |
| − | JRE vs. JDK (precompile JSPs)
| |
| − | | |
| − | | |
| − | ==Securing Java Application Code==
| |
| − | Common vulnerabilities like...Runtime.exec, Statement, readline()
| |
| − | Dangers of native code, dynamic code, and reflection
| |
| − | Tools like PMD and FindBugs
| |
| − | Security mechanisms like cryptography, logging, encryption, error handling
| |
| − | | |
| − | ==Securing the J2EE Environment==
| |
| − | Minimize attack surface in web.xml
| |
| − | Configure error handlers
| |
| − | | |
| − | ==Securing J2EE Application Code==
| |
| − | Vulnerabilities like...
| |
| − | Using J2EE filters for protection
| |
| − | Mechanisms like input validation, encoding
| |
| − | Common vulnerabilities like...
| |
| − | | |
| − | [[Category:Platform]]
| |
| − | [[Category:OWASP Project]]
| |
