This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:Java"

From OWASP
m (All pages moved categories, so this list is now empty)
 
(13 intermediate revisions by 3 users not shown)
Line 20: Line 20:
 
* Provide a stream of security related information, like vulnerabilities and security patches, related to the Java and JVM universe.
 
* Provide a stream of security related information, like vulnerabilities and security patches, related to the Java and JVM universe.
 
* Build an ecosystem allowing to all actors interested to discuss, share and learn.
 
* Build an ecosystem allowing to all actors interested to discuss, share and learn.
 
 
  
 
== Licensing ==
 
== Licensing ==
Line 28: Line 26:
  
 
Oracle® and Java™ are [http://www.oracle.com/us/legal/trademarks/index.html|registered trademarks of Oracle] and/or its affiliates. Other names may be trademarks of their respective owners.
 
Oracle® and Java™ are [http://www.oracle.com/us/legal/trademarks/index.html|registered trademarks of Oracle] and/or its affiliates. Other names may be trademarks of their respective owners.
 
  
 
== What's Hot! ==
 
== What's Hot! ==
  
 
See the "Tasks and Roadmap" tab for more information.  
 
See the "Tasks and Roadmap" tab for more information.  
 
[[OWASP Java Project WIPRO 1 2015|Wiki Pages Review Operation - 2015/2016]]
 
 
 
  
 
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
  
 
[[File:OWASP_Java_Wiki_logo.png|frame]]
 
[[File:OWASP_Java_Wiki_logo.png|frame]]
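Review bot: the Oracle trademark line uses a pipe inside an external link, `[http://www.oracle.com/us/legal/trademarks/index.html|registered trademarks of Oracle]`. MediaWiki separates an external link's URL from its label with a space, not a pipe, so here the pipe and the word "registered" become part of the URL and the link renders broken. Suggest `[http://www.oracle.com/us/legal/trademarks/index.html registered trademarks of Oracle]` (the same fix applies to both sides of the diff, since the line is unchanged context).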
Line 75: Line 67:
  
 
|}
 
|}
 
= Resources =
 
 
== Mailing List ==
 
 
[http://lists.owasp.org/mailman/listinfo/java-project OWASP Java and JVM Technologies Mailing List]
 
 
== Code Repository ==
 
 
[https://github.com/owasp GitHub OWASP Global Repository]
 
 
== Related Project Resources ==
 
 
[[OWASP_Project|OWASP Project Repository]]
 
 
[[Language|Languages Repository]]
 
 
[[OWASP_.NET_Project|.NET Project]]
 
 
[[Ruby|Ruby Technology Knowledge Base]]
 
 
[[PHP|PHP Technology Knowledge Base]]
 
 
[[Perl|Perl Technology Knowledge Base]]
 
 
[[Python|Python Technology Knowledge Base]]
 
 
[[JavaScript|JavaScript Technology Knowledge Base]]
 
 
[[C/C++|C/C++ Technology Knowledge Base]]
 
 
[[SQL|SQL, PL/SQL and DB Scripting Technology Knowledge Base]]
 
 
[[OWASP_Internet_of_Things_Project|OWASP IoT Security Project]]
 
 
[[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]
 
  
 
= Related OWASP Projects =
 
= Related OWASP Projects =
Line 131: Line 87:
  
 
{| width="100%"  
 
{| width="100%"  
 +
|-
 +
| colspan="2" | [[OWASP_AppSensor_Project|OWASP AppSensor]]
 +
|-
 +
| width="20" |  
 +
| The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.
 
|-
 
|-
 
| colspan="2" | [[CSRFGuard|OWASP CSRFGuard]]
 
| colspan="2" | [[CSRFGuard|OWASP CSRFGuard]]
Line 175: Line 136:
  
 
==Enterprise==
 
==Enterprise==
* [http://shiro.apache.org/ Apache Shiro] is a Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
+
* [http://shiro.apache.org/ Apache Shiro] is a Java security framework that performs authentication, authorization, cryptography, and session management.  
* [http://projects.spring.io/spring-security/ Spring Security] provides comprehensive security services for Java EE-based enterprise software applications. Services include authentication, authorization and protection against attacks like session fixation, clickjacking and cross site request forgery. There is a particular emphasis on supporting projects built using the Spring Framework, but it is a powerful security solution for standard Java EE applications as well.
+
* [http://projects.spring.io/spring-security/ Spring Security] provides security services for Java EE-based enterprise software applications. Services include authentication, authorization and protection against attacks like session fixation, clickjacking and cross site request forgery.  
 
* [http://www.hdiv.org/ HDIV] A web application security framework that provides a number of functions.
 
* [http://www.hdiv.org/ HDIV] A web application security framework that provides a number of functions.
  
 
== Access Control (Authentication and Authorization) ==
 
== Access Control (Authentication and Authorization) ==
* [http://sourceforge.net/projects/jguard jGuard] - jGuard is written in Java. Its goal is to provide a security framework based on JAAS (Java Authentication and Authorization Security). The framework is written for web and standalone applications, to easily provide solutions for access control problems.
+
* [http://oaccframework.org/ OACC] is an application security framework for Java designed for fine grained (object level) access control. OACC uses the abstraction of a ''resource'' for the application objects being secured. This key abstraction enables OACC to provide a rich API that includes grant, revoke and query capabilities for storing and managing the application's security relationships.
* [http://oaccframework.org/ OACC] - OACC is an application security framework for Java designed for fine grained (object level) access control. OACC uses the abstraction of a ''resource'' for the application objects being secured. This key abstraction enables OACC to provide a rich API that includes grant, revoke and query capabilities for storing and managing the application's security relationships.
+
* [http://picketlink.org/appsecurity/ PicketLink]  provides authentication, single sign on, permission based access control and other security features.
  
 
== Encryption ==
 
== Encryption ==
 
* [https://github.com/google/keyczar Keyczar] is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.
 
* [https://github.com/google/keyczar Keyczar] is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.
* [http://www.bouncycastle.org/ Bouncycastle] - Lightweight Java cryptography API <i>provider</i>.
+
* [http://www.bouncycastle.org/ Bouncycastle] is a lightweight Java cryptography API <i>provider</i>.
* [http://www.jasypt.org/ Jasypt] - Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.
+
* [http://www.jasypt.org/ Jasypt] is a Java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.
  
 
== XML Security ==
 
== XML Security ==
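Review bot: the rewritten Bouncycastle bullet keeps raw HTML `<i>provider</i>` while the OACC bullet in the same hunk uses wiki italics (`''resource''`); for consistency suggest `''provider''`. The project spells its name "Bouncy Castle" (two words). The new Apache Shiro and Spring Security lines also end in trailing whitespace, which MediaWiki ignores but which makes future diffs noisier; trim it.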
Line 193: Line 154:
 
== Validation ==
 
== Validation ==
 
* [http://www.sapia-oss.org/projects/vlad/home.html Vlad] stands for "validation". This projects indeed aims at offering a simple, high-level, extensible, generic validation framework that can easily be integrated into existing applications.
 
* [http://www.sapia-oss.org/projects/vlad/home.html Vlad] stands for "validation". This projects indeed aims at offering a simple, high-level, extensible, generic validation framework that can easily be integrated into existing applications.
 +
* [https://www.owasp.org/index.php/Protect_FileUpload_Against_Malicious_File This OWASP article] and [https://github.com/righettod/document-upload-protection code snippet] proposes a way to protect a file upload feature against submission of files that may contain malicious code.
 +
* [http://commons.apache.org/proper/commons-validator/ The Apache Common's validator] can be used to perform validation.
 +
 +
= Resources =
 +
 +
== Mailing List ==
 +
 +
[http://lists.owasp.org/mailman/listinfo/java-project OWASP Java and JVM Technologies Mailing List]
 +
 +
== Code Repository ==
 +
 +
[https://github.com/owasp GitHub OWASP Global Repository]
 +
 +
== Related Project Resources ==
 +
 +
[[OWASP_Project|OWASP Project Repository]]
 +
 +
[[Language|Languages Repository]]
 +
 +
[[OWASP_.NET_Project|.NET Project]]
 +
 +
[[Ruby|Ruby Technology Knowledge Base]]
 +
 +
[[PHP|PHP Technology Knowledge Base]]
 +
 +
[[Perl|Perl Technology Knowledge Base]]
 +
 +
[[Python|Python Technology Knowledge Base]]
 +
 +
[[JavaScript|JavaScript Technology Knowledge Base]]
 +
 +
[[C/C++|C/C++ Technology Knowledge Base]]
 +
 +
[[SQL|SQL, PL/SQL and DB Scripting Technology Knowledge Base]]
 +
 +
[[OWASP_Internet_of_Things_Project|OWASP IoT Security Project]]
 +
 +
[[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]
  
 
= Tasks and Roadmap =
 
= Tasks and Roadmap =
 
  
 
== Roadmap ==
 
== Roadmap ==
  
* [[OWASP Java Project WIPRO 1 2015|Wiki Pages Review Operation - 2016]] General review of all Java and JVM related pages in the wiki.
 
 
* Build Java and JVM security related net resources guide
 
* Build Java and JVM security related net resources guide
 
* The OWASP Java and JVM Technology Knowledge Base is principally about creating deep, rich guidance for Java and JVM developers using all kind of security resources. The idea is to have an effort of building a internet resource guide for everything around the JVM universe. Information, blogs, articles, tools, test servers and more. Important however is that this list is seriously curated.
 
* The OWASP Java and JVM Technology Knowledge Base is principally about creating deep, rich guidance for Java and JVM developers using all kind of security resources. The idea is to have an effort of building a internet resource guide for everything around the JVM universe. Information, blogs, articles, tools, test servers and more. Important however is that this list is seriously curated.
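Review bot: in the added file-upload bullet the verb does not agree with its two subjects ("This OWASP article and ... code snippet proposes"); it should read "propose". "The Apache Common's validator" should be "The Apache Commons Validator" (the project is named Commons Validator, no apostrophe). The hunk also inserts a full `= Resources =` section with the mailing-list, repository and related-project links; a `= Resources =` block with the identical links appears earlier in this diff inside the sidebar table, so confirm that earlier copy is removed in the same edit, otherwise the page carries the list twice. Unchanged context in the Roadmap bullet still reads "all kind of security resources" and "a internet resource guide" ("all kinds of", "an internet"), which a follow-up edit could fix.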
Line 245: Line 242:
  
  
'''IMPORTANT: all pages of these project are currently under review. A lot are outdated and are in the process of being removed or updated.''' The review effort is coordinated on this page: [[OWASP Java Project WIPRO 1 2015|Wiki Pages Review Operation - 2015/2016]].
+
'''IMPORTANT: all pages of these project are currently under review. A lot are outdated and are in the process of being removed or updated.'''  
 
 
 
 
(The pages in the "old" category "OWASP Java Project" have to be moved into the category "Java". Work is in progress).
 
  
<categorytree mode=pages>OWASP Java Project</categorytree>
 
  
  
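Review bot: the edited IMPORTANT notice reads "all pages of these project"; it should be "this project". The edit also drops the link to the review coordination page from the notice, so a reader who lands on this section no longer knows where the review is coordinated; consider keeping the reference or pointing at the "What's Hot!" section where the same link appears.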

Latest revision as of 21:55, 10 November 2017

About

The OWASP Java™ and JVM Technology Knowledge Base is the clearing house for all information related to building secure web/distributed applications and services based on Java and JVM technologies. The focus of these pages is on guidance for developers and architects using Java frameworks and JVM based technologies for web application development, on OWASP components that use Java and on participation in OWASP projects that use Java and JVM technologies. Moreover, we aim to provide security related guidance for system administrators managing Java and JVM based applications and tools.

The project is not limited to Java. It aims to also address topics around the JVM in general.

Community content is key to security information. The project depends on content from developers throughout the Java and JVM ecosystem.

Purpose

  • Provide deep, rich guidance for Java developers in using the security features of Java and of Java frameworks.
  • Address security in relation to the Java Virtual Machine and derived technologies.
  • Guide system administrators in managing Java and JVM related components and applications.
  • Create guidance for use of OWASP components that are designed for use with Java or other JVM languages.
  • Focus on information about working with and on OWASP tools built using Java or other JVM technologies.
  • Provide a stream of security related information, like vulnerabilities and security patches, related to the Java and JVM universe.
  • Build an ecosystem that allows all interested actors to discuss, share and learn.

Licensing

OWASP Java™ and JVM Technology Knowledge Base is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license (http://creativecommons.org/licenses/by-sa/3.0/), so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.

Oracle® and Java™ are trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

What's Hot!

See the "Tasks and Roadmap" tab for more information.

[Image: OWASP_Java_Wiki_logo.png]


Meta

Last Update: 11/10/2017


Other Resources

Mailing List

GitHub (OWASP)


Related Projects

Roadmap

  • Build Java and JVM security related net resources guide
  • The OWASP Java and JVM Technology Knowledge Base is principally about creating deep, rich guidance for Java and JVM developers using all kinds of security resources. The idea is to build an internet resource guide for everything around the JVM universe: information, blogs, articles, tools, test servers and more. It is important, however, that this list is seriously curated.
  • Concrete guidelines for Java and JVM developers
  • Clear checklists, around various topics, language, servers and frameworks.


The first step would be to establish contact with the project leaders and/or the entire team. This can be done using a direct and private message, or by joining the public mailing list to say hello.

When it comes to participating in project activities, everything depends on the time you are willing and able to invest. It is, however, very important not to jump into too many things at the beginning and later have to back out or leave unfinished things behind you. It is much better to start with small tasks, increasing intensity and investment over time.

Please also be patient about the "merge" of your work into the existing project pages and code. As everywhere in life, trust has to be built up.

The Java and JVM knowledge base currently has multiple tasks open, which can be found in the relevant section of this page. Not all tasks require a wiki account. Please take something you are interested in and start participating. Workload is not the only outcome of participating in open projects. You get a lot back: recognition, satisfaction, knowledge and contacts, sometimes friends.

Sounds cool? Then jump in...

To get involved, join the mailing list by following this link: OWASP Java and JVM Mailing List



The previous version of this JAVA Project home page is archived here: OWASP Java Project Archive (8.2010)
IMPORTANT: all pages of this project are currently under review. Many are outdated and are in the process of being removed or updated.