Difference between revisions of "Talk:OWASP Java Project Roadmap"

Latest revision as of 21:27, 11 March 2008

This is the discussion page for the Java Project Roadmap. You can add your thoughts and comments below. Please make them easy to read and end your entries with ~~~~ to sign your entries.

Ideas

I think we should consider revamping the roadmap with specific article titles and content that we'd like to get written. For example, I'm considering writing an article on how to set up Eclipse to do a code review. It would be nice to link that in here, but I'm not sure just where. I was thinking something like this....

Using Eclipse for security code review: This article will cover setting up Eclipse with plugins like FindBugs, jlint, PMD, and Metrics. Then it will explore how you can use the various search and code browsing functions to find and diagnose potential vulnerabilities. Jeff Williams 15:01, 22 June 2006 (EDT)

Sounds like some excellent content! Couldn't this fit in to the Code Analysis Tools section (even if we have to rename the section to something like "Code Analysis Techniques")? Since the Eclipse example is something core to the Java project, I think it should be placed under a real heading, but for other miscellaneous content, I've created a Resources section which could include external articles, books and other resources. Stephendv 04:18, 26 June 2006 (EDT)

J2EE Security for Architects

Deadline for first draft:	19/08/2006
Deadline for first review:	26/08/2006
Deadline for final draft:	11/09/2006
Deadline for final review:	20/09/2006

Design considerations

Objective:	Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost. Any other security concerns that should be addressed during the design phase should also be mentioned here.
Status:	Call for volunteers
Contributors:
Reviewers:

Architectural considerations
- EJB Middle tier
- Web Services Middle tier
- Spring Middle tier

Noteworthy Frameworks

Objective:	Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.
Status:	Call for volunteers
Contributors:
Reviewers:

Acegi
Commons validator
jGuard
Stinger seems to be parked for a while now, is this correct Jeff?
- Stinger is
- CVS HEAD is in a functional state; needs work on docs and new features Roman 00:15, 13 June 2006 (EDT)

Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section. --Stephendv 08:04, 12 June 2006 (EDT)

I think Struts should be covered too - Rohyt

Struts is important as a web framework, but there are many frameworks that provide the same functionality from a security point of view. I think it makes sense to discuss struts as a web framework in section on XSS below with the other popular web frameworks rather than give it a special place in this section which only covers security specific frameworks. --Stephendv 07:22, 18 June 2006 (EDT)

J2EE Security for Developers

Deadline for first draft:	19/08/2006
Deadline for first review:	26/08/2006
Deadline for final draft:	11/09/2006
Deadline for final review:	20/09/2006

Java Security Basics

Objective:	Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.
Status:	Call for volunteers
Contributors:
Reviewers:

Class Loading
Bytecode verifier
The Security Manager and security.policy file

Input Validation

Overview

SQL Injection

Objective:	Provide cursory background information on SQL injection and refer to the Guide for more indepth coverage (no need to duplicate info in the Guide). This section should provide practical advise and real-world code examples for developers. If you feel that a popular persistence framework is not covered, please add it!
Status:	Call for volunteers
Contributors:
Reviewers:

Overview
Prevention
- White Listing
- Prepared Statements
- Stored Procedures
- Hibernate
- Ibatis
- Spring JDBC
- EJB 3.0?
- JDO?

Cross Site Scripting (XSS)

Objective:	Provide cursory background information on XSS and refer to the Guide for more indepth coverage. This section should provide practical advise and real-world code examples for developers. If you would like to see coverage of a web framework that's not listed, please add it!
Status:	Call for volunteers
Contributors:
Reviewers:

Overview
Prevention
- White Listing
- Manual HTML Encoding
- Preventing XSS in popular Web Frameworks
  - JSP/JSTL
  - Struts
  - Spring MVC
  - Java Server Faces
  - WebWork
  - Wicket
  - Tapestry
CSRF attack

LDAP Injection

Objective:	As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing LDAP injection.
Status:	Call for volunteers
Contributors:
Reviewers:

Overview
Prevention

XPATH Injection

Objective:	As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.
Status:	Call for volunteers
Contributors:
Reviewers:

Overview
Prevention

Miscellaneous Injection Attacks

Objective:	Should contain practical real-world advise and code examples.
Status:	Call for volunteers
Contributors:
Reviewers:

HTTP Response splitting
Command injection - Runtime.getRuntime().exec()

Authentication

Objective:	Discuss authentication for Java and J2EE apps under the suggested headings below. Examples for container managed authentication of specific application servers are also welcome.
Status:	Call for volunteers
Contributors:
Reviewers:

Storing credentials
Hashing
SSL Best Practices
CAPTCHA systems (such as jcaptcha)
Container-managed authentication with Realms
JAAS Authentication
Password length & complexity

Session Management

Objective:	The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples.
Status:	Call for volunteers
Contributors:
Reviewers:

Logout
Session Timeout
Absolute Timeout
Session Fixation
Terminating sessions
- Terminating sessions when the browser window is closed

Authorization

Objective:	Java and J2EE specific discussion and examples.
Status:	Call for volunteers
Contributors:
Reviewers:

In presentation layer
In business logic
In data layer
Declarative v/s Programmatic
web.xml configuration
Forced browsing
JAAS
EJB Authorization
Acegi
JACC
Check horizontal privilege

Encryption

Objective:	Java and J2EE specific discussion and examples.
Status:	Call for volunteers
Contributors:
Reviewers:

JCE
Storing db secrets
Encrypting JDBC connections
JSSE
Random number generation

Error Handling & Logging

Objective:	Java and J2EE specific discussion and examples.
Status:	Call for volunteers
Contributors:
Reviewers:

Output Validation
Custom Errors
Logging - why log? what to log? log4j, etc.
Exception handling techniques
- fail-open/fail-closed
- resource cleanup
- finally block
- swallowing exceptions
Exception handling frameworks
- Servlet spec - web.xml
- JSP errorPage
Web application forensics and how it differs from conventional forensics. This will emphasize the importance of appropriate exception handling and logging - Rohyt

Web Services Security

Objective:	Discuss securely implementing Web Services using Java technologies. Examples using specific frameworks are welcome. The topic list is a bit light at the moment, please add more topics if they're relevant.
Status:	Call for volunteers
Contributors:
Reviewers:

SAML
(X)WS-Security
SunJWSDP
XML Signature (JSR 105)
XML Encryption (JSR 106)
...?

I think this section should also include WSS4J and a description of how XWS-Security and WSS4J can be integrated in the major Java Web Services Frameworks, such as Spring-WS, Axis, XFire, etc. (see also http://www.nljug.org/pages/events/content/jfall_2007/sessions/00028/) Eelco Klaver 08:59, 23 October 2007 (EDT)

Code Analysis Tools

Objective:	The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the Tutorial guidelines, these submissions will be gladly received.
Status:	Call for volunteers
Contributors:
Reviewers:

Introduction
FindBugs
- Creating custom rules
PMD
- Creating custom rules
JLint
Jmetrics

   I proposed some guidelines for the entire OWASP site
   in the Tutorial page. What do you think?? Jeff Williams 15:01, 22 June 2006 (EDT)

   I didn't know this existed.  Replaced the above with a link to the Tutorial page.  --Stephendv 04:03, 26 June 2006 (EDT)

J2EE Security For Deployers

Deadline for first draft:	19/08/2006
Deadline for first review:	26/08/2006
Deadline for final draft:	11/09/2006
Deadline for final review:	20/09/2006

Securing Popular J2EE Servers

Objective:	Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.
Status:	Call for volunteers
Contributors:
Reviewers:

Securing Tomcat
Securing JBoss
Securing WebLogic
Securing WebSphere
Others...

Defining a Java Security Policy

Objective:	Practical information on creating a Java security policies for J2EE servers.
Status:	Call for volunteers
Contributors:
Reviewers:

Jeff's tool? --Stephendv 08:37, 12 June 2006 (EDT)
jChains (www.jchains.org)

Protecting Binaries

Objective:	This should be focussed on web applications, so examples should include applets and web start apps.
Status:	Call for volunteers
Contributors:
Reviewers:

- Discuss Bytecode Manipulation Tools and Techniques - Rohyt

Bytecode obfuscation
Convert bytecode to native machine code
jarsigner