This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ESAPI Secure Coding Guideline"
From OWASP
Line 10: | Line 10: | ||
| align="center" | '''AU001''' | | align="center" | '''AU001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
Line 23: | Line 24: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
Line 98: | Line 100: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
Line 113: | Line 116: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
+ | |||
+ | |||
+ | | The application shall use an EncryptedProperties to store all security relevant data, such as passwords, credentials, codes, configuration information, addresses, etc… | ||
+ | |||
Line 127: | Line 135: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
Line 142: | Line 151: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
Line 157: | Line 167: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
Line 169: | Line 180: | ||
! width="45%" | Code Example | ! width="45%" | Code Example | ||
|- | |- | ||
− | | ''' | + | | '''SC001''' |
− | | The application shall | + | | Production code shall not contain code not intended for use, such as debug, test, and dead code. |
+ | | TBD | ||
+ | |- | ||
+ | | '''SC002''' | ||
+ | | The application's source code shall not contain secrets that would compromise security if disclosed. | ||
+ | | TBD | ||
+ | |- | ||
+ | | '''SC003''' | ||
+ | | The application team shall run code quality tools such as FindBugs and PMD to find quality problems. | ||
+ | | TBD | ||
|} | |} | ||
Line 177: | Line 197: | ||
− | = | + | =Avoiding Specific Risks= |
==Cross Site Scripting== | ==Cross Site Scripting== | ||
Line 188: | Line 208: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
Line 200: | Line 221: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
|} | |} | ||
+ | |||
+ | |||
+ | |||
+ | ==Thread Safety Problems== | ||
+ | {|class="wikitable" style="text-align:left;" width="100%" | ||
+ | |- | ||
+ | ! ID | ||
+ | ! width="45%" | Requirement | ||
+ | ! width="45%" | Code Example | ||
+ | |- | ||
+ | | align="center" | '''AC001''' | ||
+ | | The application shall avoid the use of shared storage, such as class variables, instance variables, or singletons, in all multithreaded code. | ||
+ | | TBD | ||
+ | |} | ||
+ | |||
+ | |||
Line 212: | Line 250: | ||
| align="center" | '''AC001''' | | align="center" | '''AC001''' | ||
| The application shall use <code></code> to | | The application shall use <code></code> to | ||
+ | | TBD | ||
+ | |} | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | =Banned APIs= | ||
+ | |||
+ | The following calls are dangerous and should be replaces with the safer calls provided by ESAPI. | ||
+ | |||
+ | {|class="wikitable" style="text-align:left;" width="100%" | ||
+ | |- | ||
+ | ! ID | ||
+ | ! width="30%" | Banned Call | ||
+ | ! width="30%" | ESAPI Replacement | ||
+ | ! width="30%" | Code Example | ||
+ | |- | ||
+ | | align="center" | '''BAN001''' | ||
+ | | abc | ||
+ | | def | ||
+ | | TBD | ||
|} | |} |
Revision as of 15:00, 14 April 2008
Using Security Controls
Authentication
ID | Requirement | Code Example |
---|---|---|
AU001 | The application shall use to
|
TBD |
Session Management
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
Access Control
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use assertAuthorizedForURL() to verify authorization before allowing access to each URL.
|
TBD |
AC002 | The application shall use assertAuthorizedForFunction() to verify authorization before allowing access to each business function.
|
TBD |
AC003 | The application shall use assertAuthorizedForFile() to verify authorization before allowing access to files.
|
TBD |
AC004 | The application shall use assertAuthorizedForData() to verify authorization before allowing access to data.
|
TBD |
AC005 | The application shall use assertAuthorizedForService() to verify authorization before allowing access to each backend service.
|
TBD |
AC006 | The application shall use isAuthorizedFor* methods to verify authorization before including user interface controls in HTML output.
|
TBD |
AC007 | The application shall use AccessReferenceMap.getIndirectReference() to reference all application objects such as filenames, directory paths, and database keys.
|
TBD |
AC008 | The application shall prevent access to all resources that should not be directly accessed by users (such as resources, XML files, JSP files, properties) by storing them in a protected directory, such as WEB-INF .
|
TBD |
AC009 | The application shall use HTTPUtilities.sendSafeForward() for all forwards, to ensure that they cannot be used to bypass access checks.
|
TBD |
AC0010 | The appplication must use only trusted data used in access control decisions. | TBD |
AC0011 | Administrative functions for the application shall be deployed as a separate application with increased authentication controls. | TBD |
Input Validation and Encoding
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
Data Protection
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
| The application shall use an EncryptedProperties to store all security relevant data, such as passwords, credentials, codes, configuration information, addresses, etc…
Using Services Securely
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
Error Handling
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
Logging and Intrusion Detection
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
Secure Configuration and Deployment
ID | Requirement | Code Example |
---|---|---|
SC001 | Production code shall not contain code not intended for use, such as debug, test, and dead code. | TBD |
SC002 | The application's source code shall not contain secrets that would compromise security if disclosed. | TBD |
SC003 | The application team shall run code quality tools such as FindBugs and PMD to find quality problems. | TBD |
Avoiding Specific Risks
Cross Site Scripting
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
Cross Site Request Forgery
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
Thread Safety Problems
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall avoid the use of shared storage, such as class variables, instance variables, or singletons, in all multithreaded code. | TBD |
Denial of Service
ID | Requirement | Code Example |
---|---|---|
AC001 | The application shall use to
|
TBD |
Banned APIs
The following calls are dangerous and should be replaces with the safer calls provided by ESAPI.
ID | Banned Call | ESAPI Replacement | Code Example |
---|---|---|---|
BAN001 | abc | def | TBD |