Revision as of 14:32, 15 April 2008

1 Using Security Controls
2 Avoiding Specific Risks
3 Banned APIs

Using Security Controls

Authentication

ID	Requirement	Code Example
AU001	The application shall use to	TBD

Session Management

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Access Control

ID	Requirement	Code Example
AC001	The application shall use `assertAuthorizedForURL()` to verify authorization before allowing access to each URL.	TBD
AC002	The application shall use `assertAuthorizedForFunction()` to verify authorization before allowing access to each business function.	TBD
AC003	The application shall use `assertAuthorizedForFile()` to verify authorization before allowing access to files.	TBD
AC004	The application shall use `assertAuthorizedForData()` to verify authorization before allowing access to data.	TBD
AC005	The application shall use `assertAuthorizedForService()` to verify authorization before allowing access to each backend service.	TBD
AC006	The application shall use `isAuthorizedFor*` methods to verify authorization before including user interface controls in HTML output.	TBD
AC007	The application shall use `AccessReferenceMap.getIndirectReference()` to reference all application objects such as filenames, directory paths, and database keys.	TBD
AC008	The application shall prevent access to all resources that should not be directly accessed by users (such as resources, XML files, JSP files, properties) by storing them in a protected directory, such as `WEB-INF`.	TBD
AC009	The application shall use `HTTPUtilities.sendSafeForward()` for all forwards, to ensure that they cannot be used to bypass access checks.	TBD
AC0010	The appplication must use only trusted data used in access control decisions.	TBD
AC0011	Administrative functions for the application shall be deployed as a separate application with increased authentication controls.	TBD

Input Validation and Encoding

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Data Protection

ID	Requirement	Code Example
AC001	The application shall use to	TBD

| The application shall use an EncryptedProperties to store all security relevant data, such as passwords, credentials, codes, configuration information, addresses, etc…

Using Services Securely

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Error Handling

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Logging and Intrusion Detection

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Secure Configuration and Deployment

ID	Requirement	Code Example
SC001	Production code shall not contain code not intended for use, such as debug, test, and dead code.	TBD
SC002	The application's source code shall not contain secrets that would compromise security if disclosed.	TBD
SC003	The application team shall run code quality tools such as FindBugs and PMD to find quality problems.	TBD

Avoiding Specific Risks

Cross Site Scripting

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Cross Site Request Forgery

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Thread Safety Problems

ID	Requirement	Code Example
AC001	The application shall avoid the use of shared storage, such as class variables, instance variables, or singletons, in all multithreaded code.	TBD

Denial of Service

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Banned APIs

The following calls are dangerous and should be replaces with the safer calls provided by ESAPI.

ID	Banned Call	ESAPI Replacement	Code Example
BAN001	System.out.println()	Logger.*	TBD
BAN002	Throwable.printStackTrace()	Logger.*	TBD
BAN003	Runtime.exec()	Executor.safeExec()	TBD
BAN004	Session.getId()	Randomizer.getRandomString (better not to use at all)	TBD
BAN005	ServletRequest.getUserPrincipal()	Authenticator.getCurrentUser()	TBD
BAN006	ServletRequest.isUserInRole()	AccessController.isAuthorized*()	TBD
BAN007	Session.invalidate()	Authenticator.logout()	TBD
BAN008	Math.Random.*	Randomizer.*	TBD
BAN009	File.createTempFile()	Randomizer.getRandomFilename()	TBD
BAN010	ServletResponse.setContentType()	HTTPUtilities.setContentType()	TBD
BAN011	ServletResponse.sendRedirect()	[http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities.html HTTPUtilities.safeSendRedirect()	TBD
BAN012	RequestDispatcher.forward()	HTTPUtilities.safeSendForward()	TBD
BAN013	ServletResponse.addHeader()	HTTPUtilities.safeSetHeader()/safeSetHeader()	TBD
BAN014	ServletResponse.addCookie()	HTTPUtilities.safeAddCookie()	TBD
BAN015	ServletRequest.isSecure()	HTTPUtilties.isSecureChannel()	TBD
BAN016	Properties.*	EncryptedProperties.*	TBD
BAN017	ServletContext.log()	Logger.*	TBD
BAN018	java.security and javax.crypto	Encryptor.*	TBD
BAN019	java.net.URLEncoder/Decoder	Encoder.encodeForURL()/decodeForURL()	TBD
BAN020	java.sql.Statement.execute	PreparedStatement.execute	TBD
BAN021	ServletResponse.encodeURL	HTTPUtilities.safeEncodeURL() (better not to use at all)	TBD
BAN022	ServletResponse.encodeRedirectURL	HTTPUtilities.safeEncodeRedirectURL() (better not to use at all)	TBD

@@ Line 269: / Line 269: @@
 | align="center" | '''BAN001'''
 | System.out.println()
-| Logger.*
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/ILogger.html Logger.*]
 | TBD
 |-
 | align="center" | '''BAN002'''
 | Throwable.printStackTrace()
-| Logger.*
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/ILogger.html Logger.*]
 | TBD
 |-
 | align="center" | '''BAN003'''
 | Runtime.exec()
-| Executor.safeExec()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IExecutor.html Executor.safeExec()]
 | TBD
 |-
 | align="center" | '''BAN004'''
 | Session.getId()
-| Randomizer.getRandomString() (better not to use at all)
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/interfaces/IRandomizer.html Randomizer.getRandomString] (better not to use at all)
 | TBD
 |-
 | align="center" | '''BAN005'''
-| Session.getId()
+| ServletRequest.getUserPrincipal()
-| Randomizer.getRandomString() (better not to use at all)
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IAuthenticator.html Authenticator.getCurrentUser()]
 | TBD
 |-
 | align="center" | '''BAN006'''
-| ServletRequest.getUserPrincipal()
+| ServletRequest.isUserInRole()
-| Authenticator.getCurrentUser()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IAccessController.html AccessController.isAuthorized*()]
 | TBD
 |-
 | align="center" | '''BAN007'''
-| ServletRequest.isUserInRole()
+| Session.invalidate()
-| AccessController.isAuthorized*()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IAuthenticator.html Authenticator.logout()]
 | TBD
 |-
 | align="center" | '''BAN008'''
-| Session.invalidate()
+| Math.Random.*
-| Authenticator.logout()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IRandomizer.html Randomizer.*]
 | TBD
 |-
 | align="center" | '''BAN009'''
-| Math.Random.*
+| File.createTempFile()
-| Randomizer.*
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IRandomizer.html Randomizer.getRandomFilename()]
 | TBD
 |-
 | align="center" | '''BAN010'''
-| File.createTempFile()
+| ServletResponse.setContentType()
-| Randomizer.getRandomFilename()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities.html HTTPUtilities.setContentType()]
 | TBD
 |-
 | align="center" | '''BAN011'''
-| ServletResponse.setContentType()
+| ServletResponse.sendRedirect()
-| HTTPUtilities.setContentType()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities.html HTTPUtilities.safeSendRedirect()
 | TBD
 |-
 | align="center" | '''BAN012'''
-| ServletResponse.sendRedirect()
+| RequestDispatcher.forward()
-| HTTPUtilities.sendSafeRedirect()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities.html HTTPUtilities.safeSendForward()]
 | TBD
 |-
 | align="center" | '''BAN013'''
-| RequestDispatcher.forward()
+| ServletResponse.addHeader()
-| HTTPUtilities.sendSafeForward()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities.html HTTPUtilities.safeSetHeader()/safeSetHeader()]
 | TBD
 |-
 | align="center" | '''BAN014'''
-| ServletResponse.addHeader()
+| ServletResponse.addCookie()
-| HTTPUtilities.addSafeHeader()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities.html HTTPUtilities.safeAddCookie()]
 | TBD
 |-
 | align="center" | '''BAN015'''
-| ServletResponse.addCookie()
+| ServletRequest.isSecure()
-| HTTPUtilities.addSafeCookie()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities.html HTTPUtilties.isSecureChannel()]
 | TBD
 |-
 | align="center" | '''BAN016'''
-| ServletRequest.isSecure()
+| Properties.*
-| HTTPUtilties.isSecureChannel()
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IEncryptedProperties.html EncryptedProperties.*]
 | TBD
 |-
 | align="center" | '''BAN017'''
-| Properties.*
+| ServletContext.log()
-| EncryptedProperties.*
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/ILogger.html Logger.*]
 | TBD
 |-
 | align="center" | '''BAN018'''
-| ServletContext.log()
+| java.security and javax.crypto
-| Logger.*
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IEncryptor.html Encryptor.*]
 | TBD
 |-
 | align="center" | '''BAN019'''
-| java.security and javax.crypto
+| java.net.URLEncoder/Decoder
-| Encryptor.*
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IEncoder.html Encoder.encodeForURL()/decodeForURL()]
 | TBD
 |-
 | align="center" | '''BAN020'''
-| java.net.URLEncoder/Decoder
-| Encoder.encodeForURL/decodeForURL
-| TBD
-|-
-| align="center" | '''BAN021'''
 | java.sql.Statement.execute
 | PreparedStatement.execute
 | TBD
 |-
-| align="center" | '''BAN022'''
+| align="center" | '''BAN021'''
 | ServletResponse.encodeURL
-| HTTPUtilities.safeEncodeURL (better not to use at all)
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities HTTPUtilities.safeEncodeURL()] (better not to use at all)
 | TBD
 |-
-| align="center" | '''BAN023'''
+| align="center" | '''BAN022'''
 | ServletResponse.encodeRedirectURL
-| HTTPUtilities.safeEncodeRedirectURL (better not to use at all)
+| [http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/org/owasp/esapi/IHTTPUtilities HTTPUtilities.safeEncodeRedirectURL()] (better not to use at all)
+| TBD
 |}

Difference between revisions of "ESAPI Secure Coding Guideline"

Revision as of 14:32, 15 April 2008

Using Security Controls

Authentication

Session Management

Access Control

Input Validation and Encoding

Data Protection

Using Services Securely

Error Handling

Logging and Intrusion Detection

Secure Configuration and Deployment

Avoiding Specific Risks

Cross Site Scripting

Cross Site Request Forgery

Thread Safety Problems

Denial of Service

Banned APIs

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools