This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Java Project Roadmap"
From OWASP
(→Ideas) |
|||
Line 15: | Line 15: | ||
==Current Tasks== | ==Current Tasks== | ||
− | * | + | * Call for volunteers - Join the [http://lists.owasp.org/mailman/listinfo/java-project mailing list], read the [[Tutorial]] and get started! |
− | * | + | * Refine this roadmap in the [http://www.owasp.org/index.php/Talk:OWASP_Java_Project_Roadmap discussion]. |
==Ideas== | ==Ideas== | ||
Line 31: | Line 31: | ||
: Sounds like some excellent content! Couldn't this fit in to the [http://www.owasp.org/index.php?title=Talk:OWASP_Java_Project_Roadmap#Code_Analysis_Tools Code Analysis Tools] section (even if we have to rename the section to something like "Code Analysis Techniques")? Since the Eclipse example is something core to the Java project, I think it should be placed under a real heading, but for other miscellaneous content, I've created a Resources section which could include external articles, books and other resources. [[User:Stephendv|Stephendv]] 04:18, 26 June 2006 (EDT) | : Sounds like some excellent content! Couldn't this fit in to the [http://www.owasp.org/index.php?title=Talk:OWASP_Java_Project_Roadmap#Code_Analysis_Tools Code Analysis Tools] section (even if we have to rename the section to something like "Code Analysis Techniques")? Since the Eclipse example is something core to the Java project, I think it should be placed under a real heading, but for other miscellaneous content, I've created a Resources section which could include external articles, books and other resources. [[User:Stephendv|Stephendv]] 04:18, 26 June 2006 (EDT) | ||
+ | |||
+ | ==J2EE Security for Architects== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr> | ||
+ | <tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr> | ||
+ | <tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr> | ||
+ | <tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr> | ||
+ | </table> | ||
+ | ===Design considerations=== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost. | ||
+ | |||
+ | Any other security concerns that should be addressed during the design phase should also be mentioned here.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Architectural considerations | ||
+ | ** EJB Middle tier | ||
+ | ** Web Services Middle tier | ||
+ | ** Spring Middle tier | ||
+ | |||
+ | ===Noteworthy Frameworks=== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Acegi | ||
+ | * Commons validator | ||
+ | * jGuard | ||
+ | * Stinger | ||
+ | |||
+ | ==J2EE Security for Developers== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr> | ||
+ | <tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr> | ||
+ | <tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr> | ||
+ | <tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr> | ||
+ | </table> | ||
+ | ===Java Security Basics=== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Class Loading | ||
+ | * Bytecode verifier | ||
+ | * The Security Manager and security.policy file | ||
+ | |||
+ | ===Input Validation=== | ||
+ | * Overview | ||
+ | |||
+ | ==== SQL Injection==== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Provide cursory background information on SQL injection and refer to the Guide for more indepth coverage (no need to duplicate info in the Guide). This section should provide practical advise and real-world code examples for developers. If you feel that a popular persistence framework is not covered, please add it!</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Overview | ||
+ | * Prevention | ||
+ | ** White Listing | ||
+ | ** Prepared Statements | ||
+ | ** Stored Procedures | ||
+ | ** Hibernate | ||
+ | ** Ibatis | ||
+ | ** Spring JDBC | ||
+ | ** EJB 3.0 | ||
+ | ** JDO | ||
+ | |||
+ | ====Cross Site Scripting (XSS)==== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Provide cursory background information on XSS and refer to the Guide for more indepth coverage. This section should provide practical advise and real-world code examples for developers. If you would like to see coverage of a web framework that's not listed, please add it!</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Overview | ||
+ | * Prevention | ||
+ | ** White Listing | ||
+ | ** Manual HTML Encoding | ||
+ | ** Preventing XSS in popular Web Frameworks | ||
+ | *** JSP/JSTL | ||
+ | *** Struts | ||
+ | *** Spring MVC | ||
+ | *** Java Server Faces | ||
+ | *** WebWork | ||
+ | *** Wicket | ||
+ | *** Tapestry | ||
+ | * CSRF attack | ||
+ | |||
+ | ==== LDAP Injection ==== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing LDAP injection.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Overview | ||
+ | * Prevention | ||
+ | |||
+ | ==== XPATH Injection ==== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Overview | ||
+ | * Prevention | ||
+ | |||
+ | ==== Miscellaneous Injection Attacks ==== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Should contain practical real-world advise and code examples.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * HTTP Response splitting | ||
+ | * Command injection - Runtime.getRuntime().exec() | ||
+ | |||
+ | === Authentication=== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Discuss authentication for Java and J2EE apps under the suggested headings below. Examples for container managed authentication of specific application servers are also welcome.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Storing credentials | ||
+ | * Hashing | ||
+ | * SSL Best Practices | ||
+ | * CAPTCHA systems (such as jcaptcha) | ||
+ | * Container-managed authentication with Realms | ||
+ | * JAAS Authentication | ||
+ | * Password length & complexity | ||
+ | |||
+ | ===Session Management=== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples. </td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Logout | ||
+ | * Session Timeout | ||
+ | * Absolute Timeout | ||
+ | * Session Fixation | ||
+ | * Terminating sessions | ||
+ | ** Terminating sessions when the browser window is closed | ||
+ | |||
+ | ===Authorization=== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * In presentation layer | ||
+ | * In business logic | ||
+ | * In data layer | ||
+ | * Declarative v/s Programmatic | ||
+ | * web.xml configuration | ||
+ | * [[Forced browsing]] | ||
+ | * JAAS | ||
+ | * EJB Authorization | ||
+ | * Acegi | ||
+ | * JACC | ||
+ | * Check horizontal privilege | ||
+ | |||
+ | === Encryption=== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * JCE | ||
+ | * Storing db secrets | ||
+ | * Encrypting JDBC connections | ||
+ | * JSSE | ||
+ | * Random number generation | ||
+ | |||
+ | === Error Handling & Logging=== | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Output Validation | ||
+ | * Custom Errors | ||
+ | * Logging - why log? what to log? log4j, etc. | ||
+ | * Exception handling techniques | ||
+ | ** fail-open/fail-closed | ||
+ | ** resource cleanup | ||
+ | ** finally block | ||
+ | ** swallowing exceptions | ||
+ | * Exception handling frameworks | ||
+ | ** Servlet spec - web.xml | ||
+ | ** JSP errorPage | ||
+ | * Web application forensics | ||
+ | |||
+ | === Web Services Security === | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Discuss securely implementing Web Services using Java technologies. Examples using specific frameworks are welcome. The topic list is a bit light at the moment, please add more topics if they're relevant.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * SAML | ||
+ | * (X)WS-Security | ||
+ | * SunJWSDP | ||
+ | * XML Signature (JSR 105) | ||
+ | * XML Encryption (JSR 106) | ||
+ | |||
+ | === Code Analysis Tools === | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Tutorial]] guidelines, these submissions will be gladly received.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Introduction | ||
+ | * FindBugs | ||
+ | ** Creating custom rules | ||
+ | * PMD | ||
+ | ** Creating custom rules | ||
+ | * JLint | ||
+ | * Jmetrics | ||
+ | |||
+ | == J2EE Security For Deployers == | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr> | ||
+ | <tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr> | ||
+ | <tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr> | ||
+ | <tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr> | ||
+ | </table> | ||
+ | === Securing Popular J2EE Servers === | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Securing Tomcat | ||
+ | * Securing JBoss | ||
+ | * Securing WebLogic | ||
+ | * Securing WebSphere | ||
+ | * Others... | ||
+ | |||
+ | === Defining a Java Security Policy === | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>Practical information on creating a Java security policies for J2EE servers.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * PolicyTool | ||
+ | * jChains (www.jchains.org) | ||
+ | |||
+ | === Protecting Binaries === | ||
+ | <table border=1 cellpadding=5> | ||
+ | <tr><td valign="top"><b>Objective:</b></td><td>This should be focussed on web applications, so examples should include applets and web start apps.</td></tr> | ||
+ | <tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> | ||
+ | <tr><td valign="top"><b>Contributors:</b></td><td></td></tr> | ||
+ | <tr><td><b>Reviewers:</b></td><td></td></tr> | ||
+ | </table> | ||
+ | * Bytecode Manipulation Tools and Techniques | ||
+ | * Bytecode obfuscation | ||
+ | * Convert bytecode to native machine code | ||
+ | * jarsigner | ||
[[Category:OWASP Java Project]] | [[Category:OWASP Java Project]] |
Revision as of 08:58, 26 June 2006
- 1 Goals
- 2 Current Tasks
- 3 Ideas
- 4 J2EE Security for Architects
- 5 J2EE Security for Developers
- 6 J2EE Security For Deployers
Goals
The OWASP Java Project's overall goal is to...
Produce materials that show J2EE architects, developers, and deployers how to deal with most common application security problems throughout the lifecycle.
In the near term, we are focused on the following tactical goals:
- Provide examples of how to prevent Cross Site Scripting attacks in popular web frameworks
- Provide examples of how to prevent SQL Injection in popular data access frameworks
- Provide examples of how to prevent LDAP injection in Java
- A practical guide to implementing a security policy for a Java web application
- Secure configuration guides for popular application servers
Current Tasks
- Call for volunteers - Join the mailing list, read the Tutorial and get started!
- Refine this roadmap in the discussion.
Ideas
Please submit your ideas for the OWASP Java Project here (you can sign your ideas by adding four tilde characters like this ~~~~)
- It would be useful to have a library of J2EE security resources on the web. In addition to URLs, I think these should have short summaries that explain what the resource is about. I've clicked on far too many "J2EE Security" links only to find that the article is about implementing access control in Tomcat.
- A tool that automatically generates a security policy for a given application could be useful. The tool is first run in learning mode where it maps all the accesses that the application attempts and then generates a policy based on those access attempts.
- Note: I built such a tool back in the mid-1990's. It's a custom security manager that intercepts all accesses and has a "learn" mode. If someone is willing to take on the project, I'd be happy to dig it up. Jeff Williams 16:18, 8 June 2006 (EDT)
- I'll be happy to take this on - what status is the code currently in? --Stephendv 09:15, 12 June 2006 (EDT)
- I think we should consider revamping the roadmap with specific article titles and content that we'd like to get written. For example, I'm considering writing an article on how to set up Eclipse to do a code review. It would be nice to link that in here, but I'm not sure just where. I was thinking something like this....
- Using Eclipse for security code review
- This article will cover setting up Eclipse with plugins like FindBugs, jlint, PMD, and Metrics. Then it will explore how you can use the various search and code browsing functions to find and diagnose potential vulnerabilities. Jeff Williams 15:01, 22 June 2006 (EDT)
- Sounds like some excellent content! Couldn't this fit in to the Code Analysis Tools section (even if we have to rename the section to something like "Code Analysis Techniques")? Since the Eclipse example is something core to the Java project, I think it should be placed under a real heading, but for other miscellaneous content, I've created a Resources section which could include external articles, books and other resources. Stephendv 04:18, 26 June 2006 (EDT)
J2EE Security for Architects
Deadline for first draft: | 19/08/2006 |
Deadline for first review: | 26/08/2006 |
Deadline for final draft: | 11/09/2006 |
Deadline for final review: | 20/09/2006 |
Design considerations
Objective: | Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost. Any other security concerns that should be addressed during the design phase should also be mentioned here. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Architectural considerations
- EJB Middle tier
- Web Services Middle tier
- Spring Middle tier
Noteworthy Frameworks
Objective: | Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Acegi
- Commons validator
- jGuard
- Stinger
J2EE Security for Developers
Deadline for first draft: | 19/08/2006 |
Deadline for first review: | 26/08/2006 |
Deadline for final draft: | 11/09/2006 |
Deadline for final review: | 20/09/2006 |
Java Security Basics
Objective: | Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Class Loading
- Bytecode verifier
- The Security Manager and security.policy file
Input Validation
- Overview
SQL Injection
Objective: | Provide cursory background information on SQL injection and refer to the Guide for more indepth coverage (no need to duplicate info in the Guide). This section should provide practical advise and real-world code examples for developers. If you feel that a popular persistence framework is not covered, please add it! |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Overview
- Prevention
- White Listing
- Prepared Statements
- Stored Procedures
- Hibernate
- Ibatis
- Spring JDBC
- EJB 3.0
- JDO
Cross Site Scripting (XSS)
Objective: | Provide cursory background information on XSS and refer to the Guide for more indepth coverage. This section should provide practical advise and real-world code examples for developers. If you would like to see coverage of a web framework that's not listed, please add it! |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Overview
- Prevention
- White Listing
- Manual HTML Encoding
- Preventing XSS in popular Web Frameworks
- JSP/JSTL
- Struts
- Spring MVC
- Java Server Faces
- WebWork
- Wicket
- Tapestry
- CSRF attack
LDAP Injection
Objective: | As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing LDAP injection. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Overview
- Prevention
XPATH Injection
Objective: | As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Overview
- Prevention
Miscellaneous Injection Attacks
Objective: | Should contain practical real-world advise and code examples. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- HTTP Response splitting
- Command injection - Runtime.getRuntime().exec()
Authentication
Objective: | Discuss authentication for Java and J2EE apps under the suggested headings below. Examples for container managed authentication of specific application servers are also welcome. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Storing credentials
- Hashing
- SSL Best Practices
- CAPTCHA systems (such as jcaptcha)
- Container-managed authentication with Realms
- JAAS Authentication
- Password length & complexity
Session Management
Objective: | The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Logout
- Session Timeout
- Absolute Timeout
- Session Fixation
- Terminating sessions
- Terminating sessions when the browser window is closed
Authorization
Objective: | Java and J2EE specific discussion and examples. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- In presentation layer
- In business logic
- In data layer
- Declarative v/s Programmatic
- web.xml configuration
- Forced browsing
- JAAS
- EJB Authorization
- Acegi
- JACC
- Check horizontal privilege
Encryption
Objective: | Java and J2EE specific discussion and examples. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- JCE
- Storing db secrets
- Encrypting JDBC connections
- JSSE
- Random number generation
Error Handling & Logging
Objective: | Java and J2EE specific discussion and examples. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Output Validation
- Custom Errors
- Logging - why log? what to log? log4j, etc.
- Exception handling techniques
- fail-open/fail-closed
- resource cleanup
- finally block
- swallowing exceptions
- Exception handling frameworks
- Servlet spec - web.xml
- JSP errorPage
- Web application forensics
Web Services Security
Objective: | Discuss securely implementing Web Services using Java technologies. Examples using specific frameworks are welcome. The topic list is a bit light at the moment, please add more topics if they're relevant. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- SAML
- (X)WS-Security
- SunJWSDP
- XML Signature (JSR 105)
- XML Encryption (JSR 106)
Code Analysis Tools
Objective: | The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the Tutorial guidelines, these submissions will be gladly received. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Introduction
- FindBugs
- Creating custom rules
- PMD
- Creating custom rules
- JLint
- Jmetrics
J2EE Security For Deployers
Deadline for first draft: | 19/08/2006 |
Deadline for first review: | 26/08/2006 |
Deadline for final draft: | 11/09/2006 |
Deadline for final review: | 20/09/2006 |
Securing Popular J2EE Servers
Objective: | Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Securing Tomcat
- Securing JBoss
- Securing WebLogic
- Securing WebSphere
- Others...
Defining a Java Security Policy
Objective: | Practical information on creating a Java security policies for J2EE servers. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- PolicyTool
- jChains (www.jchains.org)
Protecting Binaries
Objective: | This should be focussed on web applications, so examples should include applets and web start apps. |
Status: | Call for volunteers |
Contributors: | |
Reviewers: |
- Bytecode Manipulation Tools and Techniques
- Bytecode obfuscation
- Convert bytecode to native machine code
- jarsigner