This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:OWASP Java Project Roadmap"

From OWASP
Older revision edit summary: m (J2EE Security for Architects)
Newer revision edit summary: (some additions and comments)

Lines prefixed "-" were removed, lines prefixed "+" were added, unprefixed lines are unchanged context.

Line 1 (old) / Line 1 (new):
  ==J2EE Security for Architects==
+ 
  === Risk Analysis===
  To my mind, Risk Analysis is a general exercise that will apply equaly to all apps irrespective of the language used to implement the app.  So would say that this belongs in the Guide rather than the Java project, unless you have some ideas on how to make this Java specific?  --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT)
+ I agree -- suggest deleting this section [[User:Jeff Williams|Jeff Williams]] 09:04, 12 June 2006 (EDT)
+ 
  ===Mapping Regulatory requirements to technical requirements===
  Same as above. --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT)
+ I agree -- suggest deleting this section [[User:Jeff Williams|Jeff Williams]] 09:04, 12 June 2006 (EDT)
+ 
  ===Design considerations===
  This is quite general.  Shall we narrow it down to the architectural issues that should be considered for each of the popular architectures such as:

Line 11 (old) / Line 16 (new):
  ** Spring Middle tier
  --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT)
+ 
  ===Frameworks you should be aware of (e.g. struts, stinger, etc.)===
  There are many frameworks out there, so I'd suggest we keep this down to frameworks that specifically offer security functionality such as:

Line 16 (old) / Line 22 (new):
  * Commons validator
  * Stinger seems to be parked for a while now, is this correct Jeff?
+ ** Stinger is
  Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section.  --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT)
+ 
  ==J2EE Security for Developers==
+ 
  ===Java Security Basics===
  * Class Loading
  * Bytecode verifier
- * The Security Manager
+ * The Security Manager and security.policy file
+ I suggest we do something short here for web developers, and wait on client side apps for now [[User:Jeff Williams|Jeff Williams]] 09:04, 12 June 2006 (EDT)
  ===Input Validation===
  * Overview
+ 
  ==== SQL Injection====
  * Overview

Line 66 (old) / Line 77 (new):
  === Authentication===
+ * Storing credentials
+ * Hashing
  * SSL Best Practices
- * SQL Injection.  Why discuss this here, when it's an input validation issue? --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT)
+ * CAPTCHA systems (jcaptcha?)
- * <s>Session Fixation</s> - Move this out to a separate section below. --[[User:Stephendv|Stephendv]] 08:37, 12 June 2006 (EDT)
+ 
- * Captcha systems
+ ===Session Management===
+ * Logout
+ * Session Timeout
+ * Absolute Timeout
+ * Session Fixation
  ===Authorization===
+ * In presentation layer
+ * In business logic
+ * In data layer
  * Declarative v/s Programmatic
  * web.xml configuration
- * Forceful browsing.  Could you expand on this? --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT)
+ * [[Forced browsing]].  Could you expand on this? --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT).  This is an attack that attempts to exploit the use of [[Access control enforced by presentation layer]].
  * JAAS
  * EJB Authorization

Line 105 (old) / Line 125 (new):
  * PMD
  ** Creating custom rules
+ * JLint
+ * Jmetrics
  == J2EE Security For Deployers ==
+ 
  === Securing Popular J2EE Servers ===
  * Securing Tomcat

Line 113 (old) / Line 136 (new):
  * Securing WebSphere
  * Securing x...
+ 
  === Defining a Java Security Policy ===
  * Jeff's tool? --[[User:Stephendv|Stephendv]] 08:37, 12 June 2006 (EDT)
+ * jChains (www.jchains.org)
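
Review bot: In the Frameworks hunk (old line 16 / new line 22) the added reply "** Stinger is" stops mid-sentence, so the question about whether Stinger is parked is still unanswered on the page; the reply should be completed before the section is used to decide what goes in the roadmap.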
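
Review bot: In the Java Security Basics hunk, "* The Security Manager and security.policy file" names a file the JDK does not ship. The grants the Security Manager enforces come from java.policy (the system policy under the JDK's security directory, replaced or extended per run with -Djava.security.policy), while java.security is the security properties file. Suggest "* The Security Manager and the java.policy file" so readers look for the right file.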
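
Review bot: In the Authentication hunk (old line 66 / new line 77) the added "===Session Management===" subsection (Logout, Session Timeout, Absolute Timeout, Session Fixation) duplicates the existing "Session Management" section further down the page, which already lists Session Fixation, Terminating sessions and Implementing a session timeout, so session fixation and timeouts now appear twice. Suggest merging the new bullets into the existing section and carrying Logout and Absolute Timeout over to it.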

Revision as of 13:04, 12 June 2006

J2EE Security for Architects

Risk Analysis

To my mind, Risk Analysis is a general exercise that will apply equally to all apps irrespective of the language used to implement the app. So I would say that this belongs in the Guide rather than the Java project, unless you have some ideas on how to make this Java specific? --Stephendv 08:04, 12 June 2006 (EDT)

I agree -- suggest deleting this section Jeff Williams 09:04, 12 June 2006 (EDT)

Mapping Regulatory requirements to technical requirements

Same as above. --Stephendv 08:04, 12 June 2006 (EDT)

I agree -- suggest deleting this section Jeff Williams 09:04, 12 June 2006 (EDT)

Design considerations

This is quite general. Shall we narrow it down to the architectural issues that should be considered for each of the popular architectures such as:

  • Architectural considerations
    • EJB Middle tier
    • Web Services Middle tier
    • Spring Middle tier

--Stephendv 08:04, 12 June 2006 (EDT)

Frameworks you should be aware of (e.g. struts, stinger, etc.)

There are many frameworks out there, so I'd suggest we keep this down to frameworks that specifically offer security functionality such as:

  • Acegi
  • Commons validator
  • Stinger seems to be parked for a while now, is this correct Jeff?
    • Stinger is

Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section. --Stephendv 08:04, 12 June 2006 (EDT)


J2EE Security for Developers

Java Security Basics

  • Class Loading
  • Bytecode verifier
  • The Security Manager and security.policy file

I suggest we do something short here for web developers, and wait on client side apps for now Jeff Williams 09:04, 12 June 2006 (EDT)

Input Validation

  • Overview

SQL Injection

  • Overview
  • Prevention
    • White Listing
    • Prepared Statements
    • Stored Procedures
    • Hibernate
    • Ibatis
    • Spring JDBC
    • EJB 3.0?
    • JDO?
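
The contrast between the first three prevention bullets, as an added example that is not part of the roadmap or of any OWASP project code. It shows a JDBC lookup built by string concatenation, the same lookup as a prepared statement, and the whitelist that is still needed for an identifier (an ORDER BY column) that cannot be bound as a parameter. The table and column names (users, username, last_login) are hypothetical, and the Connection is assumed to be supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example, not code from the OWASP Java project. The table and column
 * names (users, username, last_login) are hypothetical; the Connection is
 * supplied by the caller.
 */
public class UserLookup {

    // Vulnerable: the input is pasted into the SQL text. For the input
    // x' OR '1'='1 the quote closes the literal and the rest is parsed as SQL.
    static String unsafeQuery(String username) {
        return "SELECT id FROM users WHERE username = '" + username + "'";
    }

    static boolean userExistsUnsafe(Connection con, String username) throws SQLException {
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(unsafeQuery(username))) {
            return rs.next();
        }
    }

    // Fixed: the SQL text is a constant; the value is bound by the driver and
    // is never parsed as SQL, whatever characters it contains.
    static boolean userExists(Connection con, String username) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(
                "SELECT id FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Caveat: identifiers (ORDER BY column, table name) cannot be bound as
    // parameters, so they are validated against a whitelist before use.
    private static final Set<String> SORTABLE =
            new HashSet<>(Arrays.asList("username", "last_login"));

    static String orderedQuery(String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return "SELECT id, username FROM users ORDER BY " + sortColumn;
    }

    public static void main(String[] args) {
        // Shows the injected predicate that the concatenated version would execute.
        System.out.println(unsafeQuery("x' OR '1'='1"));
        System.out.println(orderedQuery("last_login"));
        try {
            orderedQuery("last_login; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same split applies to the ORM bullets: Hibernate, iBATIS and Spring JDBC all bind values through parameters, but any of them will concatenate an identifier or a raw SQL fragment if the code asks them to, so the whitelist rule for identifiers carries over unchanged.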

XSS

  • Overview
  • Prevention
    • White Listing
    • Manual HTML Encoding
    • Preventing XSS in popular Web Frameworks
      • JSP
      • Struts
      • Spring MVC
      • Java Server Faces
      • WebWork?
      • Wicket?
      • Tapestry?
  • Misc I/P Validation Attacks (e.g. HTTP Response Splitting) - Moved this out to a separate section below. --Stephendv 08:41, 12 June 2006 (EDT)
  • Using struts Would recommend we cover a number of frameworks as mentioned above. --Stephendv 08:04, 12 June 2006 (EDT)
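
The "Manual HTML Encoding" bullet, as an added example that is not part of the roadmap or of any OWASP project code. It shows the encoder a developer writes when the framework does not encode for them, beside the vulnerable and fixed renderings; the JSP and JSTL equivalents in the comments are the standard tags, while the renderUnsafe/renderSafe helpers and the sample payload are this example's own.

```java
/*
 * Added example, not code from the OWASP Java project. Shows the manual
 * HTML-encoding step that prevents reflected XSS when untrusted data is
 * written into element content or a quoted attribute value.
 */
public class HtmlEncoder {

    /** Encodes the characters that can change the HTML parse state in element
     *  content or inside a double- or single-quoted attribute value. */
    static String encode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // &apos; is not defined in HTML 4
                case '/':  out.append("&#x2F;"); break; // keeps "</" out of the output
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable rendering: the raw parameter is written into the page.
    // JSP equivalent:  <p>Hello <%= request.getParameter("name") %></p>
    static String renderUnsafe(String name) {
        return "<p>Hello " + name + "</p>";
    }

    // Fixed rendering.
    // JSTL equivalent: <p>Hello <c:out value="${param.name}"/></p>
    // (c:out escapes < > & ' " because escapeXml defaults to true).
    static String renderSafe(String name) {
        return "<p>Hello " + encode(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed payload standing in for a request parameter.
        String payload = "<script>alert(document.cookie)</script>";
        System.out.println(renderUnsafe(payload)); // the script element reaches the browser intact
        System.out.println(renderSafe(payload));   // the browser displays text and executes nothing
    }
}
```

This encoder is only correct for HTML element content and quoted attribute values; data written into a JavaScript string, a URL, or a CSS value needs the encoder for that context, and an attribute written without quotes is not protected by any of them.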

LDAP Injection

  • Overview
  • Prevention

XPATH Injection

  • Overview
  • Prevention

Miscellaneous Injection Attacks

  • HTTP Response splitting

Authentication

  • Storing credentials
  • Hashing
  • SSL Best Practices
  • CAPTCHA systems (jcaptcha?)
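
The "Storing credentials" and "Hashing" bullets, as an added example that is not part of the roadmap or of any OWASP project code. It stores a password as a salted, iterated PBKDF2 hash using only the JDK's javax.crypto classes; the record format alg$iterations$salt$hash and the iteration count are this example's own choices.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/*
 * Added example, not code from the OWASP Java project. The stored record
 * format "alg$iterations$salt$hash" is this example's own convention.
 */
public class PasswordStore {
    private static final String ALG = "PBKDF2WithHmacSHA256"; // available in JDK 8 and later
    private static final int ITERATIONS = 210000;  // tune so one hash costs roughly 100 ms on your hardware
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the record to store; the password itself is never persisted. */
    static String hash(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                          // per-user salt defeats precomputed tables
        byte[] dk = derive(password, salt, ITERATIONS);
        return ALG + "$" + ITERATIONS + "$" + b64(salt) + "$" + b64(dk);
    }

    /** Recomputes the hash with the salt and iteration count from the record. */
    static boolean verify(char[] password, String record) throws Exception {
        String[] f = record.split("\\$");
        if (f.length != 4 || !ALG.equals(f[0])) return false;
        byte[] salt = Base64.getDecoder().decode(f[2]);
        byte[] expected = Base64.getDecoder().decode(f[3]);
        byte[] actual = derive(password, salt, Integer.parseInt(f[1]));
        return MessageDigest.isEqual(expected, actual);  // constant-time comparison
    }

    private static byte[] derive(char[] pw, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALG).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();  // scrub the copy of the password held by the spec
        }
    }

    private static String b64(byte[] b) {
        return Base64.getEncoder().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample password
        String record = hash(pw);
        System.out.println(record);
        System.out.println("correct password accepted: " + verify(pw, record));
        System.out.println("wrong password accepted:   " + verify("wrong".toCharArray(), record));
    }
}
```

Keeping the algorithm name and iteration count in the record is what lets a later deployment raise the cost or change the algorithm and still verify old records, rehashing each one the next time its owner logs in.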

Session Management

  • Logout
  • Session Timeout
  • Absolute Timeout
  • Session Fixation

Authorization

  • In presentation layer
  • In business logic
  • In data layer
  • Declarative v/s Programmatic
  • web.xml configuration
  • Forced browsing. Could you expand on this? --Stephendv 08:04, 12 June 2006 (EDT). This is an attack that attempts to exploit the use of Access control enforced by presentation layer.
  • JAAS
  • EJB Authorization
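
The forced-browsing point above, as an added example that is not part of the roadmap or of any OWASP project code. Hiding the admin menu entry is access control enforced by the presentation layer; a user who types /admin/users into the address bar bypasses it. The filter below is the programmatic check that runs on every request, and its comment gives the declarative web.xml equivalent. The URL layout (/admin/*), the role name ("admin") and the class name are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the OWASP Java project. The URL layout
 * (/admin/*) and role name ("admin") are hypothetical. Map the filter to /*
 * in web.xml so that every request passes through it.
 *
 * Declarative equivalent (web.xml), enforced by the container before any
 * servlet or JSP runs:
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>admin</web-resource-name>
 *       <url-pattern>/admin/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>admin</role-name></auth-constraint>
 *   </security-constraint>
 * Pitfall: listing <http-method> elements inside the collection protects
 * only those methods; omit them so every method is covered.
 */
public class AdminAuthorizationFilter implements Filter {
    private static final String PROTECTED_PREFIX = "/admin/";
    private static final List<String> REQUIRED_ROLES = Arrays.asList("admin");

    /** The check a hidden menu entry cannot provide: it runs for every
     *  request, so a user who types /admin/users directly is still refused. */
    static boolean isAllowed(String path, Predicate<String> isUserInRole) {
        if (!path.startsWith(PROTECTED_PREFIX)) return true;
        for (String role : REQUIRED_ROLES) {
            if (isUserInRole.test(role)) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        // getServletPath()/getPathInfo() are decoded by the container and
        // carry no path parameters such as ;jsessionid=..., unlike getRequestURI().
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());
        if (!isAllowed(path, req::isUserInRole)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Whichever of the two forms is used, the business-logic and data layers should repeat the role check on their own entry points (the "In business logic" and "In data layer" bullets), because a filter only protects URLs and an EJB or DAO can be reached by other callers.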

Session Management

  • Session Fixation
  • Terminating sessions
    • Terminating sessions when the browser window is closed
  • Implementing a session timeout
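
The session fixation, timeout and logout bullets of both Session Management lists above, as one added example that is not part of the roadmap or of any OWASP project code. It regenerates the session id at login so that an id an attacker planted before authentication is worthless, records a login time so that an absolute timeout can be enforced in addition to the container's idle timeout, and invalidates the server-side session on logout. The attribute names, the timeout values and the "cart" attribute carried across login are this example's own assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/*
 * Added example, not code from the OWASP Java project. Attribute names and
 * timeout values are assumptions; adjust them to the application.
 */
public class SessionSecurity {
    static final String USER_ID = "auth.userId";
    static final String LOGIN_TIME = "auth.loginTime";
    static final long ABSOLUTE_TIMEOUT_MS = 8L * 60 * 60 * 1000; // 8 hours
    static final int IDLE_TIMEOUT_SECONDS = 15 * 60;              // 15 minutes

    /** Call immediately after the credential check succeeds. */
    static HttpSession onLoginSuccess(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            // Carry across only what you deliberately choose (here a hypothetical
            // cart), never everything: pre-auth attributes may be attacker-supplied.
            Object cart = old.getAttribute("cart");
            if (cart != null) keep.put("cart", cart);
            old.invalidate();   // discards the pre-auth id an attacker may know (fixation)
        }
        HttpSession s = req.getSession(true);   // the container issues a fresh id
        // Servlet 3.1 and later: req.changeSessionId() rotates the id and keeps attributes.
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            s.setAttribute(e.getKey(), e.getValue());
        }
        s.setAttribute(USER_ID, userId);
        s.setAttribute(LOGIN_TIME, System.currentTimeMillis());
        s.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);   // idle timeout
        return s;
    }

    /** Run from a filter on every request; false means re-authenticate. */
    static boolean isStillValid(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s == null || s.getAttribute(USER_ID) == null) return false;
        Long loginTime = (Long) s.getAttribute(LOGIN_TIME);
        if (loginTime == null || System.currentTimeMillis() - loginTime > ABSOLUTE_TIMEOUT_MS) {
            // Absolute timeout: an idle timeout alone never expires a session
            // that keeps receiving requests, e.g. from a stolen cookie.
            s.invalidate();
            return false;
        }
        return true;
    }

    /** Logout must end the server-side session, not just forget the user on the client. */
    static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
    }
}
```

On "Terminating sessions when the browser window is closed": the server never sees the window close. A session cookie issued without Max-Age or Expires is dropped by the browser on exit, but the server-side session lives on until one of the timeouts above fires, so the timeouts are the actual control.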

Encryption

  • JCE
  • Storing db secrets
  • Encrypting JDBC connections

Error Handling & Logging

  • Output Validation
  • Custom Errors
  • Logging - why log? what to log? log4j, etc.

Web Services Security

  • SAML
  • WS-Security
  • ...?

Code Analysis Tools

  • FindBugs
    • Creating custom rules
  • PMD
    • Creating custom rules
  • JLint
  • Jmetrics

J2EE Security For Deployers

Securing Popular J2EE Servers

  • Securing Tomcat
  • Securing JBoss
  • Securing WebLogic
  • Securing WebSphere
  • Securing x...

Defining a Java Security Policy

  • Jeff's tool? --Stephendv 08:37, 12 June 2006 (EDT)
  • jChains (www.jchains.org)
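
The policy file itself, as an added example that is not part of the roadmap or of jChains. The comment holds a hypothetical policy (app.policy) that grants only a read on one directory tree and one database connection, and the class shows how a permission check behaves under it. The paths, host name and class name are assumptions; PolicyDemo must be loaded from /opt/app for the codeBase grant to apply.

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;

/*
 * Added example, not code from the OWASP Java project or from jChains.
 * Run with the Security Manager enabled and this policy only:
 *   java -Djava.security.manager -Djava.security.policy==app.policy PolicyDemo
 * where app.policy (hypothetical) contains:
 *   grant codeBase "file:/opt/app/-" {
 *       permission java.io.FilePermission "/var/app/data/-", "read";
 *       permission java.net.SocketPermission "db.internal:5432", "connect,resolve";
 *   };
 * A single "=" adds the file to the JDK's java.policy; "==" replaces it,
 * which is what you want for a deployment policy.
 * Note: the Security Manager was deprecated for removal in JDK 17 (JEP 411)
 * and permanently disabled in JDK 24 (JEP 486); on those runtimes use
 * OS-level sandboxing (containers, seccomp, file permissions) instead.
 */
public class PolicyDemo {

    /** True if the running code may read the path under the active policy. */
    static boolean canRead(String path) {
        if (System.getSecurityManager() == null) {
            return true;   // no manager installed: nothing is checked
        }
        try {
            AccessController.checkPermission(new FilePermission(path, "read"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Under the policy above the first is granted and the second is refused.
        System.out.println("/var/app/data/x.csv readable: " + canRead("/var/app/data/x.csv"));
        System.out.println("/etc/passwd readable: " + canRead("/etc/passwd"));
    }
}
```

The practical way to arrive at a policy like this is the one the "Jeff's tool?" question hints at: run the application under a manager that records the permissions it actually requests, then grant exactly those, rather than starting from AllPermission and hoping to narrow it later.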