Using Security Controls

Authentication

ID	Requirement	Code Example
AU001	The application shall use to	TBD

Session Management

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Access Control

ID	Requirement	Code Example
AC001	The application shall use `assertAuthorizedForURL()` to verify authorization before allowing access to each URL.	TBD
AC002	The application shall use `assertAuthorizedForFunction()` to verify authorization before allowing access to each business function.	TBD
AC003	The application shall use `assertAuthorizedForFile()` to verify authorization before allowing access to files.	TBD
AC004	The application shall use `assertAuthorizedForData()` to verify authorization before allowing access to data.	TBD
AC005	The application shall use `assertAuthorizedForService()` to verify authorization before allowing access to each backend service.	TBD
AC006	The application shall use `isAuthorizedFor*` methods to verify authorization before including user interface controls in HTML output.	TBD
AC007	The application shall use `AccessReferenceMap.getIndirectReference()` to reference all application objects such as filenames, directory paths, and database keys.	TBD
AC008	The application shall prevent access to all resources that should not be directly accessed by users (such as resources, XML files, JSP files, properties) by storing them in a protected directory, such as `WEB-INF`.	TBD
AC009	The application shall use `HTTPUtilities.sendSafeForward()` for all forwards, to ensure that they cannot be used to bypass access checks.	TBD
AC0010	The appplication must use only trusted data used in access control decisions.	TBD
AC0011	Administrative functions for the application shall be deployed as a separate application with increased authentication controls.	TBD

Input Validation and Encoding

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Data Protection

ID	Requirement	Code Example
AC001	The application shall use to	TBD

| The application shall use an EncryptedProperties to store all security relevant data, such as passwords, credentials, codes, configuration information, addresses, etc…

Using Services Securely

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Error Handling

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Logging and Intrusion Detection

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Secure Configuration and Deployment

ID	Requirement	Code Example
SC001	Production code shall not contain code not intended for use, such as debug, test, and dead code.	TBD
SC002	The application's source code shall not contain secrets that would compromise security if disclosed.	TBD
SC003	The application team shall run code quality tools such as FindBugs and PMD to find quality problems.	TBD

Avoiding Specific Risks

Cross Site Scripting

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Cross Site Request Forgery

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Thread Safety Problems

ID	Requirement	Code Example
AC001	The application shall avoid the use of shared storage, such as class variables, instance variables, or singletons, in all multithreaded code.	TBD

Denial of Service

ID	Requirement	Code Example
AC001	The application shall use to	TBD

Banned APIs

The following calls are dangerous and should be replaces with the safer calls provided by ESAPI.

ID	Banned Call	ESAPI Replacement	Code Example
BAN001	abc	def	TBD

ESAPI Secure Coding Guideline

Using Security Controls

Authentication

Session Management

Access Control

Input Validation and Encoding

Data Protection

Using Services Securely

Error Handling

Logging and Intrusion Detection

Secure Configuration and Deployment

Avoiding Specific Risks

Cross Site Scripting

Cross Site Request Forgery

Thread Safety Problems

Denial of Service

Banned APIs

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools