This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Talk:OWASP Java Project Roadmap
- 1 J2EE Security for Architects
- 2 J2EE Security for Developers
- 3 J2EE Security For Deployers
J2EE Security for Architects
- Risk Analysis
To my mind, Risk Analysis is a general exercise that will apply equaly to all apps irrespective of the language used to implement the app. So would say that this belongs in the Guide rather than the Java project, unless you have some ideas on how to make this Java specific? --Stephendv 08:04, 12 June 2006 (EDT)
- Mapping Regulatory requirements to technical requirements
Same as above. --Stephendv 08:04, 12 June 2006 (EDT)
- Design considerations
This is quite general. Shall we narrow it down to the architectural issues that should be considered for each of the popular architectures such as:
- Architectural considerations
- EJB Middle tier
- Web Services Middle tier
- Spring Middle tier
--Stephendv 08:04, 12 June 2006 (EDT)
- Frameworks you should be aware of (e.g. struts, stinger, etc.)
There are many frameworks out there, so I'd suggest we keep this down to frameworks that specifically offer security functionality such as:
- Acegi
- Commons validator
- Stinger seems to be parked for a while now, is this correct Jeff?
Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section. --Stephendv 08:04, 12 June 2006 (EDT)
J2EE Security for Developers
Java Security Basics
- Class Loading
- Bytecode verifier
- The Security Manager
Input Validation
- Overview
SQL Injection
- Overview
- Prevention
- White Listing
- Prepared Statements
- Stored Procedures
- Hibernate
- Ibatis
- Spring JDBC
- EJB 3.0?
- JDO?
XSS
- Overview
- Prevention
- White Listing
- Manual HTML Encoding
- Preventing XSS in popular Web Frameworks
- JSP
- Struts
- Spring MVC
- Java Server Faces
- WebWork?
- Wicket?
- Tapestry?
-
Misc I/P Validation Attacks (e.g. HTTP Response Splitting)- Moved this out to a separate section below. --Stephendv 08:41, 12 June 2006 (EDT) -
Using strutsWould recommend we cover a number of frameworks as mentioned above. --Stephendv 08:04, 12 June 2006 (EDT)
LDAP Injection
- Overview
- Prevention
XPATH Injection
- Overview
- Prevention
Miscellaneous Injection Attacks
- HTTP Response splitting
Authentication
- SSL Best Practices
- SQL Injection. Why discuss this here, when it's an input validation issue? --Stephendv 08:04, 12 June 2006 (EDT)
-
Session Fixation- Move this out to a separate section below. --Stephendv 08:37, 12 June 2006 (EDT) - Captcha systems
Authorization
- Declarative v/s Programmatic
- web.xml configuration
- Forceful browsing. Could you expand on this? --Stephendv 08:04, 12 June 2006 (EDT)
- JAAS
- EJB Authorization
- Acegi?
Session Management
- Session Fixation
- Terminating sessions
- Terminating sessions when the browser window is closed
- Implementing a session timeout
Encryption
- JCE
- Storing db secrets
- Encrypting JDBC connections
Error Handling & Logging
- Output Validation
- Custom Errors
- Logging - why log? what to log? log4j, etc.
Web Services Security
- SAML
- WS-Security
- ...?
Code Analysis Tools
- FindBugs
- Creating custom rules
- PMD
- Creating custom rules
J2EE Security For Deployers
Securing Popular J2EE Servers
- Securing Tomcat
- Securing JBoss
- Securing WebLogic
- Securing WebSphere
- Securing x...
Defining a Java Security Policy
- Jeff's tool? --Stephendv 08:37, 12 June 2006 (EDT)