This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
ESAPI Secure Coding Guideline
From OWASP
Revision as of 14:53, 14 April 2008 by Jeff Williams (talk | contribs) (Sample AppSec Requirements Based on ESAPI moved to ESAPI Secure Coding Guideline)
Using Security Controls
Authentication
| ID | Requirement | Code Example |
|---|---|---|
| AU001 | The application shall use |
Session Management
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Access Control
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use assertAuthorizedForURL() to verify authorization before allowing access to each URL.
|
TBD |
| AC002 | The application shall use assertAuthorizedForFunction() to verify authorization before allowing access to each business function.
|
TBD |
| AC003 | The application shall use assertAuthorizedForFile() to verify authorization before allowing access to files.
|
TBD |
| AC004 | The application shall use assertAuthorizedForData() to verify authorization before allowing access to data.
|
TBD |
| AC005 | The application shall use assertAuthorizedForService() to verify authorization before allowing access to each backend service.
|
TBD |
| AC006 | The application shall use isAuthorizedFor* methods to verify authorization before including user interface controls in HTML output.
|
TBD |
| AC007 | The application shall use AccessReferenceMap.getIndirectReference() to reference all application objects such as filenames, directory paths, and database keys.
|
TBD |
| AC008 | The application shall prevent access to all resources that should not be directly accessed by users (such as resources, XML files, JSP files, properties) by storing them in a protected directory, such as WEB-INF.
|
TBD |
| AC009 | The application shall use HTTPUtilities.sendSafeForward() for all forwards, to ensure that they cannot be used to bypass access checks.
|
TBD |
| AC0010 | The appplication must use only trusted data used in access control decisions. | TBD |
| AC0011 | Administrative functions for the application shall be deployed as a separate application with increased authentication controls. | TBD |
Input Validation and Encoding
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Data Protection
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Using Services Securely
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Error Handling
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Logging and Intrusion Detection
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Secure Configuration and Deployment
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Preventing Specific Risks
Cross Site Scripting
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Cross Site Request Forgery
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
Denial of Service
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use |
