This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Scala Frameworks"

From OWASP
Jump to: navigation, search
(Sensitive information in Configuration Files)
(Vulnerable Framework Components)
 
(19 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
The following table contains the most popular ones and their security in terms of modules and implementation
 
The following table contains the most popular ones and their security in terms of modules and implementation
 
= Security Frameworks =
 
= Security Frameworks =
 
+
The following Scala frameworks contain modules that help developers implement secure features such as Authentenciation, Authorization, CRSF or SQLInjection
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
Line 26: Line 26:
 
|}
 
|}
  
== Sensitive information in Configuration Files==
+
==Secure Coding - Scala Frameworks==
Every Scala project will contain configuration files that can contain sensitive information such as:
 
* Passwords in clear text
 
* Path to Keystores
 
* Passwords from Keystores
 
  
Programers should avoid configuring clear text passwords  in Application.conf files, for that purpose, encryption is necessary
+
The following is a series of documents regarding the security configurations for the above mentioned frameworks
 +
https://www.owasp.org/index.php/Scala_Frameworks/Play
  
===Encrypt Keystore Password ===
+
==Vulnerable Framework Components==
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required.
+
It is essential that developers implement regular dependency checks of their components, since most Scala projects will make use of the above mentioned frameworks. Consider using
The Playframework provides some examples of implementing this
+
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore unfortunately, there is no further information on how to create this information secure. The developer must also keep in mind that the default configuration is quite insecure
+
Which has a Scala plugin for this purpose
 +
https://github.com/albuch/sbt-dependency-check
  
'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you
+
==Reference==
 
+
https://www.47deg.com/blog/security-frameworks-for-scala/
Security issue: Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised
 
 
 
'''play.server.https.keyStore.password''' - The password, defaults to a blank password
 
 
 
lank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' password, but make sure you use an environment variable for this purpose
 
  
'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm
+
<!-- Wikimedia insert classified page list here -->
 
+
[[Category:Technology]]
Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
+
[[Category:Language]]
 
+
[[Category:Scala]]
==Vulnerable Framework Components==
 
It os essential that developers implement regular dependency checks of their components, since must Scala projects will make use of the above mentioned frameworks
 
 
Reference
 
https://www.47deg.com/blog/security-frameworks-for-scala/
 

Latest revision as of 13:34, 7 November 2017

Scala language , just as JAVA , offers different types of Security Frameworks you can work with. Depending on the task, here we offer some general guidelines regarding the proper use of them The following table contains the most popular ones and their security in terms of modules and implementation

Security Frameworks

The following Scala frameworks contain modules that help developers implement secure features such as Authentenciation, Authorization, CRSF or SQLInjection

Framework Authentication Authorization CSRF XSS SQLInjection
Play - - -
Deadbolt 2 - - -
Play-pac4j - - - -
Scala-oauth2-provider - - - -
SecureSocial - - - -
Silhouette - Play Framework Library - - - -
Lift
Akka (Akka-http) - - -
Spray - - -

Secure Coding - Scala Frameworks

The following is a series of documents regarding the security configurations for the above mentioned frameworks https://www.owasp.org/index.php/Scala_Frameworks/Play

Vulnerable Framework Components

It is essential that developers implement regular dependency checks of their components, since most Scala projects will make use of the above mentioned frameworks. Consider using https://www.owasp.org/index.php/OWASP_Dependency_Check Which has a Scala plugin for this purpose https://github.com/albuch/sbt-dependency-check

Reference

https://www.47deg.com/blog/security-frameworks-for-scala/