Category:OWASP Java Project

Main
The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently. See the OWASP Java Project Roadmap for more information on our plans.

Java Security Overview
While Java and J2EE contain many security technologies, it is not easy to produce an application without security vulnerabilities. Most application security vulnerabilities apply to Java applications just like other environments. The notable exception is buffer overflow and related issues that do not apply to Java applications.

There is a wealth of information about vulnerabilities that apply to Java and JavaEE application in the Vulnerability articles here at OWASP. The articles that have specific Java examples are tagged with the Java category.

The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure Java applications. We cover the following topics:


 * J2EE Security for Architects
 * Provides information about the design and architectural considerations for a Java web application. Common architectures such as EJB, Web Services and Spring Middle tiers are discussed.


 * J2EE Security for Developers
 * These articles cover dangerous Java calls and common vulnerabilities associated with them, such as Runtime.exec, Statement.execute, readline, etc... The dangers of native code, dynamic code, and reflection will be discussed. We'll also talk about using tools like PMD, jlint, FindBugs, Eclipse, jad, and more. This section will also cover standard security mechanisms in the JDK, such as cryptography, logging, encryption, error handling. Securing elements of an application, such as servlets, JSPs, controllers, business logic, and persistence layers will be covered. We'll discuss handling request parameters, encoding, injection, and more. We'll also discuss the use of security mechanisms such as log4j, BouncyCastle, XML encryption, XML signature, and other technologies.


 * J2EE Security for Deployers
 * These articles cover topics specifically related to the J2EE environment. We discuss minimizing the attack surface in web.xml, configuring error handlers, and performing hardening of popular J2EE application servers.


 * J2EE Security for Security Analysts and Testers
 * These articles cover the verification, analysis, and testing of the security of J2EE applications. This section will cover using tools to find vulnerabilities, both in source code and in running applications. These articles will focus on J2EE-specific aspects of testing applications that use various common J2EE frameworks and coding patterns.

Related OWASP Projects

 * OWASP Enterprise Security API (ESAPI) Project
 * a free and open collection of all the security methods that a developer needs to build a secure web application.


 * OWASP Development Guide
 * a massive document covering all aspects of web application and web service security


 * OWASP Java Encoder Project
 * a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies to help Java web developers defend against Cross Site Scripting


 * OWASP AntiSamy Java Project
 * an API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks


 * OWASP Java HTML Sanitizer Project
 * a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.


 * OWASP Java JSON Sanitizer
 * a tool to convert JSON-like content to valid JSON! The OWASP JSON Sanitizer Project is a simple to use Java library that can be attached at either end of a data-pipeline


 * OWASP Dependency Check
 * a Java utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities


 * OWASP Secure Headers Project
 * a collection of HTTP response headers to elevate the security of your web app!


 * OWASP Secure Coding Practices - Quick Reference Guide
 * this document provides a quick high level reference for secure coding practices. It is technology agnostic and defines a set of general software security coding practices, in a checklist format, that can be integrated into the development lifecycle.


 * OWASP Code Review Guide
 * a project to capture best practices for reviewing code.


 * OWASP CSRFGuard Project
 * a J2EE filter that implements a unique request token to mitigate CSRF attacks


 * OWASP Code Pulse
 * a real-time code coverage tool of penetration testing activities

Roadmap
The OWASP Java Project's overall goal is to...

build and maintain a central landing page on the Web for all Java users (developers, architects & co.) interested in Web security

and to

produce materials that show J2EE architects, developers, and deployers how to deal with most common application security problems throughout the lifecycle.

In the near term, we are focused on the following tactical goals:


 * 1) Restructure the existing content
 * 2) Align the page with other Java-related OWASP projects like ESAPI, Webgoat, ASVS (including a new chapter:  "OWASP J2EE Related Projects")
 * 3) Priorize work on missing content
 * 4) Implement a J2EE/Java EE Secure Coding Guideline based on ESAPI, ASVS and/or the Quick Reference Guide.
 * 5) Set-up a comparision of security aspects of web frameworks such like struts2, spring mvc, jsf, gwt, etc.
 * 6) Set-up a comparision of security aspects of templating technologies such as jsp, velocity, tiles, etc.
 * 7) Provide examples of how to prevent comman attacks like XSS in popular web frameworks
 * 8) A practical guide to implementing a security policy for a Java web application
 * 9) Provide secure configuration guides for popular application servers
 * 10) Provide an OWASP Java Top 10

Current Tasks
See the OWASP Java Table of Contents for details of individual article status
 * Call for volunteers - Join the mailing list, read the Tutorial, check the OWASP Java Table of Contents and get started!
 * Review of current articles

Ideas
Please submit your high level ideas about the direction of the OWASP Java Project here (you can sign your ideas by adding four tilde characters like this ~ )
 * To add specific articles, visit the OWASP Java Table of Contents

Joining the Project
Mirko Richter is the project lead. The project's high level roadmap can be found at the Roadmap tab. Remember to add the tag: to the end of new articles so that they're properly categorised.
 * Please submit your ideas for individual articles to the Java Project Article Wishlist.
 * If you'd like to contribute:
 * 1) visit the Tutorial,
 * 2) join the mailing list
 * 3) and pick a topic from the OWASP Java Table of Contents, or suggest a new topic.