OWASP Java Table of Contents

Key:
 * xx%: Progress status of the paragraph
 * Review: The paragraph needs a review
 * TD: Paragraph to be assigned

Design considerations

 * Architectural considerations (0%, TD)
 * EJB Middle tier (0%, TD)
 * Web Services Middle tier (0%, TD)
 * Spring Middle tier (0%, TD)

Noteworthy Frameworks
(50% ?, Claire McDonough, Ranjita Shankar Iyer, Rohyt Belani to update, Review)
 * Struts
 * Turbine
 * JSF (MyFaces)
 * Tapestry
 * Webwork
 * Cocoon
 * Tiles
 * SiteMesh
 * Spring

Java Security Basics

 * Class Loading (0%, Shyaam Sundar, Review)
 * Bytecode verifier (0%, Shyaam Sundar, Review)
 * The Security Manager and security.policy file (0%, Shyaam Sundar, Review)

Input Validation

 * Overview (0%, TD)
 * Dangerous calls (BufferedReader.readLine, ServletRequest.getParameter, etc...) (0%, TD)
 * How to add validation logic to HttpServletRequest (100%, Jeff Williams, Review)
 * How to perform HTML entity encoding in Java (100%, Jeff Williams, Review)

Preventing SQL Injection in Java

 * Overview
 * Prevention (60%, Stephen de Vries, Review)
 * White Listing
 * Prepared Statements
 * Stored Procedures
 * Hibernate
 * iBATIS
 * Spring JDBC
 * EJB 3.0
 * JDO

Preventing LDAP Injection in Java

 * Overview (100%, Stephen de Vries, Review)
 * Prevention (100%, Stephen de Vries, Review)

XPath Injection

 * Overview (0%, TD)
 * Prevention (0%, TD)

Miscellaneous Injection Attacks

 * HTTP Response splitting (0%, TD)
 * Command injection - Runtime.getRuntime().exec (0%, TD)

Authentication

 * Storing credentials - (0%, Adrian San Juan, Review)
 * Hashing - (100%, Michel Prunet, Review)
 * SSL Best Practices - (20%, Philippe Curmin, Review)
 * Using JCaptcha - (100%, Dave Ferguson, Review)
 * Container-managed authentication with Realms
 * Declarative Access Control in Java - (100%, Dave Ferguson, Review)
 * JAAS Timed Login Module - (100%, Stephen de Vries, Review)
 * JAAS Tomcat Login Module - (100%, Stephen de Vries, Review)
 * Password length & complexity - (0%, Adrian San Juan, Review)

Session Management

 * Logout (0%, TD)
 * Session Timeout (0%, TD)
 * Absolute Timeout (0%, TD)
 * Session Fixation (0%, TD)
 * Terminating sessions (0%, TD)
 * Terminating sessions when the browser window is closed

Authorization

 * Declarative vs. Programmatic (0%, TD)
 * EJB Authorization (0%, TD)
 * Acegi (0%, TD)
 * JACC (0%, TD)
 * Check horizontal privilege (0%, TD)

Encryption

 * JCE (0%, TD)
 * Storing db secrets (0%, TD)
 * Encrypting JDBC connections (0%, TD)
 * JSSE (0%, TD)
 * Random number generation (0%, TD)

Error Handling & Logging

 * Logging - why log? what to log? log4j, etc. (0%, TD)
 * Exception handling techniques (0%, TD)
   * fail-open/fail-closed
   * resource cleanup
   * finally block
   * swallowing exceptions
 * Exception handling frameworks (50%, TD)
 * Servlet spec - web.xml (see Securing Tomcat) - (100%, Darren Edmonds, Review)
 * JSP errorPage (0%, TD)
 * Web application forensics (0%, TD)

Web Services Security

 * SAML (0%, TD)
 * (X)WS-Security (0%, TD)
 * SunJWSDP (0%, TD)
 * XML Signature (JSR 105) (0%, TD)
 * XML Encryption (JSR 106) (0%, TD)

Code Analysis Tools

 * Introduction (0%, TD)
 * OWASP LAPSE Project (100%, Review)
 * FindBugs (0%, TD)
   * Creating custom rules
 * PMD (0%, TD)
   * Creating custom rules
 * JLint (0%, TD)
 * Jmetrics (0%, TD)

Securing Popular J2EE Servers

 * Securing Tomcat - (100%, Darren Edmonds, Review)
 * Securing JBoss (0%, TD)
 * Securing WebLogic (0%, TD)
 * Securing WebSphere (0%, TD)
 * Others...

Defining a Java Security Policy

 * PolicyTool (80%, Jeff Williams, Needs a new owner, Review)
 * jChains (www.jchains.org) - (0%, TD)

Protecting Binaries

 * Bytecode manipulation tools and techniques (0%, TD)
 * Bytecode obfuscation (proguard) (0%, TD)
 * Convert bytecode to native machine code (0%, TD)
 * Signing jar files with jarsigner (0%, TD)

J2EE Security for Security Analysts and Testers

 * Using Eclipse to verify Java applications (0%, TD)
 * Using WebScarab to find vulnerabilities in J2EE applications - (0%, TD)
 * Decompiling Java bytecode (0%, TD)