Talk:OWASP Java Project Roadmap

J2EE Security for Architects
To my mind, Risk Analysis is a general exercise that will apply equaly to all apps irrespective of the language used to implement the app. So would say that this belongs in the Guide rather than the Java project, unless you have some ideas on how to make this Java specific? --Stephendv 08:04, 12 June 2006 (EDT) Same as above. --Stephendv 08:04, 12 June 2006 (EDT) This is quite general. Shall we narrow it down to the architectural issues that should be considered for each of the popular architectures such as: --Stephendv 08:04, 12 June 2006 (EDT) There are many frameworks out there, so I'd suggest we keep this down to frameworks that specifically offer security functionality such as: Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section. --Stephendv 08:04, 12 June 2006 (EDT)
 * Risk Analysis
 * Mapping Regulatory requirements to technical requirements
 * Design considerations
 * Architectural considerations
 * EJB Middle tier
 * Web Services Middle tier
 * Spring Middle tier
 * Frameworks you should be aware of (e.g. struts, stinger, etc.)
 * Acegi
 * Commons validator
 * Stinger seems to be parked for a while now, is this correct Jeff?

Input Validation

 * Overview

SQL Injection

 * Overview
 * Prevention
 * White Listing
 * Prepared Statements
 * Stored Procedures
 * Hibernate
 * Ibatis
 * Spring JDBC
 * EJB 3.0? --Stephendv 08:04, 12 June 2006 (EDT)
 * JDO? --Stephendv 08:04, 12 June 2006 (EDT)

XSS

 * Overview
 * Prevention
 * White Listing
 * Manual HTML Encoding
 * Preventing XSS in popular Web Frameworks
 * JSP
 * Struts
 * Spring MVC
 * Java Server Faces
 * WebWork
 * Wicket
 * Tapestry --Stephendv 08:04, 12 June 2006 (EDT)
 * Misc I/P Validation Attacks (e.g. HTTP Response Splitting)
 * Using struts (Would recommend we cover a number of frameworks as mentioned above). --Stephendv 08:04, 12 June 2006 (EDT)

Authentication

 * SSL Best Practices
 * SQL Injection. Why discuss this here, when it's an input validation issue? --Stephendv 08:04, 12 June 2006 (EDT)
 * Session Fixation
 * Captcha systems --Stephendv 08:04, 12 June 2006 (EDT)

Authorization

 * Declarative v/s Programmatic
 * web.xml configuration
 * Forceful browsing. Could you expand on this? --Stephendv 08:04, 12 June 2006 (EDT)
 * JAAS

Encryption

 * JCE
 * Storing db secrets
 * Encrypting JDBC connections

Error Handling & Logging

 * Output Validation
 * Custom Errors
 * Logging - why log? what to log? log4j, etc.

Deployment Issues

 * Need to add here