OWASP Java Project Roadmap

Goals
The OWASP Java Project's overall goal is to...

Produce materials that show J2EE architects, developers, and deployers how to deal with most common application security problems throughout the lifecycle.

In the near term, we are focused on the following tactical goals:


 * 1) Provide examples of how to prevent Cross Site Scripting attacks in popular web frameworks
 * 2) Provide examples of how to prevent SQL Injection in popular data access frameworks
 * 3) Provide examples of how to prevent LDAP injection in Java
 * 4) A practical guide to implementing a security policy for a Java web application
 * 5) Secure configuration guides for popular application servers

Current Tasks

 * Call for volunteers - Join the mailing list, read the Tutorial and get started!
 * Refine this roadmap in the discussion.

Ideas
Please submit your ideas for the OWASP Java Project here (you can sign your ideas by adding four tilde characters like this ~ )
 * It would be useful to have a library of J2EE security resources on the web. In addition to URLs, I think these should have short summaries that explain what the resource is about.  I've clicked on far too many "J2EE Security" links only to find that the article is about implementing access control in Tomcat.
 * A tool that automatically generates a security policy for a given application could be useful. The tool is first run in learning mode where it maps all the accesses that the application attempts and then generates a policy based on those access attempts. Status: tool sent to Stephen.

Design considerations

 * Architectural considerations
 * EJB Middle tier
 * Web Services Middle tier
 * Spring Middle tier

Noteworthy Frameworks
1.	Struts 2.	Turbine 3.	JFS (MyFaces) 4.	Tapestry 5.	Webwork 6.	Cocoon 7.	Tiles 8.	SiteMesh 9.	Spring

Java Security Basics

 * Class Loading
 * Bytecode verifier
 * The Security Manager and security.policy file

Input Validation

 * Overview
 * Dangerous calls (BufferedReader.readLine, ServletRequest.getParameter, etc...)

SQL Injection

 * Overview
 * Prevention
 * White Listing
 * Prepared Statements
 * Stored Procedures
 * Hibernate
 * Ibatis
 * Spring JDBC
 * EJB 3.0
 * JDO

Cross Site Scripting (XSS)

 * Overview
 * Prevention
 * White Listing
 * Manual HTML Encoding
 * Preventing XSS in popular Web Frameworks
 * JSP/JSTL
 * Struts
 * Spring MVC
 * Java Server Faces
 * WebWork
 * Wicket
 * Tapestry
 * CSRF attack

LDAP Injection

 * Overview
 * Prevention

XPATH Injection

 * Overview
 * Prevention

Miscellaneous Injection Attacks

 * HTTP Response splitting
 * Command injection - Runtime.getRuntime.exec

Authentication

 * Storing credentials - Adrian San Juan
 * Hashing - Michel Prunet is working on this. Topic will include:
 * What is Hashing
 * Why storing password information with Hash is a good approach
 * Why to add salt.
 * How to use Hashing in Java
 * SSL Best Practices - Philippe Curmin is working on it. This topic shall include the following points:
 * What is SSL
 * How SSL is implemented in J2EE
 * HTTPS best practices in general
 * HTTPS best practices in J2EE
 * Examples with Tomcat
 * Examples with JBoss.
 * Using JCaptcha
 * Container-managed authentication with Realms
 * Declarative Access Control in Java
 * JAAS Authentication
 * Password length & complexity - Adrian San Juan

Session Management

 * Logout
 * Session Timeout
 * Absolute Timeout
 * Session Fixation
 * Terminating sessions
 * Terminating sessions when the browser window is closed

Authorization

 * In presentation layer
 * In business logic
 * In data layer
 * Declarative v/s Programmatic
 * web.xml configuration - Declarative Access Control in Java
 * Forced browsing
 * JAAS
 * EJB Authorization
 * Acegi
 * JACC
 * Check horizontal privilege

Encryption

 * JCE
 * Storing db secrets
 * Encrypting JDBC connections
 * JSSE
 * Random number generation

Error Handling & Logging

 * Output Validation
 * Custom Errors
 * Logging - why log? what to log? log4j, etc.
 * Exception handling techniques
 * fail-open/fail-closed
 * resource cleanup
 * finally block
 * swallowing exceptions
 * Exception handling frameworks
 * Servlet spec - web.xml
 * JSP errorPage
 * Web application forensics

Web Services Security

 * SAML
 * (X)WS-Security
 * SunJWSDP
 * XML Signature (JSR 105)
 * XML Encryption (JSR 106)

Code Analysis Tools

 * Introduction
 * FindBugs
 * Creating custom rules
 * PMD
 * Creating custom rules
 * JLint
 * Jmetrics

Securing Popular J2EE Servers

 * Securing Tomcat
 * Securing JBoss
 * Securing WebLogic
 * Securing WebSphere
 * Others...

Defining a Java Security Policy

 * PolicyTool
 * jChains (www.jchains.org)

Protecting Binaries

 * Bytecode manipulation tools and techniques
 * Bytecode obfuscation (proguard)
 * Convert bytecode to native machine code
 * Signing jar files with jarsigner

J2EE Security for Security Analysts and Testers
This is a proposed section that seems to be a good place to put articles that don't fit into some of the other categories. Jeff Williams 17:41, 30 June 2006 (EDT)


 * Using Eclipse to verify Java applications
 * Using Findbugs, PMD, Metrics, NCSS, jLint to find flaws and bugs
 * Using WebScarab to find vulnerabilities in J2EE applications - is there anything that would be specific to J2EE apps here? Wouldn't using webscarab apply to all web apps? Stephendv 07:14, 17 July 2006 (EDT)
 * Decompiling Java bytecode