OWASP Java Project Roadmap

Goals
The OWASP Java Project's overall goal is to...

Produce materials that show J2EE architects, developers, and deployers how to deal with most common application security problems throughout the lifecycle.

In the near term, we are focused on the following tactical goals:


 * 1) Provide examples of how to prevent Cross Site Scripting attacks in popular web frameworks
 * 2) Provide examples of how to prevent SQL Injection in popular data access frameworks
 * 3) Provide examples of how to prevent LDAP injection in Java
 * 4) A practical guide to implementing a security policy for a Java web application
 * 5) Secure configuration guides for popular application servers

Current Tasks

 * Decide on the near term tactical goals
 * Define this roadmap. This is currently being discussed here: http://www.owasp.org/index.php/Talk:OWASP_Java_Project_Roadmap#J2EE_Security_for_Architects

Ideas
Please submit your ideas for the OWASP Java Project here (you can sign your ideas by adding four tilde characters like this ~ )
 * It would be useful to have a library of J2EE security resources on the web. In addition to URLs, I think these should have short summaries that explain what the resource is about.  I've clicked on far too many "J2EE Security" links only to find that the article is about implementing access control in Tomcat.
 * A tool that automatically generates a security policy for a given application could be useful. The tool is first run in learning mode where it maps all the accesses that the application attempts and then generates a policy based on those access attempts.
 * Note: I built such a tool back in the mid-1990's. It's a custom security manager that intercepts all accesses and has a "learn" mode. If someone is willing to take on the project, I'd be happy to dig it up. Jeff Williams 16:18, 8 June 2006 (EDT)
 * I'll be happy to take this on - what status is the code currently in? --Stephendv 09:15, 12 June 2006 (EDT)
 * I think we should consider revamping the roadmap with specific article titles and content that we'd like to get written. For example, I'm considering writing an article on how to set up Eclipse to do a code review. It would be nice to link that in here, but I'm not sure just where.  I was thinking something like this....


 * Using Eclipse for security code review
 * This article will cover setting up Eclipse with plugins like FindBugs, jlint, PMD, and Metrics. Then it will explore how you can use the various search and code browsing functions to find and diagnose potential vulnerabilities. Jeff Williams 15:01, 22 June 2006 (EDT)


 * Sounds like some excellent content! Couldn't this fit in to the Code Analysis Tools  section (even if we have to rename the section to something like "Code Analysis Techniques")?  Since the Eclipse example is something core to the Java project, I think it should be placed under a real heading, but for other miscellaneous content, I've created a Resources section which could include external articles, books and other resources. Stephendv 04:18, 26 June 2006 (EDT)