Defense against the Dark Arts: ESAPI

Jump to: navigation, search

It has been said that software engineering is 10% engineering and 90% art. Given the same set of technical specifications, two engineers will have drastically different methods of addressing those specifications. This is the beauty of innovation and forward thinking, and while it is this type of creative problem solving that has kept the technical industry lurching forward in large strides – it is also the boon of application security. Enter the Enterprise Security API – a central repository for engineers to solve security concerns in application code. I have said many times that it should not be the responsibility of the engineers cranking out code every day to design security controls. It is difficult to remain on the bleeding edge of Application Security and Software Engineering at the same time and even more difficult to bring these two disciplines together into a cohesive, reusable component that addresses the threats specific to an organization.

This course will illustrate the importance of having an Enterprise Security API and how to effectively design, build and deploy a solution that addresses the Threat Model of the single application or enterprise application portfolio.

Topics Include (but are not necessarily limited to)

  • ESAPI Architecture
  • Security Controls Overview
  • OWASP Reference Implementations
  • Designing Custom Controls
  • Integrating with existing Applications
  • Starting Fresh
  • Enterprise Security Configuration
  • Error Handling, Logging and Intrusion Detection/Prevention
  • Authentication and Authorization
  • Validation and Encoding