Difference between revisions of "Category:OWASP Java Project"

From OWASP
Jump to: navigation, search
m (Reverted edits by Muthashok (Talk); changed back to last version by Jeff Williams)
(Java Security Overview)
Line 13: Line 13:
 
While Java and J2EE contain many security technologies, it is not easy to produce an application without security vulnerabilities. Most application security [[:Category:Vulnerability|vulnerabilities]] apply to Java applications just like other environments. The notable exception is [[Buffer overflow|buffer overflow]] and related issues that do not apply to Java applications.
 
While Java and J2EE contain many security technologies, it is not easy to produce an application without security vulnerabilities. Most application security [[:Category:Vulnerability|vulnerabilities]] apply to Java applications just like other environments. The notable exception is [[Buffer overflow|buffer overflow]] and related issues that do not apply to Java applications.
  
The following areas provide an overview of the most common challenges for Java programmers, and links to articles that provide more information:
+
The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure Java applications. We cover the following topics
  
===Securing the Java Environment===
+
; Securing the Java Environment
Verifier and Sandbox
+
: Understanding the security of the Java platform is a critical first step to understanding the security of your application. The articles cover the bytecode verifier and Java security manager (aka Sandbox), JRE vs. JDK, precompiling JSP's, decompiling, reverse engineering, etc...
JRE vs. JDK (precompile JSPs)
+
  
 +
; Securing Java Application Code
 +
: This section covers dangerous Java calls and common vulnerabilities associated with them, such as Runtime.exec(), Statement.execute(), readline(), etc... The dangers of native code, dynamic code, and reflection will be discussed. We'll also talk about using tools like PMD, jlint, FindBugs, Eclipse, jad, and more. This section will also cover standard security mechanisms in the JDK, such as cryptography, logging, encryption, error handling.
  
===Securing Java Application Code===
+
; Securing the J2EE Environment
Common vulnerabilities like...Runtime.exec, Statement, readline()
+
: These articles cover topics specifically related to the J2EE environment. We discuss minimizing the attack surface in web.xml, configuring error handlers, using EJBs, configuring authentication and access control in the environment, and implementing custom validators and isAuthorized() methods.
Dangers of native code, dynamic code, and reflection
+
Tools like PMD and FindBugs
+
Security mechanisms like cryptography, logging, encryption, error handling
+
  
===Securing the J2EE Environment===
+
; Securing J2EE Application Code
Minimize attack surface in web.xml
+
: Finally, you have to secure your J2EE code, such as servlets, JSPs, controllers, business logic, and persistence layers. We'll discuss handling request parameters, encoding, injection, and more. We'll also discuss the use of security mechanisms such as log4j, BouncyCastle, XML encryption, XML signature, and other technologies.
Configure error handlers
+
 
+
===Securing J2EE Application Code===
+
Vulnerabilities like...
+
Using J2EE filters for protection
+
Mechanisms like input validation, encoding
+
Common vulnerabilities like...
+
  
 
[[Category:Platform]]
 
[[Category:Platform]]
 
[[Category:OWASP Project]]
 
[[Category:OWASP Project]]

Revision as of 13:47, 22 June 2006

About

The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently. See the OWASP Java Project Roadmap for more information on our plans.

Joining the Project

Stephen de Vries and Rohyt Belani lead the project. We're currently building out the OWASP Java Project Roadmap. Please submit your ideas for where we should spend our efforts there.

We're in the process of creating the email list for the OWASP project. Stay tuned for more details.

Java Security Overview

While Java and J2EE contain many security technologies, it is not easy to produce an application without security vulnerabilities. Most application security vulnerabilities apply to Java applications just like other environments. The notable exception is buffer overflow and related issues that do not apply to Java applications.

The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure Java applications. We cover the following topics

Securing the Java Environment
Understanding the security of the Java platform is a critical first step to understanding the security of your application. The articles cover the bytecode verifier and Java security manager (aka Sandbox), JRE vs. JDK, precompiling JSP's, decompiling, reverse engineering, etc...
Securing Java Application Code
This section covers dangerous Java calls and common vulnerabilities associated with them, such as Runtime.exec(), Statement.execute(), readline(), etc... The dangers of native code, dynamic code, and reflection will be discussed. We'll also talk about using tools like PMD, jlint, FindBugs, Eclipse, jad, and more. This section will also cover standard security mechanisms in the JDK, such as cryptography, logging, encryption, error handling.
Securing the J2EE Environment
These articles cover topics specifically related to the J2EE environment. We discuss minimizing the attack surface in web.xml, configuring error handlers, using EJBs, configuring authentication and access control in the environment, and implementing custom validators and isAuthorized() methods.
Securing J2EE Application Code
Finally, you have to secure your J2EE code, such as servlets, JSPs, controllers, business logic, and persistence layers. We'll discuss handling request parameters, encoding, injection, and more. We'll also discuss the use of security mechanisms such as log4j, BouncyCastle, XML encryption, XML signature, and other technologies.

Subcategories

This category has the following 2 subcategories, out of 2 total.

J

  • Java(3 C, 49 P)

O

Media in category "OWASP Java Project"

This category contains only the following file.