This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Scala Frameworks"

From OWASP
Jump to: navigation, search
m
Line 25: Line 25:
 
| [http://spray.io/ Spray] || ✓ || ✓ || - || - || -
 
| [http://spray.io/ Spray] || ✓ || ✓ || - || - || -
 
|}
 
|}
 +
 +
== Sensitive information in Configuration Files==
 +
Every Scala project will contain configuration files that contain sensitive information such as:
 +
* Passwords in clear text
 +
* Path to Keystores
 +
* Passwords from Keystores
 +
 +
Programers should avoid configuring clear text passwords  in Application.conf files, for that purpose, encryption is necessary
 +
 +
===Encrypt Keystore Password ===
 +
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required.
 +
The Playframework provides some examples of implementing this
 +
https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore
 +
==Vulnerable Framework Components==
 +
It os essential that developers implement regular dependency checks of their components, since must Scala projects will make use of the above mentioned frameworks
 
   
 
   
 
Reference  
 
Reference  
 
https://www.47deg.com/blog/security-frameworks-for-scala/
 
https://www.47deg.com/blog/security-frameworks-for-scala/

Revision as of 00:00, 7 November 2017

Scala language , just as JAVA , offers different types of Security Frameworks you can work with. Depending on the task, here we offer some general guidelines regarding the proper use of them The following table contains the most popular ones and their security in terms of modules and implementation

Security Frameworks

Framework Authentication Authorization CSRF XSS SQLInjection
Play - - -
Deadbolt 2 - - -
Play-pac4j - - - -
Scala-oauth2-provider - - - -
SecureSocial - - - -
Silhouette - Play Framework Library - - - -
Lift
Akka (Akka-http) - - -
Spray - - -

Sensitive information in Configuration Files

Every Scala project will contain configuration files that contain sensitive information such as:

  • Passwords in clear text
  • Path to Keystores
  • Passwords from Keystores

Programers should avoid configuring clear text passwords in Application.conf files, for that purpose, encryption is necessary

Encrypt Keystore Password

At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required. The Playframework provides some examples of implementing this https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore

Vulnerable Framework Components

It os essential that developers implement regular dependency checks of their components, since must Scala projects will make use of the above mentioned frameworks

Reference https://www.47deg.com/blog/security-frameworks-for-scala/