A great deal of work has gone into aggregating statistics and information about security vulnerabilities in internet-facing enterprise applications, and a great deal more into software libraries and secure coding guidelines that mitigate them. OWASP has created ESAPI (the Enterprise Security API), a library meant to act as a provider of security services to enterprise applications. There is plenty of documentation on what ESAPI is, but little on how to actually apply it to mitigate a specific set of vulnerabilities in an application. This presentation aims to show how to use ESAPI to solve real-world security problems in a clear and interactive way.
Using ESAPI for Java, I will demonstrate vulnerabilities in simple web applications, describe each problem and its solution, and then fix the vulnerabilities. I will also discuss the importance of tailoring ESAPI to the business needs of the application.
The presentation will use OWASP ESAPI configured with the reference implementations for Encoding/Decoding, Encryption, Logging, WAF, and Validation. For Authentication and Access Control, a custom implementation will be used to show how easily business-specific implementations plug into the ESAPI framework.
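As an added illustration of the kind of fix the talk describes (this is not code from the presentation or from the ESAPI project), the servlet below shows an untrusted request parameter reflected straight into HTML next to the same flow hardened with the ESAPI reference Validator and Encoder. The servlet name, the "greeting name" context label and the 50-character limit are assumptions for the example; "SafeString" refers to the Validator.SafeString pattern shipped in the stock ESAPI.properties, which must be on the classpath for ESAPI to initialise.

```java
// Added example, not from the talk or the ESAPI project.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.codecs.MySQLCodec;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GreetingServlet extends HttpServlet {   // hypothetical servlet

    // Vulnerable: the request parameter is concatenated into HTML unchanged,
    // so a value such as <script>...</script> is executed in the victim's browser.
    String greetUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Fixed: reject input that does not match the Validator.SafeString pattern
    // from ESAPI.properties, then encode for the HTML element context the value
    // is placed in. Validation and encoding are both needed: validation limits
    // what reaches the page, encoding neutralises whatever is left.
    String greetSafe(String name) throws ValidationException, IntrusionException {
        Validator validator = ESAPI.validator();
        // "greeting name" is only a label used in log messages; 50 is an assumed maximum length.
        String validName = validator.getValidInput("greeting name", name, "SafeString", 50, false);
        Encoder encoder = ESAPI.encoder();
        return "<p>Hello, " + encoder.encodeForHTML(validName) + "</p>";
    }

    // The same idea for a SQL context: when a query really must be assembled from
    // strings, escape with the codec for the target database. A PreparedStatement
    // with bound parameters remains the preferred fix; this shows the ESAPI fallback.
    String lookupQuerySafe(String name) {
        Encoder encoder = ESAPI.encoder();
        String escaped = encoder.encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD), name);
        return "SELECT id FROM users WHERE name = '" + escaped + "'";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        try {
            out.println(greetSafe(name));
        } catch (ValidationException | IntrusionException e) {
            // The failure has been reported through the ESAPI logger; refuse the
            // request instead of falling back to the unsafe path.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid name");
        }
    }
}
```

Which implementation backs each `ESAPI.xxx()` call is chosen in ESAPI.properties: the keys `ESAPI.Encoder`, `ESAPI.Validator`, `ESAPI.Encryptor` and `ESAPI.Logger` keep the reference classes here, while `ESAPI.Authenticator` and `ESAPI.AccessControl` can be pointed at classes implementing `org.owasp.esapi.Authenticator` and `org.owasp.esapi.AccessController`, which is how a business-specific authentication or access-control implementation is plugged in without changing the calling code above.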
Speaker bio will be posted shortly.