Difference between revisions of "Talk:OWASP Java Project Roadmap"

From OWASP
Jump to: navigation, search
m (J2EE Security for Architects)
m (J2EE Security for Developers)
Line 38: Line 38:
  
 
==J2EE Security for Developers==
 
==J2EE Security for Developers==
 
+
<table border=1 cellpadding=5>
===Java Security Basics===  
+
 
 +
  <tr><td><b>Deadline for first draft:</b></td><td></td></tr>
 +
  <tr><td><b>Deadline for first review:</b></td><td></td></tr>
 +
  <tr><td><b>Deadline for final draft:</b></td><td></td></tr>
 +
  <tr><td><b>Deadline for final review:</b></td><td></td></tr>
 +
</table>
 +
===Java Security Basics===
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Provide an introduction into the basic security services provided by the Java language and environment.  Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* Class Loading
 
* Class Loading
 
* Bytecode verifier
 
* Bytecode verifier
 
* The Security Manager and security.policy file
 
* The Security Manager and security.policy file
I suggest we do something short here for web developers, and wait on client side apps for now [[User:Jeff Williams|Jeff Williams]] 09:04, 12 June 2006 (EDT)
 
 
I agree --[[User:Stephendv|Stephendv]] 09:48, 12 June 2006 (EDT)
 
 
I agree - the initial focus should be on web apps. We can address security issues pertinent to thick-client apps in the next phase - Rohyt
 
  
 
===Input Validation===
 
===Input Validation===
Line 53: Line 59:
  
 
==== SQL Injection====
 
==== SQL Injection====
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Provide cursory background information on SQL injection and refer to the Guide for more indepth coverage (no need to duplicate info in the Guide).  This section should provide practical advise and real-world code examples for developers. If you feel that a popular persistence framework is not covered, please add it!</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* Overview
 
* Overview
 
* Prevention
 
* Prevention
Line 64: Line 75:
 
** JDO?  
 
** JDO?  
  
====XSS====
+
====Cross Site Scripting (XSS)====
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Provide cursory background information on XSS and refer to the Guide for more indepth coverage.  This section should provide practical advise and real-world code examples for developers.  If you would like to see coverage of a web framework that's not listed, please add it!</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* Overview
 
* Overview
 
* Prevention
 
* Prevention
Line 74: Line 90:
 
*** Spring MVC
 
*** Spring MVC
 
*** Java Server Faces
 
*** Java Server Faces
*** WebWork?
+
*** WebWork
*** Wicket?
+
*** Wicket
*** Tapestry?
+
*** Tapestry  
 
* CSRF attack
 
* CSRF attack
  
 
==== LDAP Injection ====
 
==== LDAP Injection ====
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing LDAP injection.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* Overview
 
* Overview
 
* Prevention
 
* Prevention
  
 
==== XPATH Injection ====
 
==== XPATH Injection ====
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* Overview
 
* Overview
 
* Prevention
 
* Prevention
  
 
==== Miscellaneous Injection Attacks ====
 
==== Miscellaneous Injection Attacks ====
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Should contain practical real-world advise and code examples.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* HTTP Response splitting
 
* HTTP Response splitting
 
* Command injection - Runtime.getRuntime().exec()
 
* Command injection - Runtime.getRuntime().exec()
  
 
=== Authentication===
 
=== Authentication===
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Discuss authentication for Java and J2EE apps under the suggested headings below.  Examples for container managed authentication of specific application servers are also welcome.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* Storing credentials
 
* Storing credentials
 
* Hashing
 
* Hashing
 
* SSL Best Practices
 
* SSL Best Practices
* CAPTCHA systems (jcaptcha?)
+
* CAPTCHA systems (such as jcaptcha)
 
* Container-managed authentication with Realms
 
* Container-managed authentication with Realms
 
* JAAS Authentication
 
* JAAS Authentication
Line 101: Line 137:
  
 
===Session Management===
 
===Session Management===
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>The generic problems and solutions for session management are covered in the Guide.  This section should focus on Java specific examples.  </td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* Logout
 
* Logout
 
* Session Timeout
 
* Session Timeout
Line 109: Line 150:
 
   
 
   
 
===Authorization===
 
===Authorization===
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* In presentation layer
 
* In presentation layer
 
* In business logic
 
* In business logic
Line 117: Line 163:
 
* JAAS
 
* JAAS
 
* EJB Authorization
 
* EJB Authorization
* Acegi?
+
* Acegi
 
* JACC
 
* JACC
 
* Check horizontal privilege
 
* Check horizontal privilege
  
 
=== Encryption===
 
=== Encryption===
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* JCE
 
* JCE
 
* Storing db secrets
 
* Storing db secrets
Line 129: Line 180:
  
 
=== Error Handling & Logging===
 
=== Error Handling & Logging===
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* Output Validation
 
* Output Validation
 
* Custom Errors
 
* Custom Errors
Line 140: Line 196:
 
** Servlet spec - web.xml
 
** Servlet spec - web.xml
 
** JSP errorPage
 
** JSP errorPage
 
+
* Web application forensics and how it differs from conventional forensics. This will emphasize the importance of appropriate exception handling and logging  - Rohyt
- Web application forensics and how it differs from conventional forensics. This will emphasize the importance of appropriate exception handling and logging  - Rohyt
+
  
 
=== Web Services Security ===
 
=== Web Services Security ===
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>Discuss securely implementing Web Services using Java technologies.  Examples using specific frameworks are welcome.  The topic list is a bit light at the moment, please add more topics if they're relevant.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 
* SAML
 
* SAML
 
* WS-Security
 
* WS-Security
Line 149: Line 209:
  
 
=== Code Analysis Tools ===
 
=== Code Analysis Tools ===
 +
<table border=1 cellpadding=5>
 +
  <tr><td valign="top"><b>Objective:</b></td><td>The introduction should cover the advantages and short comings of code analysis tools.  An overview of the current state of the art and the available tools would go well here.  As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Contributing to the OWASP Java project]] guidelines, these submissions will be gladly received.</td></tr>
 +
  <tr><td valign="top"><b>Contributors:</b></td><td></td></tr>
 +
  <tr><td><b>Reviewers:</b></td><td></td></tr>
 +
</table>
 +
* Introduction
 
* FindBugs
 
* FindBugs
 
** Creating custom rules
 
** Creating custom rules

Revision as of 03:57, 19 June 2006

Contents

J2EE Security for Architects

Reviewers:Stephen de Vries
Deadline for first draft:19/08/2006
Deadline for first review:26/08/2006
Deadline for final draft:11/09/2006
Deadline for final review:20/09/2006

Design considerations

Objective:Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost. Any other security concerns that should be addressed during the design phase should also be mentioned here.
Contributors:
  • Architectural considerations
    • EJB Middle tier
    • Web Services Middle tier
    • Spring Middle tier

Noteworthy Frameworks

Objective:Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.
Contributors:
  • Acegi
  • Commons validator
  • jGuard
  • Stinger seems to be parked for a while now, is this correct Jeff?
    • Stinger is
    • CVS HEAD is in a functional state; needs work on docs and new features Roman 00:15, 13 June 2006 (EDT)

Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section. --Stephendv 08:04, 12 June 2006 (EDT)


I think Struts should be covered too - Rohyt

Struts is important as a web framework, but there are many frameworks that provide the same functionality from a security point of view. I think it makes sense to discuss struts as a web framework in section on XSS below with the other popular web frameworks rather than give it a special place in this section which only covers security specific frameworks. --Stephendv 07:22, 18 June 2006 (EDT)

J2EE Security for Developers

Deadline for first draft:
Deadline for first review:
Deadline for final draft:
Deadline for final review:

Java Security Basics

Objective:Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.
Contributors:
Reviewers:
  • Class Loading
  • Bytecode verifier
  • The Security Manager and security.policy file

Input Validation

  • Overview

SQL Injection

Objective:Provide cursory background information on SQL injection and refer to the Guide for more indepth coverage (no need to duplicate info in the Guide). This section should provide practical advise and real-world code examples for developers. If you feel that a popular persistence framework is not covered, please add it!
Contributors:
Reviewers:
  • Overview
  • Prevention
    • White Listing
    • Prepared Statements
    • Stored Procedures
    • Hibernate
    • Ibatis
    • Spring JDBC
    • EJB 3.0?
    • JDO?

Cross Site Scripting (XSS)

Objective:Provide cursory background information on XSS and refer to the Guide for more indepth coverage. This section should provide practical advise and real-world code examples for developers. If you would like to see coverage of a web framework that's not listed, please add it!
Contributors:
Reviewers:
  • Overview
  • Prevention
    • White Listing
    • Manual HTML Encoding
    • Preventing XSS in popular Web Frameworks
      • JSP/JSTL
      • Struts
      • Spring MVC
      • Java Server Faces
      • WebWork
      • Wicket
      • Tapestry
  • CSRF attack

LDAP Injection

Objective:As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing LDAP injection.
Contributors:
Reviewers:
  • Overview
  • Prevention

XPATH Injection

Objective:As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.
Contributors:
Reviewers:
  • Overview
  • Prevention

Miscellaneous Injection Attacks

Objective:Should contain practical real-world advise and code examples.
Contributors:
Reviewers:
  • HTTP Response splitting
  • Command injection - Runtime.getRuntime().exec()

Authentication

Objective:Discuss authentication for Java and J2EE apps under the suggested headings below. Examples for container managed authentication of specific application servers are also welcome.
Contributors:
Reviewers:
  • Storing credentials
  • Hashing
  • SSL Best Practices
  • CAPTCHA systems (such as jcaptcha)
  • Container-managed authentication with Realms
  • JAAS Authentication
  • Password length & complexity

Session Management

Objective:The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples.
Contributors:
Reviewers:
  • Logout
  • Session Timeout
  • Absolute Timeout
  • Session Fixation
  • Terminating sessions
    • Terminating sessions when the browser window is closed

Authorization

Objective:Java and J2EE specific discussion and examples.
Contributors:
Reviewers:
  • In presentation layer
  • In business logic
  • In data layer
  • Declarative v/s Programmatic
  • web.xml configuration
  • Forced browsing
  • JAAS
  • EJB Authorization
  • Acegi
  • JACC
  • Check horizontal privilege

Encryption

Objective:Java and J2EE specific discussion and examples.
Contributors:
Reviewers:
  • JCE
  • Storing db secrets
  • Encrypting JDBC connections
  • JSSE
  • Random number generation

Error Handling & Logging

Objective:Java and J2EE specific discussion and examples.
Contributors:
Reviewers:
  • Output Validation
  • Custom Errors
  • Logging - why log? what to log? log4j, etc.
  • Exception handling techniques
    • fail-open/fail-closed
    • resource cleanup
    • finally block
    • swallowing exceptions
  • Exception handling frameworks
    • Servlet spec - web.xml
    • JSP errorPage
  • Web application forensics and how it differs from conventional forensics. This will emphasize the importance of appropriate exception handling and logging - Rohyt

Web Services Security

Objective:Discuss securely implementing Web Services using Java technologies. Examples using specific frameworks are welcome. The topic list is a bit light at the moment, please add more topics if they're relevant.
Contributors:
Reviewers:
  • SAML
  • WS-Security
  • ...?

Code Analysis Tools

Objective:The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the Contributing to the OWASP Java project guidelines, these submissions will be gladly received.
Contributors:
Reviewers:
  • Introduction
  • FindBugs
    • Creating custom rules
  • PMD
    • Creating custom rules
  • JLint
  • Jmetrics

J2EE Security For Deployers

Securing Popular J2EE Servers

  • Securing Tomcat
  • Securing JBoss
  • Securing WebLogic
  • Securing WebSphere
  • Securing x...

Would be nice to include an example secure by default configuration file for each server that has additional comments in it which expands on the security repurcussions of the various sections.

Defining a Java Security Policy

  • Jeff's tool? --Stephendv 08:37, 12 June 2006 (EDT)
  • jChains (www.jchains.org)

Protecting Binaries

- Discuss Bytecode Manipulation Tools and Techniques - Rohyt

  • Bytecode obfuscation
  • Convert bytecode to native machine code
  • jarsigner