Post on 06-May-2015
description
ESAPI
Jeff Williams, Project Mgr - OWASP ESAPI
Founder and CEO of Aspect Security
25 years experience
Top 10, Webgoat proj
About the author
Issues! when security implementation is in developers hand.
Reinventing the wheel
Complexity of Application Security for developers
Simplify application security for developers.
Why ESAPI ?
Security API
Exhaustive list of security controls
Web application or web service project
120 methods and interfaces
First J2ee version realised Aug 2010
What is ESAPI ?
Footprints
J2ee ESAPI Libraries
Libraries barrowed !!
Packages
Create a security API that matches YOUR enterprise Create a custom ESAPI for your organization.
It works best when ..
Canonicalization feature is handy Encoding module is very mature. Data validation response can be improved by spring validation framework HTTP header and cookie validations are good Client side JavaScript ESAPI is not part of this module. Not sure if Owasp CSRFguard and CSRF module in ESAPI is same or not
My observation..
1. Add esapi.jar file to lib 2. Create a custom ESAPI for your organization.
2 Step Setup..
Data-validation..
Review.jsp
Review.jsp
Validation.properties
Encoding.. Review.jsp
Review.jsp
Gap between suggestion and execution
Learning .. ..
eND..