ESAPI

16
ESAPI

TAGS:

description

null Bangalore Chapter - June 2014 Meet

Transcript of ESAPI

Page 1: ESAPI

ESAPI

Page 2: ESAPI

Jeff Williams, Project Mgr - OWASP ESAPI

Founder and CEO of Aspect Security

25 years experience

Top 10, Webgoat proj

About the author

Page 3: ESAPI

Issues! when security implementation is in developers hand.

Reinventing the wheel

Complexity of Application Security for developers

Simplify application security for developers.

Why ESAPI ?

Page 4: ESAPI

Security API

Exhaustive list of security controls

Web application or web service project

120 methods and interfaces

First J2ee version realised Aug 2010

What is ESAPI ?

Page 5: ESAPI

Footprints

Page 6: ESAPI

J2ee ESAPI Libraries

Page 7: ESAPI

Libraries barrowed !!

Page 8: ESAPI
Page 9: ESAPI

Packages

Page 10: ESAPI

Create a security API that matches YOUR enterprise Create a custom ESAPI for your organization.

It works best when ..

Page 11: ESAPI

Canonicalization feature is handy Encoding module is very mature. Data validation response can be improved by spring validation framework HTTP header and cookie validations are good Client side JavaScript ESAPI is not part of this module. Not sure if Owasp CSRFguard and CSRF module in ESAPI is same or not

My observation..

Page 12: ESAPI

1. Add esapi.jar file to lib 2. Create a custom ESAPI for your organization.

2 Step Setup..

Page 13: ESAPI

Data-validation..

Review.jsp

Review.jsp

Validation.properties

Page 14: ESAPI

Encoding.. Review.jsp

Review.jsp

Page 15: ESAPI

Gap between suggestion and execution

Learning .. ..

Page 16: ESAPI

eND..


ESAPI: A GUIDED TOUR - OWASP

ESAPI: A GUIDED TOUR - OWASP

OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.

OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.

ColdFusion - Transformation over the years · PDF Enhancements. ESAPI encoding. Standalone, high performing PDF engine. API Management platform. Security analyzer. Command line interface.

ColdFusion - Transformation over the years · PDF Enhancements. ESAPI encoding. Standalone, high performing PDF engine. API Management platform. Security analyzer. Command line interface.

Vulnerability Scan and Fix for Mobile Application: LTW …€¦ · Description Description OWASP ESAPI Secure Coding Guidelines (ESAPI SCG) include a set of banned APIs in J2EE framework,

Vulnerability Scan and Fix for Mobile Application: LTW …€¦ · Description Description OWASP ESAPI Secure Coding Guidelines (ESAPI SCG) include a set of banned APIs in J2EE framework,

TCG TSS 2.0 Enhanced System Level API (ESAPI) Specification · This TCG TSS 2.0 ESAPI Specification defines the middle layer of the user-facing TSS 2.0 APIs and adds the following

TCG TSS 2.0 Enhanced System Level API (ESAPI) Specification · This TCG TSS 2.0 ESAPI Specification defines the middle layer of the user-facing TSS 2.0 APIs and adds the following

Understanding ESAPI, OWASP Delhi

Understanding ESAPI, OWASP Delhi

Petteri Arola OWASP Chapter Leader Nixu Oy … · 2017-01-12 · • ESAPI Tietoturva-arkkitehtuuri • AppSec kirjastot • ESAPI referenssitoteutukset Turvallinen ohjelmointi •

Petteri Arola OWASP Chapter Leader Nixu Oy … · 2017-01-12 · • ESAPI Tietoturva-arkkitehtuuri • AppSec kirjastot • ESAPI referenssitoteutukset Turvallinen ohjelmointi •

Design Patterns - OWASP › › Esapi-design-patterns.pdf · This document explores three common OWASP Enterprise Security API (ESAPI) design patterns. It is intended to be language‐independent,

Design Patterns - OWASP › › Esapi-design-patterns.pdf · This document explores three common OWASP Enterprise Security API (ESAPI) design patterns. It is intended to be language‐independent,

Design Patterns - OWASP · PDF filehave the same basic design: ... ESAPI Design Patterns 7 8 ESAPI Design Patterns This page is

Design Patterns - OWASP · PDF filehave the same basic design: ... ESAPI Design Patterns 7 8 ESAPI Design Patterns This page is

THE UNFORTUNATE REALITY OF INSECURE LIBRARIES · Grails Stripes JBoss Seam Log4j Spring Security ESAPI Apache Commons Validator Hibernate Validator Apache Santuario ... The amount

THE UNFORTUNATE REALITY OF INSECURE LIBRARIES · Grails Stripes JBoss Seam Log4j Spring Security ESAPI Apache Commons Validator Hibernate Validator Apache Santuario ... The amount

TCG TSS 2.0 Enhanced System API (ESAPI) Specification T C G · opyright © T G 2017 TSS Enhanced System API (ESAPI) Specification Version 0.90 Revision 03 Version 0.90, Revision 03

TCG TSS 2.0 Enhanced System API (ESAPI) Specification T C G · opyright © T G 2017 TSS Enhanced System API (ESAPI) Specification Version 0.90 Revision 03 Version 0.90, Revision 03

Development Security Framework based on Owasp Esapi for JSF2.0

Development Security Framework based on Owasp Esapi for JSF2.0

ii ESAPI for Java EE Installation Guide - OWASP3.5 Installation Using NetBeans Step 1 Add the ESAPI Jar to the classpath: right-click the project, choose Properties, then under Categories

ii ESAPI for Java EE Installation Guide - OWASP3.5 Installation Using NetBeans Step 1 Add the ESAPI Jar to the classpath: right-click the project, choose Properties, then under Categories

Development of Security Framework based on OWASP ESAPI for ... · ESAPI •Enterprise Security API –OWASP Project –Support for : Java, Dot NET, Classic ASP, PHP, ColdFusion, Python,

Development of Security Framework based on OWASP ESAPI for ... · ESAPI •Enterprise Security API –OWASP Project –Support for : Java, Dot NET, Classic ASP, PHP, ColdFusion, Python,

Advanced Web Technology 11) Web Security : ESAPI · Advanced Web Technology 11) Web Security : ESAPI Problems and Solutions: Handling Authentication and Identity 9. The Authenticator

Advanced Web Technology 11) Web Security : ESAPI · Advanced Web Technology 11) Web Security : ESAPI Problems and Solutions: Handling Authentication and Identity 9. The Authenticator

Design Patterns - OWASP · 2 The Built-In Singleton Pattern . The ESAPI security control interfaces include an “ESAPI” class that is commonly referred to as a “locator” class.

Design Patterns - OWASP · 2 The Built-In Singleton Pattern . The ESAPI security control interfaces include an “ESAPI” class that is commonly referred to as a “locator” class.

Enterprise Security API (ESAPI) Java€¦ · 03.06.2010  · common encryption, random number, and hashing operations. encrypted = ESAPI.encryptor().encrypt( decrypted ); ... Logger

Enterprise Security API (ESAPI) Java€¦ · 03.06.2010  · common encryption, random number, and hashing operations. encrypted = ESAPI.encryptor().encrypt( decrypted ); ... Logger

Analyzing (Java) Source Code for Cryptographic Weaknesses · Analyzing (Java) Source Code for Cryptographic Weaknesses ... OWASP ESAPI for Java Project co-leader Cryptography ...

Analyzing (Java) Source Code for Cryptographic Weaknesses · Analyzing (Java) Source Code for Cryptographic Weaknesses ... OWASP ESAPI for Java Project co-leader Cryptography ...

OWASP ESAPI WAF AppSec DC 2009

OWASP ESAPI WAF AppSec DC 2009

OWASP Foundation Inc.€¦ · be used to guard against security-related design and implementation flaws. ... Your Coding Guideline Tailor the ESAPI coding guidelines Retrofit ESAPI

OWASP Foundation Inc.€¦ · be used to guard against security-related design and implementation flaws. ... Your Coding Guideline Tailor the ESAPI coding guidelines Retrofit ESAPI