ESAPI Pictures For Javadoc.


1 ESAPI Pictures For Javadoc

2 Architecture Overview
Diagram: a custom enterprise web application is built on top of the Enterprise Security API, which in turn wraps the existing enterprise security services and libraries. ESAPI components shown: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.

3 OWASP Top Ten Coverage
Table: OWASP Top Ten risk -> OWASP ESAPI component
A1. Cross Site Scripting (XSS)            -> Validator, Encoder
A2. Injection Flaws                        -> Encoder
A3. Malicious File Execution               -> HTTPUtilities (upload)
A4. Insecure Direct Object Reference       -> AccessReferenceMap
A5. Cross Site Request Forgery (CSRF)      -> User (csrftoken)
A6. Leakage and Improper Error Handling    -> EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions     -> Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage         -> Encryptor
A9. Insecure Communications                -> HTTPUtilities (secure cookie, channel)
A10. Failure to Restrict URL Access        -> AccessController

4 Enforcing Access Control
Diagram: the user's request passes through the Presentation Layer, Controller, Business Functions, Data Layer and Backend. AccessController checks shown along that path: isAuthorizedForURL(), isAuthorizedForFunction() (at the controller and again at the business functions), isAuthorizedForData(), isAuthorizedForService(), isAuthorizedForFile(). Decisions are made against the user's Roles.

5 Handling Authentication and Identity
Diagram: same layered application (Presentation Layer, Controller, Business Functions, Data Layer, Backend). ESAPI services shown alongside it: Authentication, Access Control, Logging, Intrusion Detection, backed by the Users store.

6 Handling Direct Object References
Diagram: same layered application. The Access Reference Map sits between the presentation layer and the data layer: getIndirectReference() turns a direct reference (the examples shown are the file Report123.xls and an account number, "Acct:") into an opaque reference for the client, and getDirectReference() maps it back on the way in.

7 Decoding/Encoding Untrusted Data
Diagram: same layered application. Codecs: HTML Entity Codec, Percent Codec, JavaScript Codec, VBScript Codec, CSS Codec. Incoming data passes through the Decoding Engine and then the Validation Engine. Outgoing data passes through an Encoding Engine for each destination.
Encode for the presentation layer: encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForCSS(), encodeForURL().
Encode for the backend: encodeForSQL(), encodeForLDAP(), encodeForXML(), encodeForXPath(), encodeForOS().

8 Validating Untrusted Input/Output
Diagram: same layered application, with a Validation Engine at the presentation layer and another at the backend.
Validate (input): getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine().
Validate (output): getValidDate(), getValidCreditCard(), getValidInput(), getValidNumber().
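The following is an added example, not one of the slides and not code from the ESAPI project. It walks a single request through the three components pictured in slides 6 to 8: the Validator checks the untrusted parameter, the AccessReferenceMap resolves the indirect reference back to the real report name (the Report123.xls case from slide 6), and the Encoder prepares output for each context. It assumes ESAPI 2.x on the classpath with a standard ESAPI.properties (which defines the "SafeString" validation pattern); the report names and the "ref" parameter are constructed sample values.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

import java.util.HashSet;
import java.util.Set;

// Added example (not from the slides or the ESAPI code base). Assumes ESAPI 2.x
// with a standard ESAPI.properties on the classpath.
public class ReportLookup {

    // One map per session. Only the reports this user may see are ever added,
    // so an indirect reference arriving from the client can only resolve to
    // one of them; anything else fails in getDirectReference().
    private final AccessReferenceMap<String> refMap;

    public ReportLookup(Set<Object> reportsVisibleToUser) {
        this.refMap = new RandomAccessReferenceMap(reportsVisibleToUser);
    }

    // Used when rendering a link: the client sees a random token, never the file name.
    public String linkFor(String reportName) throws EncodingException {
        String indirect = refMap.getIndirectReference(reportName);
        // The token is placed in a URL, so it is encoded for the URL context.
        return "/report?ref=" + ESAPI.encoder().encodeForURL(indirect);
    }

    // Called with the raw "ref" request parameter. Returns HTML-safe text naming
    // the report, or throws so the caller can reject the request.
    public String resolve(String untrustedRef) throws ValidationException, AccessControlException {
        // 1. Validation Engine: accept only a short string matching Validator.SafeString;
        //    anything else raises ValidationException (and counts toward intrusion quotas).
        String ref = ESAPI.validator().getValidInput(
                "report reference", untrustedRef, "SafeString", 16, false);

        // 2. Access Reference Map: a token that was not issued to this user throws
        //    AccessControlException instead of resolving to another user's file.
        String reportName = refMap.getDirectReference(ref);

        // 3. Encoding Engine: the name is written into an HTML body, so encode for HTML.
        return "Downloading " + ESAPI.encoder().encodeForHTML(reportName);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: the two reports this session's user owns.
        Set<Object> mine = new HashSet<>();
        mine.add("Report123.xls");
        mine.add("Report456.xls");
        ReportLookup lookup = new ReportLookup(mine);

        String link = lookup.linkFor("Report123.xls");
        System.out.println(link);                       // e.g. /report?ref=<random token>
        String token = link.substring(link.indexOf('=') + 1);
        System.out.println(lookup.resolve(token));      // Downloading Report123.xls

        try {
            // A direct name submitted in place of a token was never issued, so the
            // map refuses it even though it passes the syntactic validation step.
            lookup.resolve("Report789.xls");
        } catch (ValidationException | AccessControlException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The order of the three calls is the point: validation rejects malformed input before it reaches the map, the map enforces that the reference belongs to this user, and encoding is applied last, for the specific context the value is written into.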

9 Enhancing HTTP
Diagram: same layered application, with HTTP Utilities on the way in and on the way out.
Input Utilities: assertSecureRequest(), getCSRFToken(), getSafeFileUploads(), safeSendForward(), verifyCSRFToken().
Output Utilities: addCSRFToken(), changeSessionIdentifier(), safeSetContentType(), setNoCacheHeaders(), setRememberToken(), verifyCSRFToken().

10 Security Logging
Diagram: same layered application. ESAPI Logging levels available from every layer: fatal(), error(), warning(), info(), debug(), trace(). Component: Logger.

11 Detecting Intrusions
Diagram: same layered application. ESAPI Authentication and Logging feed the Intrusion Detection component, which applies tailorable quotas per user. When a quota is exceeded, the intrusion event is logged and the configured response is taken: logout user, lock account.

12 Basic Cryptography
Diagram: same layered application. Crypto operations provided by the Encryptor: encrypt() / decrypt(), hash(), seal() / unseal(), sign(), verifySeal(), verifySignature().

13 Encrypted Properties
Diagram: same layered application. new EncryptedProperties() loads an Encrypted Properties File; values are read and written with set() / get(), and the Encryptor handles the encryption.

14 Safe OS Command Execution
Diagram: same layered application. Commands are run through executeSystemCommand().
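The following is an added example, not one of the slides and not code from the ESAPI project. It shows the seal() / unseal() pair from slide 12 used to protect a value that round-trips through the client, such as a hidden form field: a seal is integrity-protected and carries an expiry, so the server can hand state to the browser and still detect both tampering and use after the deadline. It assumes ESAPI 2.x with a master key configured in ESAPI.properties, and that the reference JavaEncryptor treats the expiry as an absolute epoch time in milliseconds (compared against System.currentTimeMillis()); the state string is a constructed sample.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntegrityException;

// Added example (not from the slides or the ESAPI code base). Assumes ESAPI 2.x
// with a master key in ESAPI.properties and the reference JavaEncryptor's
// millisecond expiry semantics.
public class SealedFormState {

    private static final long FIVE_MINUTES_MS = 5 * 60 * 1000L;

    // Build the value to embed in the form: the state plus an absolute expiry.
    public static String issue(String state) throws IntegrityException {
        long expiresAt = System.currentTimeMillis() + FIVE_MINUTES_MS;
        return ESAPI.encryptor().seal(state, expiresAt);
    }

    // Recover the state from the submitted field. Returns null when the seal is
    // missing, malformed, altered, or expired; the caller treats null as "start over"
    // rather than trusting anything inside the value.
    public static String accept(String submitted) {
        if (submitted == null || !ESAPI.encryptor().verifySeal(submitted)) {
            return null;
        }
        try {
            return ESAPI.encryptor().unseal(submitted);
        } catch (EncryptionException e) {
            // Covers the expired-timestamp case as well as decryption failures.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String sealed = issue("wizardStep=3;user=alice");   // constructed sample state
        System.out.println(accept(sealed));                   // wizardStep=3;user=alice

        // Alter one character of the sealed value: the integrity check fails and
        // accept() returns null instead of a partially decrypted string.
        char[] chars = sealed.toCharArray();
        int mid = chars.length / 2;
        chars[mid] = (chars[mid] == 'A') ? 'B' : 'A';
        System.out.println(accept(new String(chars)));        // null
    }
}
```

Because the expiry is inside the seal, it is protected by the same integrity check as the data, so a client cannot extend the deadline by editing the field.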
