Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP ESAPI SwingSet An introduction by Fabio Cerullo.

Published byJesse Knight Modified over 9 years ago

Similar presentations

Presentation on theme: "OWASP ESAPI SwingSet An introduction by Fabio Cerullo."— Presentation transcript:

1 OWASP ESAPI SwingSet An introduction by Fabio Cerullo

2 About me Information Security Specialist at AIB OWASP Global Education Committee OWASP Ireland Chapter Leader

3 Agenda Introduction to OWASP ESAPI Security Areas Covered by ESAPI Mapping ESAPI > ASVS > Swingset SwingSet Demo Q&A

4 Introduction to ESAPI What is the main problem with majority security controls/frameworks?

5 Introduction to ESAPI NOT Intuitive, Integrated nor Dev Friendly.

6 Introduction to ESAPI RISK is a path from Threat Agent to Business Impact

7 Introduction to ESAPI Every vulnerability originates from: Missing Control ➡ Lack of input validation ➡ Failure to perform access control Broken Control ➡ Improper Session Handling ➡ Fail Open Ignored Control ➡ Failure to implement encryption ➡ Forgot to use output encoding } ESAPI helps you here

8 Introduction to ESAPI OWASP ESAPI (Enterprise Security API) aims to provide developers with all the security controls they need: Standarized Centralized Organized Integrated High Quality Intuitive Tested

9 What is ESAPI? OWASP Enterprise Security API Toolkits helps software developers guard against security-related design and implementation flaws. Collection of classes that encapsulate the key security operations most applications need. There are Java EE,.Net, Javascript, Classic ASP ColdFusion/CFML, PHP and Python language versions. The ESAPI for JAVA EE version includes a Web Application Firewall (WAF) that can be used to give development teams breathing room while making fixes. All language versions of ESAPI Toolkits are licensed under the BSD license. You can use or modify ESAPI however you want, even include it in commercial products.

10 How does ESAPI work? Just extract ESAPI distribution package to an appropriate location. The ESAPI security control interfaces include an “ESAPI” class that is commonly referred to as a “locator” class. The ESAPI locator class is called in order to retrieve instances of individual security controls, which are then called in order to perform security checks.

11 Security Areas Covered by ESAPI There are 120+ methods organized in different interfaces.

12 Mapping ESAPI to ASVS ASVS can be used to establish a level of confidence in the security of Web applications. Authentication Session Management Access Control Input Validation Output Encoding Cryptography Error Handling & Logging Data Protection HTTP Security

13 Mapping ESAPI to ASVS - An example - ASVS Session Management ESAPI Implementation ESAPI.httpUtilities().changeSessionIde ntifier() changes the session id in the login process BTW: prevents session fixation.

14 Mapping ESAPI to ASVS

15 Swingset Originally designed as a Web Application which demonstrates the many uses of ESAPI. One issue... lacked interactivity with devs.

16 Swingset v1.0 Customized version of Swingset Aligned with OWASP GEC mission Aimed to train developers on ESAPI ➡ Each lab presents a vulnerability ➡ Developer needs to fix it using ESAPI Labs organized around ASVS

17 Swingset v1.0 Installation Requirements: JDK or JRE Eclipse ESAPI for Java Swingset

18 Swingset Demo Let’s go for a swing!

19 Swingset Demo ESAPI provides a “positive” set of security controls ESAPI could be used to improve the security of your applications in alignment with ASVS Swingset is a great tool to train developers on how to achieve this.

20 Swingset - Future Plans Automate installation as much as possible Better GUI (side menu/graphics) More lessons (eg. beginners/advanced) Virtual Lab Interested? Drop me an email! SWINGSET

21 Q&A FCERULLO@OWASP.ORG CATHAL.P.COURTNEY@AIB.IEAIB.IE Want to contribute or provide feedback? Thank you!

22 Additional Resources ESAPI Swingset v1.0 http://code.google.com/p/swingset-demo/ ESAPI Javadocs http://owasp-esapi- java.googlecode.com/svn/trunk_doc/latest/index. html http://owasp-esapi- java.googlecode.com/svn/trunk_doc/latest/index. html ESAPI book (needs update) https://www.owasp.org/images/7/79/ESAPI_Book.pdf https://www.owasp.org/images/7/79/ESAPI_Book.pdf

Download ppt "OWASP ESAPI SwingSet An introduction by Fabio Cerullo."

Similar presentations

OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.

OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.
Automation Domination Application Security with Continuous Integration (CI)

Automation Domination Application Security with Continuous Integration (CI)
© 2007 IBM Corporation IBM Emerging Technologies Enabling an Accessible Web 2.0 Becky Gibson Web Accessibility Architect.

© 2007 IBM Corporation IBM Emerging Technologies Enabling an Accessible Web 2.0 Becky Gibson Web Accessibility Architect.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.

Introduction to eValid Presentation Outline What is eValid? About eValid, Inc. eValid Features System Architecture eValid Functional Design Script Log.
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Slide 1 of 9 Presenting 24x7 Scheduler The art of computer automation Press PageDown key or click to advance.

Slide 1 of 9 Presenting 24x7 Scheduler The art of computer automation Press PageDown key or click to advance.
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
IOTA Improved Design and Implementation of a Modular and Extensible Website Framework Andrew Hamilton – TJHSST Computer Systems Lab 2008-2009 Abstract.

IOTA Improved Design and Implementation of a Modular and Extensible Website Framework Andrew Hamilton – TJHSST Computer Systems Lab Abstract.
FINAL DEMO 4.3.2009 Apollo Crew, group 3 T-76.4115 SW Development Project.

FINAL DEMO Apollo Crew, group 3 T SW Development Project.
MU Bulletin Board Member: Carol Lim Yi Wang Lei Wen Mentor: John Boyer Programmer/Analyst of MSA/ Student Life.

MU Bulletin Board Member: Carol Lim Yi Wang Lei Wen Mentor: John Boyer Programmer/Analyst of MSA/ Student Life.
Eclipse Overview Introduction to Web Programming Kirkwood Continuing Education Fred McClurg © Copyright 2015, Fred McClurg, All Rights Reserved.

Eclipse Overview Introduction to Web Programming Kirkwood Continuing Education Fred McClurg © Copyright 2015, Fred McClurg, All Rights Reserved.

Similar presentations

Ads by Google