FROC2010 Abstract Schmidt

The Presentation: "Solving Real-World Problems with an Enterprise Security API (ESAPI)"
A great deal of work has gone into aggregating statistics and information about security vulnerabilities in enterprise applications on the internet. A lot of work has also been done in creating software libraries and secure coding guidelines to mitigate vulnerabilities. The OWASP group has created an ESAPI that is meant to act as a service provider of security to enterprise applications. There is a lot of documentation and resources available on what an ESAPI is, but there is not much information on how to actually implement an ESAPI to mitigate a specific set of vulnerabilities in an application. This presentation aims to provide information on how to use ESAPI to solve real-world security problems in a clear and interactive way. Using ESAPI for Java and Javascript I will demonstrate examples of vulnerabilities in simple web applications, describe the problem and solution, then fix the vulnerabilities. I will also discuss the importance of developing the ESAPI to fit the business needs of the application.

The presentation will use OWASP ESAPI configured with the reference implementations for Encoding/Decoding, Encryption, Logging, and Validation. For Authentication and Access Control a custom JAAS Implementation to show how easy it is to implement business specific implementations into the ESAPI framework.

The Speaker: Chris Schmidt
Chris Schmidt is a Software Engineer for ServiceMagic, in Golden, CO. He is also a core contributer on the OWASP ESAPI4Java Project and project owner of the OWASP ESAPI4JavaScript Project. Chris has 13 years experience in Information Technology as an Systems Engineer, Software Engineer, and Independent Application Security Consultant. He authors the Yet Another Developer's Blog and is in the process of writing his first book on Secure Development Practices centered around the core concepts of the ESAPI.

Back to Conference Agenda