Talk:OWASP Java Project Roadmap

This is the discussion page for the Java Project Roadmap. You can add your thoughts and comments below. Please make them easy to read and end your entries with four tildes (~~~~) to sign them.

Ideas

 * I think we should consider revamping the roadmap with specific article titles and content that we'd like to get written. For example, I'm considering writing an article on how to set up Eclipse to do a code review. It would be nice to link that in here, but I'm not sure just where.  I was thinking something like this....


 * Using Eclipse for security code review
 * This article will cover setting up Eclipse with plugins like FindBugs, jlint, PMD, and Metrics. Then it will explore how you can use the various search and code browsing functions to find and diagnose potential vulnerabilities. Jeff Williams 15:01, 22 June 2006 (EDT)

Sounds like some excellent content! Couldn't this fit in to the Code Analysis Tools section (even if we have to rename the section to something like "Code Analysis Techniques")? Since the Eclipse example is something core to the Java project, I think it should be placed under a real heading, but for other miscellaneous content, I've created a Resources section which could include external articles, books and other resources. Stephendv 04:18, 26 June 2006 (EDT)

Design considerations

 * Architectural considerations
 * EJB Middle tier
 * Web Services Middle tier
 * Spring Middle tier

Noteworthy Frameworks
Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section. --Stephendv 08:04, 12 June 2006 (EDT)
 * Acegi
 * Commons validator
 * jGuard
 * Stinger seems to be parked for a while now, is this correct Jeff?
 * Stinger is
 * CVS HEAD is in a functional state; needs work on docs and new features Roman 00:15, 13 June 2006 (EDT)

I think Struts should be covered too - Rohyt

Struts is important as a web framework, but there are many frameworks that provide the same functionality from a security point of view. I think it makes sense to discuss struts as a web framework in section on XSS below with the other popular web frameworks rather than give it a special place in this section which only covers security specific frameworks. --Stephendv 07:22, 18 June 2006 (EDT)

Java Security Basics

 * Class Loading
 * Bytecode verifier
 * The Security Manager and security.policy file

Input Validation

 * Overview

SQL Injection

 * Overview
 * Prevention
 * White Listing
 * Prepared Statements
 * Stored Procedures
 * Hibernate
 * Ibatis
 * Spring JDBC
 * EJB 3.0?
 * JDO?
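Worked example for the Prevention items above (added here for the roadmap; it is not code from the OWASP Java project). It contrasts string concatenation with a PreparedStatement and shows the one case a placeholder cannot cover, an ORDER BY column, which is handled by a white list. The table users(id, username, email, created) is hypothetical, and the two methods that take a Connection assume a JDBC driver on the classpath; main() exercises only the parts that need no database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class SqlInjectionDemo {

    /** VULNERABLE: the user-supplied value becomes part of the SQL text. */
    public static String vulnerableQuery(String username) {
        return "SELECT id, email FROM users WHERE username = '" + username + "'";
    }

    /** VULNERABLE execution: username = "x' OR '1'='1" returns every row. */
    public static void findUserUnsafe(Connection c, String username) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(vulnerableQuery(username))) {
            while (rs.next()) {
                System.out.println(rs.getLong("id") + " " + rs.getString("email"));
            }
        }
    }

    /** SAFE: the driver sends the value separately from the SQL text; quotes in it are data. */
    public static void findUserSafe(Connection c, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE username = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getLong("id") + " " + rs.getString("email"));
                }
            }
        }
    }

    /** Identifiers cannot be bound with '?', so the sort column is white listed instead. */
    private static final Set<String> SORTABLE = Set.of("username", "email", "created");

    public static String orderByColumn(String requested) {
        if (requested == null || !SORTABLE.contains(requested)) {
            throw new IllegalArgumentException("unknown sort column: " + requested);
        }
        return requested;   // now guaranteed to be one of our own literals
    }

    public static void listUsersSorted(Connection c, String sortBy) throws SQLException {
        String sql = "SELECT username, email FROM users ORDER BY " + orderByColumn(sortBy);
        try (PreparedStatement ps = c.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                System.out.println(rs.getString(1) + " " + rs.getString(2));
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input: shows what the concatenated query text becomes.
        System.out.println(vulnerableQuery("x' OR '1'='1"));
        System.out.println(orderByColumn("email"));
        try {
            orderByColumn("email; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same shape applies to the ORM items in the list: Hibernate HQL and Spring JDBC both offer named or positional parameter binding, and concatenating user input into an HQL string is injectable in exactly the way the first method is.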

Cross Site Scripting (XSS)

 * Overview
 * Prevention
 * White Listing
 * Manual HTML Encoding
 * Preventing XSS in popular Web Frameworks
 * JSP/JSTL
 * Struts
 * Spring MVC
 * Java Server Faces
 * WebWork
 * Wicket
 * Tapestry
 * CSRF attack
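Worked example for "Manual HTML Encoding" and "White Listing" (added for the roadmap; not code from the OWASP Java project or any of the frameworks listed). The point it makes beyond the outline is that encoding is per context: the HTML-body encoder is wrong inside a script block, so a second encoder is shown for that case. All inputs are constructed.

```java
import java.util.regex.Pattern;

public class XssDemo {

    /** Encode for HTML element content and quoted attribute values. */
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;   // &apos; is not defined in HTML 4
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Encode for a JavaScript string literal inside <script>: escape everything that is not ASCII alphanumeric. */
    public static String jsStringEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) out.append(c);
            else if (c < 256) out.append(String.format("\\x%02X", (int) c));
            else out.append(String.format("\\u%04X", (int) c));
        }
        return out.toString();
    }

    /** White list: accept only what the field legitimately needs and reject everything else. */
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    /** VULNERABLE: raw input in the HTML body. */
    public static String greetUnsafe(String name) {
        return "<p>Hello " + name + "</p>";
    }

    /** SAFE: encoded for the HTML body context. */
    public static String greetSafe(String name) {
        return "<p>Hello " + htmlEncode(name) + "</p>";
    }

    /** SAFE: attribute context; the value must be quoted AND encoded. */
    public static String searchBox(String query) {
        return "<input type=\"text\" name=\"q\" value=\"" + htmlEncode(query) + "\">";
    }

    /** SAFE: script context; HTML encoding is not enough here, so the JS encoder is used. */
    public static String inlineScript(String name) {
        return "<script>var user = '" + jsStringEncode(name) + "';</script>";
    }

    public static void main(String[] args) {
        String attack = "<script>alert(document.cookie)</script>";   // constructed input
        System.out.println(greetUnsafe(attack));
        System.out.println(greetSafe(attack));
        System.out.println(searchBox("\" onfocus=\"alert(1)"));
        System.out.println(inlineScript("'; alert(1); //"));
        System.out.println(isValidUsername("alice_01") + " " + isValidUsername(attack));
    }
}
```

Because jsStringEncode escapes '<' and '/' as \x3C and \x2F, a payload cannot close the script element from inside the string literal. Where a framework's tag library already encodes (JSTL c:out, for instance), the manual encoder is only needed for contexts the tag does not cover.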

LDAP Injection

 * Overview
 * Prevention

XPATH Injection

 * Overview
 * Prevention
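Worked example covering both the LDAP Injection and XPATH Injection Prevention items (added for the roadmap; not code from the OWASP Java project). LDAP filter values get RFC 4515 escaping; the XPath case is parameterised with XPathVariableResolver from the JDK, the closest thing to a prepared statement for XPath. The user store XML is a constructed sample.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class LdapXpathDemo {

    /** RFC 4515 escaping for a value placed inside an LDAP search filter (DN escaping, RFC 4514, differs). */
    public static String ldapFilterEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** VULNERABLE: user = "*)(uid=admin" changes the structure of the filter. */
    public static String loginFilterUnsafe(String user) {
        return "(&(objectClass=person)(uid=" + user + "))";
    }

    /** SAFE: metacharacters become literal bytes of the value. */
    public static String loginFilterSafe(String user) {
        return "(&(objectClass=person)(uid=" + ldapFilterEscape(user) + "))";
    }

    /** Constructed sample document standing in for an XML user store. */
    static final String USERS_XML =
          "<users>"
        + "<user><name>alice</name><pw>s3cret</pw></user>"
        + "<user><name>bob</name><pw>hunter2</pw></user>"
        + "</users>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** VULNERABLE: pw = "' or '1'='1" turns the predicate into (name=... and pw='') or true. */
    public static int loginUnsafe(String name, String pw) throws Exception {
        String expr = "//user[name='" + name + "' and pw='" + pw + "']";
        NodeList nl = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, parse(USERS_XML), XPathConstants.NODESET);
        return nl.getLength();
    }

    /** SAFE: values are bound as XPath variables and never spliced into the expression. */
    public static int loginSafe(String name, String pw) throws Exception {
        Map<String, String> vars = Map.of("name", name, "pw", pw);
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(q -> vars.get(q.getLocalPart()));
        NodeList nl = (NodeList) xp.evaluate("//user[name=$name and pw=$pw]",
                parse(USERS_XML), XPathConstants.NODESET);
        return nl.getLength();
    }

    public static void main(String[] args) throws Exception {
        String inj = "' or '1'='1";                                   // constructed attacker input
        System.out.println(loginFilterUnsafe("*)(uid=admin"));
        System.out.println(loginFilterSafe("*)(uid=admin"));
        System.out.println(loginUnsafe("alice", inj) + " users matched with concatenation");
        System.out.println(loginSafe("alice", inj) + " users matched with variables");
        System.out.println(loginSafe("alice", "s3cret") + " user matched with the real password");
    }
}
```

With the injected password, loginUnsafe matches both sample users while loginSafe matches none, because the variable's value is compared as a whole string rather than parsed as XPath.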

Miscellaneous Injection Attacks

 * HTTP Response splitting
 * Command injection - Runtime.getRuntime().exec()
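Worked example for both Miscellaneous Injection items (added for the roadmap; not code from the OWASP Java project). For command injection it pairs a shell-wrapped exec with the white-list-plus-ProcessBuilder alternative; the hostname pattern also refuses a leading hyphen so the value cannot turn into a command-line option. For response splitting it checks header values for CR, LF and NUL and white lists redirect targets to local paths. All inputs are constructed; the ping command is only built, not run, in main().

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

public class MiscInjectionDemo {

    /** VULNERABLE: the host is spliced into a shell command line; host = "127.0.0.1; id" also runs id. */
    public static Process pingUnsafe(String host) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", "ping -c 1 " + host});
    }

    /** Hostname labels of letters, digits and hyphens; must start alphanumeric, so never "-something". */
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
      + "(?:\\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    /** Validate first, then build argv: no shell involved, the host is exactly one argument. */
    public static List<String> pingCommand(String host) {
        if (host == null || !HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("rejected host");
        }
        return List.of("ping", "-c", "1", host);
    }

    public static Process pingSafe(String host) throws IOException {
        return new ProcessBuilder(pingCommand(host)).redirectErrorStream(true).start();
    }

    /** HTTP response splitting: nothing containing CR, LF or NUL may reach a header. */
    public static String headerValue(String v) {
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                throw new IllegalArgumentException("control character in header value");
            }
        }
        return v;
    }

    /** Redirect targets: white list a local path instead of trusting the request parameter. */
    private static final Pattern LOCAL_PATH = Pattern.compile("^/[A-Za-z0-9_./-]*$");

    public static String redirectTarget(String requested) {
        if (requested == null || !LOCAL_PATH.matcher(requested).matches() || requested.startsWith("//")) {
            return "/";   // safe default rather than an attacker-chosen Location
        }
        return headerValue(requested);
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid host, a shell metacharacter, an option injection, an empty value.
        for (String h : List.of("example.org", "127.0.0.1; id", "-c 1000000 example.org", "")) {
            try {
                System.out.println("argv " + pingCommand(h));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: [" + h + "]");
            }
        }
        System.out.println(redirectTarget("/account/home"));
        System.out.println(redirectTarget("/home\r\nSet-Cookie: role=admin"));
        System.out.println(redirectTarget("//evil.example/phish"));
    }
}
```

Note that passing an argument array to exec() or ProcessBuilder removes the shell from the picture but does not stop argument injection into the invoked program, which is why the white list on the value itself stays in place.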

Authentication

 * Storing credentials
 * Hashing
 * SSL Best Practices
 * CAPTCHA systems (such as jcaptcha)
 * Container-managed authentication with Realms
 * JAAS Authentication
 * Password length & complexity

Session Management

 * Logout
 * Session Timeout
 * Absolute Timeout
 * Session Fixation
 * Terminating sessions
 * Terminating sessions when the browser window is closed
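Worked example for the Session Management items (added for the roadmap; not code from the OWASP Java project). It assumes the Servlet API (javax.servlet) on the classpath and the container's default cookie name JSESSIONID; the attribute names, timeouts and the /login redirect are this example's own choices. Login invalidates any pre-authentication session before creating a new one, which is the fixation defence; the absolute timeout is enforced on each request because the container only tracks inactivity.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionLifecycle {
    private static final int IDLE_SECONDS = 15 * 60;                   // inactivity timeout
    private static final long ABSOLUTE_MILLIS = 8L * 60 * 60 * 1000;   // hard cap regardless of activity
    private static final String USER = "auth.user";
    private static final String LOGIN_AT = "auth.loginAt";

    /** Call only after the credentials have been verified. */
    public static void onLoginSuccess(HttpServletRequest req, String username) {
        HttpSession pre = req.getSession(false);
        if (pre != null) {
            pre.invalidate();                  // discard the pre-authentication id (session fixation)
        }
        HttpSession s = req.getSession(true);  // container issues a new id and a new Set-Cookie
        s.setAttribute(USER, username);
        s.setAttribute(LOGIN_AT, System.currentTimeMillis());
        s.setMaxInactiveInterval(IDLE_SECONDS);
    }

    /** Returns the authenticated user or null; enforces the absolute timeout on every request. */
    public static String currentUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false);   // false: never create a session just to look
        if (s == null) return null;
        Object user = s.getAttribute(USER);
        Object loginAt = s.getAttribute(LOGIN_AT);
        if (user == null || loginAt == null) return null;
        if (System.currentTimeMillis() - (Long) loginAt > ABSOLUTE_MILLIS) {
            s.invalidate();
            return null;
        }
        return (String) user;
    }

    /** Logout: terminate the server-side session and expire the cookie in the browser. */
    public static void logout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
        // Cookie name assumes the container default; adjust if web.xml renames it.
        resp.setHeader("Set-Cookie", "JSESSIONID=; Max-Age=0; Path=/; HttpOnly; Secure");
        resp.sendRedirect("/login");   // hypothetical login page
    }
}
```

On "Terminating sessions when the browser window is closed": a session cookie without Max-Age is dropped when the browser exits, but the server-side session lives on until its timeout, and the server gets no signal that the window closed. A short idle timeout plus a visible logout is the practical answer. Servlet 3.1 and later also offer request.changeSessionId(), which rotates the id while keeping attributes, and the default inactivity timeout can be set container-wide in web.xml.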

Authorization

 * In presentation layer
 * In business logic
 * In data layer
 * Declarative vs. Programmatic
 * web.xml configuration
 * Forced browsing
 * JAAS
 * EJB Authorization
 * Acegi
 * JACC
 * Check horizontal privilege

Encryption

 * JCE
 * Storing db secrets
 * Encrypting JDBC connections
 * JSSE
 * Random number generation

Error Handling & Logging

 * Output Validation
 * Custom Errors
 * Logging - why log? what to log? log4j, etc.
 * Exception handling techniques
 * fail-open/fail-closed
 * resource cleanup
 * finally block
 * swallowing exceptions
 * Exception handling frameworks
 * Servlet spec - web.xml
 * JSP errorPage
 * Web application forensics and how it differs from conventional forensics. This will emphasize the importance of appropriate exception handling and logging  - Rohyt
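Worked example for the fail-open/fail-closed, finally block, swallowing exceptions, custom errors and logging items (added for the roadmap; not code from the OWASP Java project). The admin directory lookup, the user list and the exception message are constructed; java.util.logging stands in for log4j.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.Set;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorHandlingDemo {
    private static final Logger LOG = Logger.getLogger(ErrorHandlingDemo.class.getName());
    private static final Set<String> ADMINS = Set.of("alice");   // constructed sample data

    /** Hypothetical backend lookup; a null user stands in for "directory unavailable". */
    static boolean lookupIsAdmin(String user) throws IOException {
        if (user == null) throw new IOException("directory unavailable");
        return ADMINS.contains(user);
    }

    /** FAIL-OPEN (bug): when the lookup throws, the deny branch is skipped and control falls through to allow. */
    public static boolean allowAdminFailOpen(String user) {
        try {
            if (!lookupIsAdmin(user)) return false;
        } catch (IOException e) {
            // swallowed: no log entry, no denial
        }
        return true;
    }

    /** FAIL-CLOSED: default deny; the failure is logged with context and never silently swallowed. */
    public static boolean allowAdminFailClosed(String user) {
        try {
            return lookupIsAdmin(user);
        } catch (IOException e) {
            LOG.log(Level.WARNING, "admin lookup failed for user=" + forLog(user), e);
            return false;
        }
    }

    /** Log forging: strip CR/LF so a crafted username cannot fabricate extra log lines. */
    static String forLog(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }

    /** Resource cleanup: finally runs on every exit path, exception or not (try-with-resources does the same). */
    public static int countLines(Reader source) throws IOException {
        BufferedReader br = new BufferedReader(source);
        try {
            int n = 0;
            while (br.readLine() != null) n++;
            return n;
        } finally {
            br.close();
        }
    }

    /** Custom error: the stack trace goes to the log, the user gets an opaque reference id to quote to support. */
    public static String userFacingError(Exception e) {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "request " + ref + " failed", e);
        return "Sorry, something went wrong. Reference: " + ref;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("fail-open, backend down:   " + allowAdminFailOpen(null));
        System.out.println("fail-closed, backend down: " + allowAdminFailClosed(null));
        System.out.println("fail-closed, alice:        " + allowAdminFailClosed("alice"));
        System.out.println("fail-closed, forged name:  " + allowAdminFailClosed("bob\r\nADMIN granted"));
        System.out.println("lines: " + countLines(new StringReader("a\nb\nc")));
        System.out.println(userFacingError(new IllegalStateException("DB password is hunter2")));
    }
}
```

The reference id in the user-facing message is what makes the generic page useful for forensics: the log entry carries the full exception and the id, the browser carries only the id. The same split is what a web.xml error-page mapping or a JSP errorPage should deliver, so that neither a stack trace nor an internal message such as the one in main() ever reaches the response.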

Web Services Security
I think this section should also include WSS4J and a description of how XWS-Security and WSS4J can be integrated in the major Java Web Services Frameworks, such as Spring-WS, Axis, XFire, etc. (see also http://www.nljug.org/pages/events/content/jfall_2007/sessions/00028/) Eelco Klaver 08:59, 23 October 2007 (EDT)
 * SAML
 * (X)WS-Security
 * SunJWSDP
 * XML Signature (JSR 105)
 * XML Encryption (JSR 106)

Code Analysis Tools

 * Introduction
 * FindBugs
 * Creating custom rules
 * PMD
 * Creating custom rules
 * JLint
 * Jmetrics

I proposed some guidelines for the entire OWASP site in the Tutorial page. What do you think?? Jeff Williams 15:01, 22 June 2006 (EDT)

I didn't know this existed. Replaced the above with a link to the Tutorial page. --Stephendv 04:03, 26 June 2006 (EDT)

Securing Popular J2EE Servers

 * Securing Tomcat
 * Securing JBoss
 * Securing WebLogic
 * Securing WebSphere
 * Others...

Defining a Java Security Policy

 * Jeff's tool? --Stephendv 08:37, 12 June 2006 (EDT)
 * jChains (www.jchains.org)

Protecting Binaries
- Discuss Bytecode Manipulation Tools and Techniques - Rohyt
 * Bytecode obfuscation
 * Convert bytecode to native machine code
 * jarsigner