Transcript of slide deck: Development of Security Framework based on OWASP ESAPI for JSF2.0
Development of Security Framework based on
OWASP ESAPI for JSF2.0
About Us
– Rakesh Kachhadiya
• Master's work, University of Freiburg (Germany)
– Emmanuel Benoist
• Professor, Bern University of Applied Sciences (Switzerland)
ESAPI
• Enterprise Security API
– OWASP Project
– Support for: Java, Dot NET, Classic ASP, PHP, ColdFusion, Python, Objective C, Ruby, C, Perl, …
• Groups all security features into one library:
– Authentication, Authorization
– Access control, logging and intrusion detection
– Validation, decoding, encoding (for HTML, XML, SQL, LDAP, …)
– Crypto functionalities
Java Server Faces
• JSF: Advantages
– Model View Controller
• Controller: Faces Servlet
• View: xhtml files
– Component tree
• Model: Java files using annotations
– Separation of layers
• Front End: xhtml and components
• Back End: Java
– Libraries with reusable components
• Apache, RichFaces, Oracle, etc.
– Concepts like: Validators and Converters
Integrating ESAPI in JSF
• At different levels
– In the Model
• Authorization, Access control, logging, SQL/LDAP/XML encoding, …
– In the View
• Create Validators
– In the Controller (in the Faces Servlet)
• Enhancing HTTP
• HTML Encoding
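Added example (not code from the slides or from the authors' library) of the "Create Validators" level: a JSF 2.0 Validator that delegates input validation to the ESAPI Validator, so the view can declare it with `<f:validator validatorId="esapiEmail"/>`. It assumes ESAPI 2.x on the classpath and an ESAPI.properties defining the `Validator.Email` pattern (the default ESAPI.properties ships one); the package name is hypothetical.

```java
// Usage in a view (xhtml):
//   <h:inputText value="#{bean.email}"><f:validator validatorId="esapiEmail"/></h:inputText>
package ch.bfh.esapijsf.validator; // hypothetical package name

import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Registered under the id "esapiEmail" by the JSF 2.0 annotation, no faces-config entry needed.
@FacesValidator("esapiEmail")
public class EsapiEmailValidator implements Validator {

    private static final int MAX_LENGTH = 254;

    @Override
    public void validate(FacesContext ctx, UIComponent component, Object value)
            throws ValidatorException {
        String input = value == null ? null : value.toString();
        try {
            // "Email" selects the Validator.Email regex from ESAPI.properties.
            // ESAPI checks the length first, then the whitelist pattern;
            // allowNull=false rejects empty input. The client id is the log context.
            ESAPI.validator().getValidInput(
                    component.getClientId(ctx), input, "Email", MAX_LENGTH, false);
        } catch (ValidationException e) {
            // ESAPI separates a user-safe message from the detailed log message;
            // only the user-safe one is rendered in the view.
            throw new ValidatorException(new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, e.getUserMessage(), null));
        } catch (IntrusionException e) {
            // The ESAPI intrusion detector classified the input as an attack,
            // not a typo: give the user no detail, ESAPI has already logged it.
            throw new ValidatorException(new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Invalid input.", null));
        }
    }
}
```

Because the check runs in the JSF Process Validations phase, the model is never updated with a rejected value; output encoding of the value when it is rendered back (ESAPI.encoder().encodeForHTML) remains a separate step at the controller level.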
Project goals
• Provide a library for integrating ESAPI in JSF
– Reduces the work for the developers
– Secure implementation
• Adapt ESAPI to JSF ”culture”
– Provide out of the box tools
– Easy to integrate in a project
– Can be used by simple developers
Architecture
Demo1 : Render Response
Demo2: Validation
Demo3 : Filtering
Demo4: File based Authorization
Conclusion
• Integrate ESAPI into JSF
– It will help programmers
– Makes security “invisible”
• Known issues
– Access Control: prevent updating of the model
– CSRF: make it transparent for the programmer
• Need feedback from security experts
– What are the common vulnerabilities for JSF?
Questions
• Feedback for OWASP
• Contact us:
– Emmanuel.Benoist (AT) bfh.ch
– RakeshKachhadiya (AT) gmail.com
QUESTIONS?