The OWASP Top Ten and ESAPI – Final Summary


OK, we have now been through all the issues listed in the 2007 version of the OWASP Top Ten. The 2010 version is very similar, with a couple of differences; I may follow up on those at a later time. Hopefully you have seen through the articles in this series that ESAPI (the Java version was used throughout) was built to deal with quite a few real security issues that developers face today. The series has shown that ESAPI can be used in almost every instance to either partially or completely remediate a specific issue, and to do it properly. The ESAPI community is thriving, and good things are coming out frequently. New implementations of some controls are showing up. New people are joining. New issues are being tackled. Get involved with this community and make it better. Use the outstanding controls this group has kindly given away, and offer some of your own.

Hopefully this series has been helpful to you in moving closer to secure J2EE development by exposing you to ESAPI and all it has to offer. I’ll be moving on to different topics in the future. Hope you enjoyed this one!

As a reference, all the articles from the series are listed below for easy access.
Part 0: The OWASP Top Ten and ESAPI
Part 1: The OWASP Top Ten and ESAPI – Part 1 – Cross Site Scripting (XSS)
Part 2: The OWASP Top Ten and ESAPI – Part 2 – Injection Flaws
Part 3: The OWASP Top Ten and ESAPI – Part 3 – Malicious File Execution
Part 4: The OWASP Top Ten and ESAPI – Part 4 – Insecure Direct Object Reference
Part 5: The OWASP Top Ten and ESAPI – Part 5 – Cross Site Request Forgery (CSRF)
Part 6: The OWASP Top Ten and ESAPI – Part 6 – Information Leakage and Improper Error Handling
Part 7: The OWASP Top Ten and ESAPI – Part 7 – Broken Authentication and Session Management
Part 8: The OWASP Top Ten and ESAPI – Part 8 – Insecure Cryptographic Storage
Part 9: The OWASP Top Ten and ESAPI – Part 9 – Insecure Communications
Part 10: The OWASP Top Ten and ESAPI – Part 10 – Failure to Restrict URL Access

As a final note, I’d like to make a special request. If you have any requests for something you’d like to see here, an article on a specific topic involving J2EE web security, feel free to comment here or send me an email. My direct contact info is listed on the About page.



5 thoughts on “The OWASP Top Ten and ESAPI – Final Summary”

  1. I think that was an excellent series. My “special request” would be some recommendations on how to implement audit trail using ESAPI. In particular, something that would be in some way compliant with PCI recommendation 10. Thanks

  2. @Alexis
    Thanks. I will look into PCI recommendation 10, and see if there are specific things that ESAPI can do to help deal with the requirements there. I will say that typically ESAPI is not built to meet specific business requirements, but rather provides certain controls to prevent certain classes of attacks, i.e., part of the output encoding controls protect against XSS. There is, however, a logger in ESAPI. The default logger can be set up to do a certain type of output encoding to prevent problems like log forging. That might be a place to start.
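
    The log-forging problem mentioned in the reply above, illustrated with an added example that is not part of the original post and not ESAPI source code. A constructed username carrying a CR/LF pair and a fabricated "admin logged in" record is written once through naive string concatenation (two apparent log records result, the second a forgery) and once through a neutralizing routine that collapses line terminators and HTML-encodes the input, which is the kind of encoding the ESAPI logger applies when log encoding is enabled in ESAPI.properties (check the `Logger.LogEncodingRequired` setting in your ESAPI version; the exact character set ESAPI encodes is its own and may differ from this illustration). Only the JDK is used, so it compiles without ESAPI on the classpath.

```java
import java.util.logging.Logger;

/**
 * Added illustration (not ESAPI code) of log forging and of the
 * neutralising encoding a security logger should apply to user input.
 */
public class LogForgingDemo {

    private static final Logger LOG = Logger.getLogger("app.auth");

    // Constructed attacker input: a username that smuggles a CR/LF pair and a
    // fabricated "successful login" record for an administrator account.
    static final String FORGED_USER =
        "guest\r\nINFO: User 'admin' logged in successfully from 10.0.0.1";

    /** Vulnerable: raw user input concatenated straight into the log message. */
    static String vulnerableMessage(String user) {
        return "Login failed for user '" + user + "'";
    }

    /**
     * Neutralise user-controlled data before logging. Line terminators and
     * other control characters are replaced so a single call can only ever
     * produce a single log record, and HTML-significant characters are
     * encoded so the entry is also safe to render in a browser-based log
     * viewer (a second, common place where forged log data bites).
     */
    static String neutralize(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\r':
                case '\n':
                    out.append('_');
                    break;
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#x27;");
                    break;
                default:
                    // Remaining control characters (backspace, escape, DEL)
                    // could mangle a terminal-based viewer; neutralise them too.
                    if (c < 0x20 || c == 0x7f) {
                        out.append('_');
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** Safe: the same message, with the user-controlled part neutralised. */
    static String safeMessage(String user) {
        return "Login failed for user '" + neutralize(user) + "'";
    }

    public static void main(String[] args) {
        // Writes what looks like two records; the second one is the forgery.
        LOG.warning(vulnerableMessage(FORGED_USER));
        // Writes exactly one record; the injected line break shows up as "__".
        LOG.warning(safeMessage(FORGED_USER));
    }
}
```

    Run it with `javac LogForgingDemo.java && java LogForgingDemo` and compare the two entries on the console. The point for a PCI-style audit trail is that every record in the log must have been written by the application, not dictated by the request; neutralising line terminators is what makes that guarantee hold, and the HTML encoding protects whoever later reads the log in a web console.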

  3. The series was excellent. The only thing I disagree with you about was the numbering (OWASP Top 10 issue + 1) to get the right part.

    It’s much easier to rename part 1 (the intro) part 0 and be compliant with OWASP numbering for easy access to the issues.

  4. @Mostafa,
    Great idea – I renamed all the articles according to your suggestion. The urls stayed the same, but the titles and headers are updated. Should have done this in the first place.
