ESAPI
null Bangalore Chapter - June 2014 Meet
About the author
- Jeff Williams, Project Manager, OWASP ESAPI
- Founder and CEO of Aspect Security
- 25 years of experience
- OWASP Top 10 and WebGoat projects
Why ESAPI?
- Issues arise when security implementation is left in developers' hands
- Reinventing the wheel
- Complexity of application security for developers
- Simplify application security for developers
What is ESAPI?
- Security API
- Exhaustive list of security controls
- For web application or web service projects
- 120 methods and interfaces
- First J2EE version released Aug 2010
Footprints
J2EE ESAPI libraries
Libraries borrowed!
Packages
It works best when...
- You create a security API that matches YOUR enterprise
- You create a custom ESAPI for your organization
My observations
- The canonicalization feature is handy
- The encoding module is very mature
- Data validation responses can be improved with the Spring validation framework
- HTTP header and cookie validations are good
- Client-side JavaScript ESAPI is not part of this module
- Not sure whether OWASP CSRFGuard and the CSRF module in ESAPI are the same or not
2-step setup
1. Add esapi.jar to lib
2. Create a custom ESAPI for your organization
Data validation
Review.jsp
Validation.properties
Encoding
Review.jsp
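The data-validation and encoding slides above both show Review.jsp; as an added example that is not from the deck, this is the validate-then-encode flow such a page would use for a user-submitted review comment. It assumes ESAPI.properties and validation.properties are on the classpath, that validation.properties keeps the stock `Validator.SafeString` entry, and uses a constructed length limit and context label.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example (not from the deck). Assumes validation.properties contains the
 * stock entry
 *   Validator.SafeString=^[.\p{Alnum}\p{Space}]{0,1024}$
 * so that the type name "SafeString" below resolves to that whitelist regex.
 */
public class ReviewInput {

    private static final int MAX_REVIEW_LENGTH = 500; // constructed limit for this example

    /**
     * Validates a raw request parameter and returns the canonical, validated value,
     * or throws so the caller renders an error page instead of storing the input.
     * getValidInput canonicalizes first, so encoded input is decoded before the
     * whitelist regex and length check are applied.
     */
    public static String validateReview(String rawParam) throws ValidationException {
        try {
            return ESAPI.validator().getValidInput(
                    "review-comment",   // context label that appears in ESAPI log entries
                    rawParam,           // untrusted input straight from the request
                    "SafeString",       // looks up Validator.SafeString in validation.properties
                    MAX_REVIEW_LENGTH,
                    false);             // allowNull = false: an empty review is rejected
        } catch (IntrusionException e) {
            // ESAPI raises this when the input uses multiple or mixed encodings; the event is
            // already logged, so surface it to the caller as an ordinary validation failure.
            throw new ValidationException("Review rejected", "Intrusion detected in review input", e);
        }
    }

    /** Output encoding for the HTML body of Review.jsp; never emit the raw value here. */
    public static String renderReviewHtml(String validatedReview) {
        return "<p class=\"review\">" + ESAPI.encoder().encodeForHTML(validatedReview) + "</p>";
    }

    /** Output encoding for the same value when it is placed inside an inline script block. */
    public static String renderReviewJs(String validatedReview) {
        return "var review = '" + ESAPI.encoder().encodeForJavaScript(validatedReview) + "';";
    }
}
```

Validation on input and context-specific encoding on output are separate controls; the SafeString whitelist limits what is stored, while encodeForHTML and encodeForJavaScript protect the page regardless of what passed validation.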
Learning
- Gap between suggestion and execution
End