Copyright © 2007 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.
The OWASP Foundation
The Open Web Application Security Project
http://www.owasp.org
A Sneak Peek at the OWASP Enterprise Security API
Jeff Williams, OWASP Foundation, [email protected]
Aspect Security, [email protected]
The Challenge…
Developers need to rip, mix, and burn authentication, access control, input validation, encoding, encryption, logging, error handling, etc…
Log4j, Reform, ACEGI, Struts, Stinger, Spring, Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, xml-dsig, xml-enc, lots, lots more…
Drivers
I’m tired of security “researchers”
Most developers shouldn't build security controls
When to use a control
How to use a control
Why to use a control (maybe)
All the security guidelines, courses, tutorials, websites, books, etc… are all mixed up because everyone builds their own controls
Few organizations have a complete security API
Design
Only include methods that…
Are useful in a large percentage of applications
Focus on the most risky areas
Designed to be simple to understand and use
Interfaces with concrete reference implementation
Full documentation and usage examples
Same basic API across common platforms: Java EE, .NET, PHP, others?
Strawman
Preliminary
Customizing
ESAPI is an API
Wrap existing libraries and services
Extend and customize ESAPI
Fill in gaps with reference implementation
Easy to retrofit to existing applications
Project Plan and Status
2002 – Start Collecting
9/07 – Sneak Peek
Quality
Authenticator
Key Methods
createUser(accountName, pass1, pass2)
generateStrongPassword()
getCurrentUser()
login(request, response)
verifyAccountNameStrength(acctName)
verifyPasswordStrength(newPass, oldPass)
Reference Implementation
Use a threadlocal variable to store the current User
Automatically changes the session id on login and logout
User
Key Methods
changePassword(old, new1, new2)
disable()
enable()
getAccountName()
getScreenName()
getCSRFToken()
getLastFailedLoginTime()
getLastLoginTime()
getRoles()
isInRole(role)
isEnabled()
isExpired()
isLocked()
loginWithPassword(password, request, response)
logout(request, response)
resetCSRFToken()
resetPassword()
verifyCSRFToken(java.lang.String token)
AccessController
Key Methods
isAuthorizedForData(key)
isAuthorizedForFile(filepath)
isAuthorizedForFunction(functionName)
isAuthorizedForService(serviceName)
isAuthorizedForURL(url)
Reference Implementation (not required)
/*       | any   | deny  | default deny rule
/admin/* | admin | allow | admin access to /admin
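The rule table above can be evaluated like this; the sketch below is a Python example added here (not ESAPI's own Java reference implementation) and assumes the pipe-separated format shown on the slide, a "most specific pattern wins, deny wins ties, no match means deny" policy, and that the request path is canonicalized before matching.

```python
import fnmatch
import posixpath

# Constructed rule text in the format shown on the slide:
#   URL pattern | role | allow/deny | comment
URL_RULES = """
/*       | any   | deny  | default deny rule
/admin/* | admin | allow | admin access to /admin
"""

def parse_rules(text):
    """Turn the rule text into (pattern, role, action) tuples; comments are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError("malformed access rule: %r" % line)
        rules.append((fields[0], fields[1], fields[2].lower()))
    return rules

def is_authorized_for_url(rules, url, user_roles):
    """Return True only if the most specific matching rule for one of the user's
    roles says allow. No matching rule, or a tie that includes a deny, means deny."""
    # Canonicalize first: drop the query string and collapse '..' so that
    # /public/../admin/x is judged as /admin/x instead of slipping past /admin/*.
    path = posixpath.normpath(url.split("?", 1)[0])
    best = None
    for pattern, role, action in rules:
        if role != "any" and role not in user_roles:
            continue
        if not fnmatch.fnmatchcase(path, pattern):
            continue
        key = (len(pattern), action == "deny")   # longer pattern wins; deny wins ties
        if best is None or key > best[0]:
            best = (key, action)
    return best is not None and best[1] == "allow"
```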
AccessReferenceMap
Key Methods
getDirectReference(indirectReference)
getIndirectReference(directReference)
iterator()
update(directReferences)
Example
http://www.ibank.com?file=report123.xls
http://www.ibank.com?file=a3nr38
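The example above replaces the real file name in the URL with a random token that is only meaningful to the server. The Python class below is an added illustration of that idea (not ESAPI's own code); it assumes per-user maps built from the references that user is allowed to see, so a token that is not in the map is treated as an authorization failure.

```python
import secrets

class AccessReferenceMap:
    """Maps direct references (file names, DB keys) to random indirect tokens.
    Only the token reaches the browser; the server resolves it back, so a user
    cannot reach report124.xls just by editing the URL. Constructed example."""
    ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

    def __init__(self, direct_references=(), token_length=6):
        self.token_length = token_length
        self._itod = {}   # indirect token -> direct reference
        self._dtoi = {}   # direct reference -> indirect token
        self.update(direct_references)

    def _new_token(self):
        while True:   # loop only matters on the rare collision
            token = "".join(secrets.choice(self.ALPHABET) for _ in range(self.token_length))
            if token not in self._itod:
                return token

    def update(self, direct_references):
        """Add tokens for new references and drop references the user no longer owns."""
        wanted = set(direct_references)
        for direct in list(self._dtoi):
            if direct not in wanted:
                del self._itod[self._dtoi.pop(direct)]
        for direct in wanted:
            if direct not in self._dtoi:
                token = self._new_token()
                self._dtoi[direct] = token
                self._itod[token] = direct

    def get_indirect_reference(self, direct):
        return self._dtoi[direct]

    def get_direct_reference(self, indirect):
        # Fail closed: an unknown token is indistinguishable from a forbidden one.
        if indirect not in self._itod:
            raise PermissionError("unknown or unauthorized reference")
        return self._itod[indirect]

    def __iter__(self):
        return iter(self._dtoi)

def download_url(arm, filename, base="http://www.ibank.com?file="):
    """Build the link the page would emit for filename, e.g. ...?file=a3nr38."""
    return base + arm.get_indirect_reference(filename)
```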
Validator
Key Methods
canonicalize(input)
isValidFileUpload(filepath, filename, content)
isValidCreditCard(input)
isValid*****(input)
isValidRedirectLocation(location)
isValidSafeHTML(input)
safeReadLine(inputStream, maxchars)
Canonicalization is really important
Encoder
HTTPUtilities
Key Methods
changeSessionIdentifier(request)
formatHttpRequestForLog(request, sensitiveList)
getFileUploads(request, tempDir, finalDir)
killAllCookies(request, response)
killCookie(name, request, response)
sendRedirect(location)
setCookie(name, value, age, domain, path, response)
setNoCacheHeaders(response)
Safer ways of dealing with HTTP, uses HTTPOnly
Encryptor
Key Methods
decrypt(ciphertext)
encrypt(plaintext)
hash(plaintext, salt)
loadCertificateFromFile(file)
getTimeStamp()
seal(data, expiration)
verifySeal(seal, data)
sign(data)
verifySignature(signature, data)
Simple master key in configuration
Minimal certificate support
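seal(data, expiration) and verifySeal(seal, data) let the server hand a value to the client and later trust it back without storing it. The Python example below is added here (not ESAPI's implementation) and assumes an HMAC-SHA256 seal keyed with the configured master key, with the expiry time covered by the MAC so it cannot be extended by the client.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed master key; on the slide the key lives in configuration.
MASTER_KEY = secrets.token_bytes(32)

def seal(data, expiration, now=None, key=MASTER_KEY):
    """Return 'expiry:base64(data):mac'. The MAC covers expiry and data together,
    so neither can be changed without the key. expiration is in seconds."""
    now = time.time() if now is None else now
    expiry = int(now + expiration)
    payload = base64.urlsafe_b64encode(data.encode("utf-8")).decode("ascii")
    body = "%d:%s" % (expiry, payload)
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + ":" + mac

def unseal(sealed, now=None, key=MASTER_KEY):
    """Return the sealed data, or raise ValueError if the seal is malformed,
    tampered with, or expired. The MAC is checked before any field is trusted."""
    now = time.time() if now is None else now
    parts = sealed.split(":")
    if len(parts) != 3:
        raise ValueError("malformed seal")
    expiry, payload, mac = parts
    body = "%s:%s" % (expiry, payload)
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        raise ValueError("seal MAC mismatch")
    if now >= int(expiry):
        raise ValueError("seal expired")
    return base64.urlsafe_b64decode(payload.encode("ascii")).decode("utf-8")

def verify_seal(sealed, data, now=None, key=MASTER_KEY):
    """The slide's verifySeal(seal, data): True only if the seal is intact,
    unexpired, and carries exactly data."""
    try:
        return unseal(sealed, now=now, key=key) == data
    except ValueError:
        return False
```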
EncryptedProperties
Key Methods
getProperty(key)
setProperty(key, value)
keySet()
load(inputStream)
store(outputStream, comments)
Simple protected storage for configuration data
Randomizer
Key Methods
getRandomInteger(min, max)
getRandomReal(min, max)
getRandomString(length, characterSet)
Several pre-defined character sets: lowers, uppers, digits, specials, letters, alphanumerics, password, etc…
Exception Handling
EnterpriseSecurityException
AccessControlException
AuthenticationException
AvailabilityException
CertificateException
EncryptionException
ExecutorException
IntrusionException
ValidationException
Allows a sensible security exception framework
Logger
Key Methods
getLogger(applicationName, moduleName)
logCritical(type, message, throwable)
logDebug(type, message, throwable)
logError(type, message, throwable)
logSuccess(type, message, throwable)
logTrace(type, message, throwable)
logWarning(type, message, throwable)
All EnterpriseSecurityExceptions are automatically logged
IntrusionDetector
Key Methods
addException(exception)
createQuota(exception, limit)
Current Plan
EnterpriseSecurityExceptions are automatically sent to IntrusionDetector
Can set a quota for any exception
Detects exceeding quota in a specified time period
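The quota idea above can be implemented as a per-user sliding window over exception occurrences. The Python class below is an added example (not ESAPI's code); it assumes the time period is passed to createQuota alongside the limit, that exceptions are keyed by their class name, and that exceeding the quota raises an IntrusionException for the application to act on.

```python
import time
from collections import defaultdict, deque

class IntrusionException(Exception):
    """Raised when a user exceeds the quota for one exception type."""

class AuthenticationException(Exception):
    """Constructed stand-in for an ESAPI EnterpriseSecurityException subclass."""

class IntrusionDetector:
    def __init__(self):
        self._quotas = {}   # exception class name -> (limit, window in seconds)
        # exception class name -> user -> timestamps of recent occurrences
        self._events = defaultdict(lambda: defaultdict(deque))

    def create_quota(self, exception_type, limit, window_seconds):
        """The slide's createQuota(exception, limit) with the time period made explicit."""
        self._quotas[exception_type.__name__] = (limit, window_seconds)

    def add_exception(self, exc, user, now=None):
        """Record exc for user and return how many fall inside the window; raise
        IntrusionException once the count exceeds the quota for that type."""
        now = time.time() if now is None else now
        name = type(exc).__name__
        if name not in self._quotas:
            return 0                     # no quota configured: nothing to track
        limit, window = self._quotas[name]
        recent = self._events[name][user]
        recent.append(now)
        while recent and now - recent[0] > window:   # age out old occurrences
            recent.popleft()
        if len(recent) > limit:
            recent.clear()               # reset so the next breach is reported afresh
            raise IntrusionException("%s: %s exceeded %d in %ds" % (user, name, limit, window))
        return len(recent)
```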
OWASP Top Ten Coverage
Closing Thoughts
I have learned an amazing amount (I thought I knew)
An ESAPI is a key part of a balanced breakfast
Integrated API has huge benefits over separate libraries
Secondary benefits
May help static analysis do better
Enables security upgrades across applications
Simplifies developer training
Next year – experiences moving to ESAPI