[Java-project] Fwd: [Owasp-leaders] Restart of the OWASP Java Project

psiinon psiinon at gmail.com
Fri Mar 4 05:04:08 EST 2011


Resending to this list as I wasn't subscribed before :)


---------- Forwarded message ----------
From: psiinon <psiinon at gmail.com>
Date: Fri, Mar 4, 2011 at 9:57 AM
Subject: Re: [Owasp-leaders] Restart of the OWASP Java Project
To: matthias.rohr at owasp.org
Cc: java-project at lists.owasp.org, owasp-leaders at lists.owasp.org


Hi Matthias,

I would really like to see as many java security tools and libraries
as possible reviewed, whether OWASP ones or not.

But what I would _really_ like to see is a 'java security' decision
tree. I'll explain...
I think the key use case we should be trying to address is "I'm a java
developer and I want to use standard high quality security controls,
what should I use?"
I see this as a decision tree because right now I don't think there's a
single right answer.
But I think we can implement a simple decision tree using the wiki.
So the first question could be "Is this a new project or an existing one?"
Why? Because big frameworks like ESAPI could well be too much work to
introduce into a large existing project.
Other questions could be things like:
* Are you using one of these frameworks: Spring, Struts, GWT, etc.?
* Do you want to consider commercial software or just free/open source
solutions?

So a java dev should be able to navigate the tree and then end up with
a set of (hopefully) one or more tools or libraries that they should
consider. And hopefully in time we can also provide more advice and
guidance as to which situations the tools/libraries work best in and
which problems they address (XSS, CSRF, etc.)

And we may find that at the end of some of the branches there are no
good solutions, in which case we should look at how we can provide
them, either by developing new tools or by extending existing ones.

I think this would be really useful, and something that we can
gradually build up over time.

Psiinon

>
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthias Rohr
> Sent: Wednesday, March 02, 2011 12:24 PM
> To: java-project at lists.owasp.org
> Cc: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] Restart of the OWASP Java Project
>
>
>
> Hi all,
>
> As some of you might already know, at this year's OWASP Summit I pitched in
> as new project leader for the OWASP Java Project. I was not that active in the
> last years in this project, so I'm sorry if I should have missed some discussions
> here. I will, however, do my best to really bring this project forward.
> First of all I must say that those who have worked on this project have
> done an absolutely great job! From my point of view, the vision for this
> page (if not already) should be to create the central landing page on the
> Web for all Java users (developers, architects & co.) interested in Web
> security.
>
> For this to work I'd suggest a few improvements and I'd love to hear any
> ideas you might have in mind as well!
>
> 1. Align the page with other Java-related OWASP projects like ESAPI,
> Webgoat, ASVS (including a new chapter:  "OWASP J2EE Related Projects")
> 2. Prioritize work on missing content
> 3. Implement a J2EE/Java EE Secure Coding Guideline based on ESAPI, ASVS
> and/or the Quick Reference Guide.
> 4. Set up a comparison of security aspects of web frameworks such as
> struts2, spring mvc, jsf, gwt, etc.
> 5. Set up a comparison of security aspects of templating technologies such
> as jsp, velocity, tiles, etc.
> 6. Should we use the term "Java EE" instead of "J2EE"?
>
> Lastly, I talked with Daniel Brzozowski, the project leader of the OWASP
> .NET Project. We both agreed that it would be highly valuable to try to
> implement the same structure in both projects. Therefore, I'd like to
> suggest integrating the following additional topics into the Java Project:
>
> 7.  J2EE Incidents
> 8.  OWASP J2EE Research
> 9.  OWASP Top10 for J2EE
>
> What do you think about these ideas? Any other input or ideas?
>
> - Matthias
>
> --
> Matthias Rohr
> OWASP Java Project Leader, http://www.owasp.org/index.php/OWASP_Java_Project
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>

