[Java-project] Fwd: [Owasp-leaders] Restart of the OWASP Java Project

Matthias Rohr matthias.rohr at owasp.org
Fri Mar 4 07:36:42 EST 2011


Hi All,

@Dave: Yes I totally agree with you...to some extent. My idea was not to
build each of these suggested contents/topics on my own but to set up a
general roadmap to collect and prioritize future work for this project. So
that if I find a volunteer asking me what they can do, I can give them one of these
packages to work on. I will not be able to do this all on my own but I will
do my best to create a good foundation for this project.

@Kris: This would be really helpful, unfortunately from my experience
FindBugs and PMD do not have a very high coverage of J2EE flaws. But perhaps
if someone likes to do something on SCA for Java we could integrate these as
well as Fortify, Ounce and Veracode for that. I will come back to you
regarding this ;)

@psiinon: This is actually a great idea! To have something helping
developers/users to navigate the security decisions would be something
really helpful. I don't know how we could practically set it up.
Is there a way to integrate a dynamic UML activity diagram into the wiki?
Would you like to contribute such a tree, at least something we can
discuss and build upon?

Thanks for all your feedback!

- Matthias

2011/3/4 psiinon <psiinon at gmail.com>

> Resending to this list as I wasn't subscribed before :)
>
>
> ---------- Forwarded message ----------
> From: psiinon <psiinon at gmail.com>
> Date: Fri, Mar 4, 2011 at 9:57 AM
> Subject: Re: [Owasp-leaders] Restart of the OWASP Java Project
> To: matthias.rohr at owasp.org
> Cc: java-project at lists.owasp.org, owasp-leaders at lists.owasp.org
>
>
> Hi Matthias,
>
> I would really like to see as many java security tools and libraries
> as possible reviewed, whether OWASP ones or not.
>
> But what I would _really_ like to see is a 'java security' decision
> tree. I'll explain...
> I think the key use case we should be trying to address is "I'm a java
> developer and I want to use standard high quality security controls,
> what should I use?"
> I see this as a decision tree because right now I don't think there's a
> single right answer.
> But I think we can implement a simple decision tree using the wiki.
> So the first question could be "Is this a new project or an existing one?"
> Why? Because big frameworks like ESAPI could well be too much work to
> introduce into a large existing project.
> Other questions could be things like:
> * "Are you using one of these frameworks: Spring, Struts, GWT etc etc?"
> * Do you want to consider commercial software or just free/open source
> solutions?
>
> So a java dev should be able to navigate the tree and then end up with
> a set of (hopefully) one or more tools or libraries that they should
> consider. And hopefully in time we can also provide more advice and
> guidance as to which situations the tools/libraries work best and
> which problems they address (XSS, CSRF etc etc)
>
> And we may find that at the end of some of the branches there are no
> good solutions, in which case we should look at how we can provide
> them, either by developing new tools or by extending existing ones.
>
> I think this would be really useful, and something that we can
> gradually build up over time.
>
> Psiinon
>
> >
> > From: owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthias Rohr
> > Sent: Wednesday, March 02, 2011 12:24 PM
> > To: java-project at lists.owasp.org
> > Cc: owasp-leaders at lists.owasp.org
> > Subject: [Owasp-leaders] Restart of the OWASP Java Project
> >
> >
> >
> > Hi all,
> >
> > As some of you might already know, at this year's OWASP Summit I pitched in
> > as new project leader for the OWASP Java Project. I was not that active the
> > last years in this project, so I'm sorry if I should have missed some discussions
> > here. I will, however, do my best to really bring this project forward.
> > First of all I must say that those who have worked on this project have
> > done an absolutely great job! From my point of view, the vision for this
> > page (if not already) should be to create the central landing page on the
> > Web for all Java users (developers, architects & co.) interested in Web
> > security.
> >
> > For this to work I'd suggest a few improvements and I'd love to hear any
> > ideas you might have in mind as well!
> >
> > 1. Align the page with other Java-related OWASP projects like ESAPI,
> > Webgoat, ASVS (including a new chapter: "OWASP J2EE Related Projects")
> > 2. Prioritize work on missing content
> > 3. Implement a J2EE/Java EE Secure Coding Guideline based on ESAPI, ASVS
> > and/or the Quick Reference Guide.
> > 4. Set up a comparison of security aspects of web frameworks such as
> > struts2, spring mvc, jsf, gwt, etc.
> > 5. Set up a comparison of security aspects of templating technologies such
> > as jsp, velocity, tiles, etc.
> > 6. Should we use the term "Java EE" instead of "J2EE"?
> >
> > Lastly, I talked with Daniel Brzozowski, the project leader of the OWASP
> > .NET Project. We both agreed that it would be highly valuable to try to
> > implement the same structure in both projects. Therefore, I'd like to
> > suggest integrating the following additional topics into the Java Project:
> >
> > 7.  J2EE Incidents
> > 8.  OWASP J2EE Research
> > 9.  OWASP Top10 for J2EE
> >
> > What do you think about these ideas? Any other input or ideas?
> >
> > - Matthias
> >
> > --
> > Matthias Rohr
> > OWASP Java Project Leader, http://www.owasp.org/index.php/OWASP_Java_Project



-- 
Matthias Rohr
OWASP Java Project Leader, http://www.owasp.org/index.php/OWASP_Java_Project