[Java-project] Fwd: [Owasp-leaders] Restart of the OWASP Java Project

psiinon psiinon at gmail.com
Fri Mar 4 08:08:12 EST 2011


Hi Matthias,

Not sure if I can supply a fully formed tree, but I'll try to find
some time to generate something that can be a starting point for
discussions :)

Psiinon

On Fri, Mar 4, 2011 at 12:36 PM, Matthias Rohr <matthias.rohr at owasp.org> wrote:
> Hi All,
>
> @Dave: Yes I totally agree with you...to some extent. My idea was not to
> build each of these suggested contents/topics on my own but to set up a
> general roadmap to collect and prioritize future work for this project. So
> that if I find a volunteer asking me what he can do, I can give him one of these
> packages to work on. I will not be able to do this all on my own but I will
> do my best to create a good foundation for this project.
>
> @Kris: This would be really helpful, unfortunately from my experience
> FindBugs and PMD do not have a very high coverage of J2EE flaws. But perhaps
> if someone likes to do something on SCA for Java we could integrate these as
> well as Fortify, Ounce and Veracode for that. I will come back to you
> regarding this ;)
>
> @psiinon: This is actually a great idea! To have something helping
> developers/users to navigate the security decisions would be something
> really helpful. I don't know how we could set it up practically.
> Is there a way to integrate a dynamic UML activity diagram into the wiki?
> Would you like to contribute such a tree, at least something we can
> discuss and build upon?
>
> Thanks for all your feedback!
>
> - Matthias
>
> 2011/3/4 psiinon <psiinon at gmail.com>
>>
>> Resending to this list as I wasn't subscribed before :)
>>
>>
>> ---------- Forwarded message ----------
>> From: psiinon <psiinon at gmail.com>
>> Date: Fri, Mar 4, 2011 at 9:57 AM
>> Subject: Re: [Owasp-leaders] Restart of the OWASP Java Project
>> To: matthias.rohr at owasp.org
>> Cc: java-project at lists.owasp.org, owasp-leaders at lists.owasp.org
>>
>>
>> Hi Matthias,
>>
>> I would really like to see as many java security tools and libraries
>> as possible reviewed, whether OWASP ones or not.
>>
>> But what I would _really_ like to see is a 'java security' decision
>> tree. I'll explain...
>> I think the key use case we should be trying to address is "I'm a java
>> developer and I want to use standard high quality security controls,
>> what should I use?"
>> I see this as a decision tree because right now I don't think there's a
>> single right answer.
>> But I think we can implement a simple decision tree using the wiki.
>> So the first question could be "Is this a new project or an existing one?"
>> Why? Because big frameworks like ESAPI could well be too much work to
>> introduce into a large existing project.
>> Other questions could be things like:
>> * "Are you using one of these frameworks: Spring, Struts, GWT etc etc?"
>> * "Do you want to consider commercial software or just free/open source
>> solutions?"
>>
>> So a java dev should be able to navigate the tree and then end up with
>> a set of (hopefully) one or more tools or libraries that they should
>> consider. And hopefully in time we can also provide more advice and
>> guidance as to which situations the tools/libraries work best in and
>> which problems they address (XSS, CSRF etc etc)
>>
>> And we may find that at the end of some of the branches there are no
>> good solutions, in which case we should look at how we can provide
>> them, either by developing new tools or by extending existing ones.
>>
>> I think this would be really useful, and something that we can
>> gradually build up over time.
>>
>> Psiinon
>>
>> >
>> > From: owasp-leaders-bounces at lists.owasp.org
>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthias
>> > Rohr
>> > Sent: Wednesday, March 02, 2011 12:24 PM
>> > To: java-project at lists.owasp.org
>> > Cc: owasp-leaders at lists.owasp.org
>> > Subject: [Owasp-leaders] Restart of the OWASP Java Project
>> >
>> >
>> >
>> > Hi all,
>> >
>> > As some of you might already know, at this year's OWASP Summit I pitched
>> > in as new project leader for the OWASP Java Project. I was not that active
>> > the last years in this project, so I'm sorry if I missed some
>> > discussions here. I will, however, do my best to really bring this project forward.
>> > First of all I must say, that those who have worked on this project have
>> > done an absolutely great job! From my point of view, the vision for
>> > this page (if not already) should be to create the central landing page on
>> > the Web for all Java users (developers, architects & co.) interested in Web
>> > security.
>> >
>> > For this to work I'd suggest a few improvements and I'd love to hear
>> > any ideas you might have in mind as well!
>> >
>> > 1. Align the page with other Java-related OWASP projects like ESAPI,
>> > Webgoat, ASVS (including a new chapter: "OWASP J2EE Related Projects")
>> > 2. Prioritize work on missing content
>> > 3. Implement a J2EE/Java EE Secure Coding Guideline based on ESAPI, ASVS
>> > and/or the Quick Reference Guide.
>> > 4. Set up a comparison of security aspects of web frameworks such as
>> > struts2, spring mvc, jsf, gwt, etc.
>> > 5. Set up a comparison of security aspects of templating technologies
>> > such as jsp, velocity, tiles, etc.
>> > 6. Should we use the term "Java EE" instead of "J2EE"?
>> >
>> > Lastly, I talked with Daniel Brzozowski, the project leader of the OWASP
>> > .NET Project. We both agreed, that it would be highly valuable, to try
>> > to implement the same structure in both projects. Therefore, I'd like to
>> > suggest to integrate the following additional topics into the Java
>> > Project:
>> >
>> > 7.  J2EE Incidents
>> > 8.  OWASP J2EE Research
>> > 9.  OWASP Top10 for J2EE
>> >
>> > What do you think about these ideas? Any other input or ideas?
>> >
>> > - Matthias
>> >
>> > --
>> > Matthias Rohr
>> > OWASP Java Project Leader,
>> > http://www.owasp.org/index.php/OWASP_Java_Project
>> >
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>> >
>> _______________________________________________
>> Java-project mailing list
>> Java-project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/java-project
>
>
>
> --
> Matthias Rohr
> OWASP Java Project Leader, http://www.owasp.org/index.php/OWASP_Java_Project
>
>
>

