[Esapi-user] Has anyone written a GUI to manage ESAPI configuration file settings?

Chris Schmidt chrisisbeef at gmail.com
Thu Feb 4 01:06:55 EST 2010


I want to resurrect this thread...

I have been looking for a reason to do something with my google app engine
account, and I think this is right along the lines of the type of app that
could live and grow in the *cloud*

So I would like to see what kinds of ideas people have around building this
Enterprise Security Policy Manager. Here are my thoughts:

1. Rich Interface with lots of descriptive information about each step of
the policy building lifecycle.

2. Portable format output (Importable by ESAPI implementations mainly, but
with documentation for other vendors to process the data structure)
    > I still like JSON for this. I am not a fan of XML and find that the
JSON format fits well into just about every language there is as a data
exchange format

3. Private data (crypto) is not stored as part of the server-stored
configuration; however, it can be read from an existing configuration
    > If requested, this information can be generated at the final stages of
configuration, just before the configuration is sent to the user

4. Access functionality of the configurator as a service (RESTful)

5. Hosted ESAPI4JS implementations using the user's stored configuration
    > I would also like to engage the Google team about adding ESAPI4JS to
the Ajax Libraries API when it reaches a stable point.

Basic Flow of Operation:

1. User signs into app using their google account

2. If existing configuration(s) are available for said user, allow them to
update their current policies or create a new one
    > Policy should be tied to a unique URI

3. If no existing policy exists for the user, start a wizard interface:

    A: Basic Settings - General Meta-Information about the application
        > Application Name, Application URI, Application Platform, Policy
Version (default start point is current date in dd.mm.yy-rev format)

    B: Component Selection - Allow the user to select which components of
the ESAPI to use (Validation, Logging, Auth/AC, Crypto, etc.)

    C: Individual Component Configurations - Each component will have its
own set of options
        > Also allow specification of contributed component implementations
at this point.
        > For example, a user specifies that he wants to use the Logging
Module, so present him with the option to use the Log4J or Commons-Logging
implementation

    D: Security Policy Overview - Provide a summary of the security policy,
broken down by component

    E: Save settings and build a custom distribution with all required
dependencies for the user's configuration


Any thoughts on this - and does anyone have cycles to aid in putting
something like this together? I think it would go a long way towards making
ESAPI adoption more widespread. The ability to build your policy, specific
to your application, and include the ability to package a distribution for a
specific application, similar to the way that you download a good share of
the JavaScript libraries these days.




On Wed, Jan 27, 2010 at 6:20 PM, Mike Boberski <mike.boberski at gmail.com> wrote:

> Exactly, yes, that's what I meant, like that. E.g. dragging an email square
> onto a validator circle, double clicking on the email square to tailor the
> default email regex, and then click submit and the ESAPI config file is
> saved and then available for export.
>
> I don't know the particulars of others' experiences bringing ESAPI to
> development teams other than what I can glean from the lists, but I am
> finding that it's exactly analogous to bringing PKI toolkits (both COTS and
> customized) to development teams which I did for many years, for which there
> are many lessons learned which can be applied here, like putting a GUI on
> configuration editors, like taking the "extended factory" approach to wrap
> the heck out of things for specific customers, developing compliance tests
> etc., and (you guessed it) documentation, documentation, documentation.
>
> </dream>, well-put.
>
> Mike
>
>
>
> On Wed, Jan 27, 2010 at 8:09 PM, Jeff Williams <
> jeff.williams at aspectsecurity.com> wrote:
>
>> I like this idea and think it would go a long way towards making ESAPI
>> easy to understand and use. Actually, it should really be an enterprise
>> security policy editor that saves to a format that ESAPI can read. I'm
>> thinking of wizards that present options so that people with authority
>> can make informed decisions about appsec. </dream>
>>
>> --Jeff
>>
>>
>> -----Original Message-----
>> From: esapi-user-bounces at lists.owasp.org
>> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Boberski,
>> Michael [USA]
>> Sent: Monday, January 25, 2010 3:52 PM
>> To: Kevin W. Wall
>> Cc: ESAPI-Users
>> Subject: Re: [Esapi-user] Has anyone written a GUI to manage ESAPI
>> configuration file settings?
>>
>> Something more content aware, right.
>>
>> Mike B.
>>
>> -----Original Message-----
>> From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
>> Sent: Monday, January 25, 2010 3:50 PM
>> To: Boberski, Michael [USA]
>> Cc: ESAPI-Users
>> Subject: Re: [Esapi-user] Has anyone written a GUI to manage ESAPI
>> configuration file settings?
>>
>> Boberski, Michael [USA] wrote:
>> > Hi,
>> >
>> > Has anyone (1) written a GUI-based utility (either a heavy client or
>> web-based) to manage ESAPI configuration files that (2) they might be
>> interested in sharing?
>>
>> Isn't there perhaps an Eclipse plugin for managing Java properties
>> files?
>>
>> I know there are Eclipse plugins for managing XML. (E.g., the POM XML
>> editor.) Is that what you are thinking of, or were you thinking of something
>> that is more context aware?
>>
>> -kevin
>> --
>> Kevin W. Wall
>> "The most likely way for the world to be destroyed, most experts agree,
>> is by accident. That's where we come in; we're computer professionals.
>> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>
>
>
>
>


-- 
Chris Schmidt

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/

Yet Another Developers Blog
http://yet-another-dev.blogspot.com

Bio and Resume
http://www.digital-ritual.net/resume.html
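As an added example (not code from this thread, from ESAPI, or from any real configurator), the following Python sketch shows points 2 and 3 of the proposal above: a JSON policy document the hosted service keeps for a user, a save-path check that refuses to persist key material, an export step that generates the master key and salt only in the copy handed to the user, and an import step that strips secrets out of an uploaded configuration before it is stored. The JSON layout, the sample policy and every function name are assumptions; the only ESAPI names reused are the Encryptor.MasterKey and Encryptor.MasterSalt property names from ESAPI.properties.

```python
"""Policy document handling for a hosted ESAPI configurator (added example).

The JSON layout, sample values and function names are assumptions for
illustration. The property names Encryptor.MasterKey and Encryptor.MasterSalt
are the ones used in ESAPI.properties.
"""
import base64
import copy
import json
import secrets

# Property names (Component.key) that the service must never persist.
SECRET_PROPERTIES = {"Encryptor.MasterKey", "Encryptor.MasterSalt"}

# Constructed sample of what the service stores for one user: the wizard's
# "Basic Settings" meta-information plus per-component options. No key material.
STORED_POLICY = {
    "application": {
        "name": "example-app",
        "uri": "https://example.invalid/app",   # policy URI, constructed value
        "platform": "java",
        "policyVersion": "04.02.10-1",          # dd.mm.yy-rev, as proposed
    },
    "components": {
        "Validator": {
            "enabled": True,
            "patterns": {"Email": r"^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$"},
        },
        "Logger": {"enabled": True, "implementation": "log4j"},
        "Encryptor": {"enabled": True, "cipher": "AES", "keyLength": 128},
    },
}


def secret_properties_in(policy):
    """Return the sorted 'Component.key' names of secret properties present in a policy."""
    found = []
    for component, options in policy.get("components", {}).items():
        for key in options:
            name = f"{component}.{key}"
            if name in SECRET_PROPERTIES:
                found.append(name)
    return sorted(found)


def validate_for_storage(policy):
    """Gate on the save path: refuse to persist a policy that carries key material."""
    leaked = secret_properties_in(policy)
    if leaked:
        raise ValueError("refusing to store secret properties: " + ", ".join(leaked))
    return True


def export_policy(policy, include_secrets=False):
    """Serialise a stored policy for download.

    With include_secrets=True a fresh master key and salt are generated here,
    at export time, so they exist only in the copy sent to the user and never
    in the server-stored document.
    """
    validate_for_storage(policy)
    out = copy.deepcopy(policy)
    encryptor = out["components"].get("Encryptor", {})
    if include_secrets and encryptor.get("enabled"):
        key_bytes = encryptor.get("keyLength", 128) // 8
        encryptor["MasterKey"] = base64.b64encode(secrets.token_bytes(key_bytes)).decode()
        encryptor["MasterSalt"] = base64.b64encode(secrets.token_bytes(20)).decode()
    return json.dumps(out, indent=2, sort_keys=True)


def import_for_storage(json_text):
    """Load a user-supplied policy (which may carry secrets) and strip them before storage.

    Returns (storable_policy, names_of_stripped_properties).
    """
    policy = json.loads(json_text)
    stripped = secret_properties_in(policy)
    for name in stripped:
        component, key = name.split(".", 1)
        del policy["components"][component][key]
    validate_for_storage(policy)
    return policy, stripped


if __name__ == "__main__":
    # The downloaded copy carries freshly generated key material; the stored
    # policy does not, and round-tripping it through import strips it again.
    downloaded = export_policy(STORED_POLICY, include_secrets=True)
    print(downloaded)
    print("stripped on re-import:", import_for_storage(downloaded)[1])
```

The point of the split is that the service's persistence layer only ever sees the policy after `validate_for_storage`, so a bug elsewhere in the app cannot quietly turn the hosted policy store into a store of every customer's master key; key generation is a per-download side effect, not state.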