[Esapi-user] Has anyone written a GUI to manage ESAPI configuration file settings?

Boberski, Michael [USA] boberski_michael at bah.com
Thu Feb 4 08:20:41 EST 2010


I'm up for continuing to discuss!

Cloud wouldn't work for me personally; my needs personally would be for something that works on a private network, that allows storage of e.g. the master secret and any keys locally.

Let me try to sketch a wizard type user interface in Visio; I find it easier for UI stuff to actually try to draw it out, since I can then scribble on it.

Best,

Mike B.


________________________________
From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Chris Schmidt
Sent: Thursday, February 04, 2010 1:07 AM
To: mike.boberski at gmail.com
Cc: ESAPI-Users
Subject: Re: [Esapi-user] Has anyone written a GUI to manage ESAPI configuration file settings?

I want to resurrect this thread...

I have been looking for a reason to do something with my google app engine account, and I think this is right along the lines of the type of app that could live and grow in the *cloud*.

So I would like to see what kinds of ideas people have around building this Enterprise Security Policy Manager. Here are my thoughts:

1. Rich Interface with lots of descriptive information about each step of the policy building lifecycle.

2. Portable format output (Importable by ESAPI implementations mainly, but with documentation for other vendors to process the data structure)
    > I still like JSON for this. I am not a fan of XML and find that the JSON format fits well into just about every language there is as a data exchange format

3. Private data (crypto) is not stored as part of the server stored configuration, however, it can be read from an existing configuration
    > If requested, this information can be generated at the final stages of configuration, just before the configuration is sent to the user

4. Access functionality of the configurator as a service (ReSTful)

5. Hosted ESAPI4JS implementations using the user's stored configuration
    > I would also like to engage the google team about adding ESAPI4JS to the Ajax Libraries API when it reaches a stable point

Basic Flow of Operation:

1. User signs into app using their google account

2. If existing configuration(s) are available for said user, allow them to update their current policies or create a new one
    > Policy should be tied to a unique URI

3. If no existing policy exists for the user, start a wizard interface:

    A: Basic Settings - General Meta-Information about the application
        > Application Name, Application URI, Application Platform, Policy Version (default start point is current date in dd.mm.yy-rev format)

    B: Component Selection - Allow the user to select which components of the ESAPI to use (Validation, Logging, Auth/AC, Crypto, etc.)

    C: Individual Component Configurations - Each component will have its own set of options
        > Also allow specification of contributed component implementations at this point.
        > For example, a user specifies that he wants to use the Logging Module, so present him with the option to use the Log4J or Commons-Logging implementation

    D: Security Policy Overview - Provide a summary of the security policy, broken down by component

    E: Save settings and Build a custom distribution with all required dependencies for the user's configuration


Any thoughts on this - and does anyone have cycles to aid in putting something like this together? I think it would go a long way towards making ESAPI adoption more widespread. The ability to build your policy, specific to your application, and include the ability to package a distribution for a specific application, similar to the way that you download a good share of the JavaScript libraries these days.




On Wed, Jan 27, 2010 at 6:20 PM, Mike Boberski <mike.boberski at gmail.com<mailto:mike.boberski at gmail.com>> wrote:
Exactly, yes, that's what I meant, like that. E.g. dragging an email square onto a validator circle, double clicking on the email square to tailor the default email regex, and then click submit and the ESAPI config file is saved and then available for export.

I don't know the particulars of others' experiences bringing ESAPI to development teams other than what I can glean from the lists, but I am finding that it's exactly analogous to bringing PKI toolkits (both COTS and customized) to development teams which I did for many years, for which there are many lessons learned which can be applied here, like putting a GUI on configuration editors, like taking the "extended factory" approach to wrap the heck out of things for specific customers, developing compliance tests etc., and (you guessed it) documentation, documentation, documentation.

</dream>, well-put.

Mike



On Wed, Jan 27, 2010 at 8:09 PM, Jeff Williams <jeff.williams at aspectsecurity.com<mailto:jeff.williams at aspectsecurity.com>> wrote:
I like this idea and think it would go a long way towards making ESAPI
easy to understand and use. Actually, it should really be an enterprise
security policy editor that saves to a format that ESAPI can read. I'm
thinking of wizards that present options so that people with authority
can make informed decisions about appsec. </dream>

--Jeff


-----Original Message-----
From: esapi-user-bounces at lists.owasp.org<mailto:esapi-user-bounces at lists.owasp.org>
[mailto:esapi-user-bounces at lists.owasp.org<mailto:esapi-user-bounces at lists.owasp.org>] On Behalf Of Boberski,
Michael [USA]
Sent: Monday, January 25, 2010 3:52 PM
To: Kevin W. Wall
Cc: ESAPI-Users
Subject: Re: [Esapi-user] Has anyone written a GUI to manage ESAPI configuration file settings?

Something more content aware, right.

Mike B.

-----Original Message-----
From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com<mailto:kevin.w.wall at gmail.com>]
Sent: Monday, January 25, 2010 3:50 PM
To: Boberski, Michael [USA]
Cc: ESAPI-Users
Subject: Re: [Esapi-user] Has anyone written a GUI to manage ESAPI configuration file settings?

Boberski, Michael [USA] wrote:
> Hi,
>
> Has anyone (1)written a GUI-based utility (either a heavy client or
> web-based) to manage ESAPI configuration files that (2)they might be
> interested in sharing?

Isn't there perhaps an Eclipse plugin for managing Java properties
files?

I know there are Eclipse plugins for managing XML. (E.g., the POM XML
editor.) Is that what you are thinking of or were you thinking that is
more context aware?

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org<mailto:Esapi-user at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/esapi-user






--
Chris Schmidt

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/

Yet Another Developers Blog
http://yet-another-dev.blogspot.com

Bio and Resume
http://www.digital-ritual.net/resume.html
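As an added example (not code from the ESAPI project or from anyone on this thread) of the split Chris proposes in item 3 and wizard steps A-C: the server-side copy of a policy holds no key material, and the master secret is either generated or copied from an existing configuration the user supplies only at the export step, just before the policy is handed back. The field names, the JSON layout and the key sizes are this example's own assumptions.

```python
"""Policy manager sketch: the stored copy carries no key material; secrets enter only at export."""
import base64
import json
import secrets
from datetime import date

# Fields the server must never persist (names assumed for this example).
CRYPTO_SECRET_FIELDS = ("master_key", "master_salt")

def default_policy_version(today=None):
    """Default start point from the thread: current date as dd.mm.yy-rev."""
    d = today or date.today()
    return d.strftime("%d.%m.%y") + "-1"

def build_policy(app_name, app_uri, platform, components, version=None):
    """Wizard steps A-C: meta-information, chosen components, their options."""
    return {
        "application": {"name": app_name, "uri": app_uri, "platform": platform},
        "policy_version": version or default_policy_version(),
        "components": components,
    }

def has_secrets(policy):
    """True if the crypto section still contains any private field."""
    crypto = policy.get("components", {}).get("crypto", {})
    return any(f in crypto for f in CRYPTO_SECRET_FIELDS)

def store_for_server(policy):
    """Strip private crypto data before the policy is persisted (item 3)."""
    stored = json.loads(json.dumps(policy))  # deep copy; caller's dict untouched
    crypto = stored.get("components", {}).get("crypto")
    if crypto:
        for field in CRYPTO_SECRET_FIELDS:
            crypto.pop(field, None)
    return stored

def export_for_user(stored_policy, existing_secrets=None, key_bytes=16):
    """Final stage: add fresh key material (or keys read from an existing
    configuration) to a copy of the stored policy, just before download.
    The returned dict is the portable JSON document once json.dumps'd."""
    policy = json.loads(json.dumps(stored_policy))
    crypto = policy.setdefault("components", {}).setdefault("crypto", {})
    crypto.update(existing_secrets or {
        "master_key": base64.b64encode(secrets.token_bytes(key_bytes)).decode(),
        "master_salt": base64.b64encode(secrets.token_bytes(20)).decode(),
    })
    return policy
```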
