[OWASP-ESAPI] ESAPI SecureStrings

Lievens, Ron ron.lievens at sogeti.nl
Thu Apr 2 03:59:05 EDT 2009


Hi,

 

In the web services we develop, we store credit-card information.

Most people will use Strings to store credit-card info and store an
encrypted version in the database.

 

But Strings in Java are immutable and are not deleted by the garbage
collection. (what's new)

So the credit-card information is only removed from memory when the web
service goes down:S

 

This problem is easily solved by using a char array instead of a String.

In .NET there is a SecureString object, which stores the string
encrypted in memory.

 

In my opinion is this feature missing from ESAPI.

If I were to implement this feature, how can I contribute this to ESAPI?

 

Please give me your ideas about this subject.

 

 

Greets,

 

Ron Lievens


Disclaimer:
This message contains information that may be privileged or confidential and is the property of Sogeti Nederland B.V. or its Group members. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090402/b9d90604/attachment-0001.html 


More information about the OWASP-ESAPI mailing list