[OWASP-ESAPI] ESAPI SecureStrings

Jim Manico jim.manico at owasp.org
Thu Apr 2 04:03:34 EDT 2009


If someone is able to read the RAM on your Java server, then they can get password information, all submitted data as it comes in, everything. It's game over long before they steal your credit card info from your server's RAM.

- Jim
  ----- Original Message ----- 
  From: Lievens, Ron 
  To: owasp-esapi at lists.owasp.org 
  Sent: Wednesday, April 01, 2009 9:59 PM
  Subject: [OWASP-ESAPI] ESAPI SecureStrings


  Hi,

  In the web services we develop, we store credit-card information.

  Most people will use Strings to store credit-card info and store an encrypted version in the database.

  But Strings in Java are immutable and are not deleted by garbage collection. (what's new)

  So the credit-card information is only removed from memory when the web service goes down :S

  This problem is easily solved by using a char array instead of a String.

  In .NET there is a SecureString object, which stores the string encrypted in memory.

  In my opinion this feature is missing from ESAPI.

  If I were to implement this feature, how can I contribute it to ESAPI?

  Please give me your ideas about this subject.

  Greets,

  Ron Lievens





------------------------------------------------------------------------------


  _______________________________________________
  OWASP-ESAPI mailing list
  OWASP-ESAPI at lists.owasp.org
  https://lists.owasp.org/mailman/listinfo/owasp-esapi
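Ron's char-array suggestion, worked through as an added example (this is not ESAPI code and did not appear in the thread): a small SecureString-style holder that zeroes its buffer when closed and refuses use after that. The class and method names are hypothetical and the card number is a constructed sample; the comments also carry the caveats Jim's reply points at, namely that wiping a live array does not remove copies the GC or the servlet container already made.

```java
import java.util.Arrays;

// Added example, not ESAPI code: a minimal SecureString-style holder for Java
// built on a char[] that is zeroed when it goes out of scope. Class and method
// names are hypothetical. Unlike .NET's SecureString it does not encrypt the
// buffer; it only shortens how long the plaintext lives on the heap.
public final class WipeableChars implements AutoCloseable {
    private char[] chars;

    public WipeableChars(char[] source) {
        // Keep a private copy so the caller's array can be wiped independently.
        this.chars = source.clone();
    }

    public int length() {
        ensureOpen();
        return chars.length;
    }

    public char charAt(int index) {
        ensureOpen();
        return chars[index];
    }
    // Deliberately no toString(): new String(chars) would recreate the
    // immutable copy the char[] approach is meant to avoid.

    private void ensureOpen() {
        if (chars == null) {
            throw new IllegalStateException("secret already wiped");
        }
    }

    @Override
    public void close() {
        if (chars != null) {
            Arrays.fill(chars, '\0'); // overwrite in place, then drop the reference
            chars = null;             // a second close() is a harmless no-op
        }
    }

    public static void main(String[] args) {
        // Constructed sample PAN. An array initializer compiles to store
        // instructions, so unlike "4111..." no String lands in the constant pool.
        char[] pan = {'4','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1'};
        try (WipeableChars secret = new WipeableChars(pan)) {
            Arrays.fill(pan, '\0');          // wipe the original once copied
            System.out.println("digits: " + secret.length());
        }                                    // close() wipes the private copy here
        // Caveat: a copying GC may already have moved the array, leaving stale copies
        // on the heap, and a request parameter has already arrived as a String anyway.
    }
}
```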