Jim Manico jim.manico at owasp.org
Thu Apr 2 04:03:34 EDT 2009

If someone is able to read the RAM on your Java server, then they can get password information, all submitted data as it comes in, everything. It's game over long before they steal your credit card info from your server's RAM.

- Jim
  ----- Original Message ----- 
  From: Lievens, Ron 
  To: owasp-esapi at lists.owasp.org 
  Sent: Wednesday, April 01, 2009 9:59 PM
  Subject: [OWASP-ESAPI] ESAPI SecureStrings
  In the web services we develop, we store credit-card information.

  Most people will use Strings to store credit-card info and store an encrypted version in the database.


  But Strings in Java are immutable and are not deleted by the garbage collection. (what's new)

  So the credit-card information is only removed from memory when the web service goes down:S


  This problem is easily solved by using a char array instead of a String.

  In .NET there is a SecureString object, which stores the string encrypted in memory.


  In my opinion this feature is missing from ESAPI.

  If I were to implement this feature, how can I contribute this to ESAPI?


  Please give me your ideas about this subject.





  Ron Lievens



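The char[] approach Ron describes, worked through as an added example (this is not ESAPI code and not from either poster; the class name ZeroableSecret and its methods are assumed names): the card number is kept only in a char[], checked without ever creating a String, and overwritten in place when it is no longer needed.

```java
import java.util.Arrays;

/** Holds a card number in a char[] that is overwritten once it is no longer needed. */
public final class ZeroableSecret implements AutoCloseable {
    private final char[] value;

    public ZeroableSecret(char[] value) {
        this.value = value.clone();  // private copy; the caller wipes its own array
    }

    /** Luhn check computed directly on the char[]; no String copy is created. */
    public boolean passesLuhn() {
        int sum = 0;
        boolean doubleIt = false;
        for (int i = value.length - 1; i >= 0; i--) {
            int d = value[i] - '0';
            if (d < 0 || d > 9) return false;        // non-digit: reject
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return value.length > 0 && sum % 10 == 0;
    }

    /** Overwrites the digits in place; after this the object holds only NULs. */
    @Override
    public void close() {
        Arrays.fill(value, '\0');
    }

    /** True once close() has run; lets the caller assert that the wipe happened. */
    public boolean isWiped() {
        for (char c : value) if (c != '\0') return false;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: a Luhn-valid test number (4111 1111 1111 1111), built as
        // a char[] literal so that no String containing it ever exists in this demo.
        char[] pan = {'4','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1'};
        ZeroableSecret secret = new ZeroableSecret(pan);
        try {
            System.out.println("Luhn valid: " + secret.passesLuhn());
            // Anti-pattern: new String(pan) would create an immutable copy that cannot be wiped.
        } finally {
            secret.close();          // wipe the private copy
            Arrays.fill(pan, '\0');  // and the caller's own array
            System.out.println("Wiped: " + secret.isWiped());
        }
    }
}
```

The wipe only helps if the digits arrive as chars in the first place: if the request layer has already materialised them in a String, that copy stays in the heap regardless of what this class does.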