Devise security with ESAPI in your application

The OWASP Enterprise Security API (ESAPI) Toolkits help software developers guard against security-related design and implementation flaws. Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers. Using an ESAPI Toolkit realizes cost savings through reduced development time, and the increased security due to using heavily analyzed and carefully designed security methods provide developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques. Available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc...) simply do not provide enough protection! ESAPI Toolkits are designed to automatically take care of many aspects of application security, making these issues invisible to the developers.
The use of the ESAPI will also make it much easier for static analysis tools to verify an application, by building ESAPI calls into static analysis tool rulesets.
It has been deveoped for various technologies like .NET, Java,PHP etc... Some are still good way from completion. The main idea behind the implementation of ESAPI is it gives you flexibility to use it against any language without caring about how they are receiving input and how they are filtreing it. Just use a method like ESAPI.endoeForHTML(input) and it will encode all the inputs taken by the application. The main difference between a normal encoding function and ESAPI encoding function is that the ESAPI functions are very well researched and carefully implemented .
For example,

methods for Authenticating a users are:

createUser(accountName, pass1, pass2)
generateStrongPassword()
getCurrentUser()
login(request, response)
logout()
verifyAccountNameStrength(acctName)
verifyPasswordStrength(newPass, oldPass)

Handling UesrAuthentication:



So,
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation

Reference:

Comments

Popular posts from this blog

SQL Injection in search field

Nipper Download