OWASP Enterprise Security API (ESAPI) Toolkit
Strong, simple security controls

Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform, for example, certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) so that they can protect themselves from attackers.

Top new features and enhancements

There are Java EE, .NET, Classic ASP, ColdFusion/CFML, PHP, and Python language versions.

The ESAPI for Java EE version includes a Web Application Firewall (WAF) that can be used to give development teams breathing room while making fixes.

All language versions of the ESAPI Toolkits are licensed under the BSD license, which is very permissive and about as close to public domain as is possible. You can use or modify ESAPI however you want, even include it in commercial products.

http://www.owasp.org

Don't write your own security controls!

Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes. The OWASP Enterprise Security API (ESAPI) Toolkits help software developers guard against security-related design and implementation flaws. The ESAPI Toolkit architecture is very simple – a collection of classes that encapsulate the key security operations most applications need. ESAPI is designed to make it easy to retrofit security into existing applications, as well as providing a solid foundation for new development.

Plan and prepare, don't react…

Security testing, code reviews, penetration testing and architecture reviews are not ends in themselves. Unless architects and developers are prepared to make fixes, and to guard against vulnerabilities in the first place, the results of security-focused testing and analysis fall on deaf ears. The emphasis needs to be on adding strong, simple security controls into YOUR solution stack, and on training your architects and developers to use them from the start, BEFORE undergoing security testing, code reviews, penetration testing and architecture reviews.

How ESAPI works

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control. There is no proprietary information or logic contained in these interfaces.

There is a reference implementation for each security control. The logic is neither organization-specific nor application-specific, and there is no proprietary information or logic contained in these reference implementation classes. An example: string-based input validation.

Optionally, there are your own implementations for each security control. These classes may contain application logic, and may contain proprietary information or logic, developed by or for your organization. An example: enterprise authentication.

Related OWASP projects

Learn about the most common web application vulnerabilities: OWASP Top Ten

What security teams will be testing for after you integrate ESAPI: OWASP Application Security Verification Standard (ASVS)

What you can do to help ensure that security is being built in, in the first place: OWASP Legal Project

Security controls that are included

There are reference implementations for each of the following security controls:

Authentication
Access control
Input validation
Output encoding/escaping
Cryptography
Error handling and logging
Communication security
HTTP security
Security configuration

How it works out of the box, from a developer's perspective

Calling security controls is easy! The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record). Below is an example of how input validation and output escaping can be done to guard against SQL injection:
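The flyer's own code sample is missing from this page, so the following is an added Java example (not the flyer's or the ESAPI project's own code) of the locator pattern described above: validate input through ESAPI.validator(), escape it for SQL through ESAPI.encoder(), and log rejections through the ESAPI Logger. It assumes ESAPI 2.x for Java on the classpath with an ESAPI.properties file that defines a hypothetical Validator.AccountName rule; the class and method names are made up for the illustration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.codecs.MySQLCodec;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/** Account lookup that reaches every control through the ESAPI locator class. */
public class AccountLookup {

    // Hypothetical validation rule name (not from the flyer). getValidInput() resolves it
    // from ESAPI.properties, e.g.  Validator.AccountName=^[a-zA-Z0-9_]{3,32}$
    private static final String ACCOUNT_NAME_RULE = "AccountName";

    private static final Logger LOG = ESAPI.getLogger("AccountLookup");

    /**
     * Returns the lookup query for an untrusted account name, or null when the
     * input is rejected. It returns the SQL text instead of running it so the
     * example stays self-contained.
     */
    public static String buildLookupQuery(String untrustedName) {
        String name;
        try {
            // Security check: ESAPI.validator() returns the singleton Validator; the input must
            // match the whitelist rule, be at most 32 chars, and may not be null. Malformed input
            // raises ValidationException; input that looks like an attack raises IntrusionException.
            name = ESAPI.validator().getValidInput("lookupAccount", untrustedName, ACCOUNT_NAME_RULE, 32, false);
        } catch (ValidationException | IntrusionException e) {
            // Security effect: write an audit record via the ESAPI Logger, then fail closed.
            LOG.warning(Logger.SECURITY_FAILURE, "Rejected account name for lookupAccount", e);
            return null;
        }

        // Output escaping for the SQL interpreter: ESAPI.encoder() returns the singleton Encoder.
        // A PreparedStatement with bind parameters is the stronger defence; encodeForSQL() is the
        // fallback for legacy code that has to concatenate SQL text.
        String safeName = ESAPI.encoder().encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD), name);
        return "SELECT id, balance FROM accounts WHERE name = '" + safeName + "'";
    }

    public static void main(String[] args) {
        System.out.println(buildLookupQuery("alice_01"));  // validated and escaped name in the query
        System.out.println(buildLookupQuery("bad name!")); // null: space and '!' fail the whitelist rule
    }
}
```

Each call follows the same shape the flyer describes: the locator hands back the singleton control, and the control either performs a check (validation) or produces a security effect (the audit record on rejection).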