This document provides an in-depth overview of the ESAPI (Enterprise Security API) architecture, focusing on existing enterprise security services and libraries. It covers key functionalities, including access control mechanisms, data validation, and handling of untrusted input/output. Key methods such as isAuthorizedForFunction(), isAuthorizedForData(), and various encoding and validation techniques are detailed. Additionally, this overview discusses intrusion detection, logging, cryptography, and methods for enhancing HTTP security, ensuring a comprehensive understanding of ESAPI's role in enterprise security frameworks.
ESAPI Pictures For Javadoc
Architecture Overview: Existing Enterprise Security Services/Libraries
Enforcing Access Control
Layered diagram: Presentation Layer, Controller, Business Functions, Data Layer; the User sits in front of the presentation layer, the Backend behind the data layer. Access decisions are driven by Roles.
Access checks placed across the layers: isAuthorizedForURL(), isAuthorizedForFunction(), isAuthorizedForData(), isAuthorizedForService(), isAuthorizedForFile()
Handling Authentication and Identity
Same layered diagram (Presentation Layer, Controller, Business Functions, Data Layer; User, Backend).
ESAPI components involved: Authentication, AccessControl, Logging, IntrusionDetection; identities come from a Users store.
Handling Direct Object References
Same layered diagram. Access Reference Map: getIndirectReference() when rendering a page, getDirectReference() when handling the request.
Direct references exposed in URLs versus their indirect replacements:
Report123.xls: http://app?file=Report123.xls becomes http://app?file=1
Acct:9182374: http://app?id=9182374 becomes http://app?id=7d3J93
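The two slides above (function/data checks and the Access Reference Map) fit together in one request handler. The following is an added example written against the ESAPI 2.x Java API, not code from the slides or from the ESAPI project itself. It assumes a servlet container, a function named "openReport" in the configured access control policy, and report file names as the direct references; the map is built per user session with only that user's reports.

```java
// Added example (not from the slides): ESAPI 2.x Java, combining the access
// checks of "Enforcing Access Control" with the Access Reference Map of
// "Handling Direct Object References".
// Assumed: servlet environment, a function "openReport" in the access control
// policy, report file names as direct references.
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

public class ReportController {
    private static final Logger log = ESAPI.getLogger(ReportController.class);

    // One map per user session. Only the reports this user may see are added,
    // so a token can never resolve to somebody else's report.
    private final AccessReferenceMap<String> refs;

    public ReportController(Set<Object> reportsVisibleToUser) {
        this.refs = new RandomAccessReferenceMap(reportsVisibleToUser);
    }

    // Build a link for a page: the URL carries a random indirect token
    // (http://app?id=7d3J93 on the slide), never Report123.xls itself.
    public String linkFor(String reportFile) throws EncodingException {
        String token = refs.getIndirectReference(reportFile);
        return "http://app?file=" + ESAPI.encoder().encodeForURL(token);
    }

    // Handle the click: function check, token resolution, then data check.
    public String open(HttpServletRequest request) throws AccessControlException {
        // Controller layer: may the current user call this function at all?
        ESAPI.accessController().assertAuthorizedForFunction("openReport");

        // Resolve the token. A guessed or tampered token is not in the map and
        // getDirectReference() throws AccessControlException instead of
        // returning a file name.
        String token = request.getParameter("file");
        String reportFile = refs.getDirectReference(token);

        // Data layer: a final per-object decision from the access controller.
        if (!ESAPI.accessController().isAuthorizedForData("read", reportFile)) {
            log.warning(Logger.SECURITY_FAILURE,
                    "Valid token but data check failed for " + reportFile);
            throw new AccessControlException("Access denied",
                    "isAuthorizedForData failed for report " + reportFile);
        }
        log.info(Logger.SECURITY_SUCCESS, "Report opened: " + reportFile);
        return reportFile;
    }
}
```

The map has to be created from the set of objects the user is entitled to, not from all objects in the system; the random token only hides the identifier, the authorisation still comes from what was put into the map and from the access controller.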
Decoding/Encoding Untrusted Data
Same layered diagram. Components: Encoding Engine, Decoding Engine, Validation Engine.
Codecs: HTML Entity Codec, Percent Codec, JavaScript Codec, VBScript Codec, CSS Codec, …
Encode for backend interpreters: encodeForSQL(), encodeForLDAP(), encodeForXML(), encodeForXPath(), encodeForOS()
Encode for the browser: encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForCSS(), encodeForURL()
Validating Untrusted Input/Output
Same layered diagram; the Validation Engine appears on both the user-facing side and the backend side.
Validate (user-facing side): getValidDate(), getValidCreditCard(), getValidInput(), getValidNumber(), …
Validate (backend side): getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine(), …
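The encoding and validation slides describe one pairing: validate on the way in, encode for the specific interpreter on the way out. The following added example, written against the ESAPI 2.x Java API and not taken from the slides or the ESAPI project, shows both halves for a comment form. It assumes the "SafeString" pattern key that ships in the default ESAPI.properties, and an Oracle database for the SQL encoding case.

```java
// Added example (not from the slides): ESAPI 2.x Java showing the
// validate-on-input / encode-on-output pairing of the two slides above.
// Assumed: "SafeString" is a validator pattern key in ESAPI.properties
// (present in the default file), and an Oracle database.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.codecs.OracleCodec;
import org.owasp.esapi.errors.ValidationException;

public class CommentHandler {
    private static final Logger log = ESAPI.getLogger(CommentHandler.class);

    // Holds validated values only; a rejected request never produces one.
    public static final class Comment {
        public final String author;
        public final double rating;
        Comment(String author, double rating) { this.author = author; this.rating = rating; }
    }

    // Input side: positive validation against a pattern and a numeric range.
    // ValidationException carries a user message and a separate log message,
    // and the validator also reports the failure to the intrusion detector.
    public Comment validate(String rawAuthor, String rawRating) {
        try {
            String author = ESAPI.validator().getValidInput(
                    "comment.author", rawAuthor, "SafeString", 64, false);
            Double rating = ESAPI.validator().getValidNumber(
                    "comment.rating", rawRating, 1, 5, false);
            return new Comment(author, rating);
        } catch (ValidationException e) {
            log.warning(Logger.SECURITY_FAILURE, e.getLogMessage(), e);
            return null;
        }
    }

    // Output side: one encoder per interpreter that will read the value.
    public String asHtmlText(Comment c) {
        return ESAPI.encoder().encodeForHTML(c.author);
    }
    public String asHtmlAttribute(Comment c) {
        return "title=\"" + ESAPI.encoder().encodeForHTMLAttribute(c.author) + "\"";
    }
    public String asJavaScript(Comment c) {
        return "var author = '" + ESAPI.encoder().encodeForJavaScript(c.author) + "';";
    }

    // Backend side. Parameterised queries are the first choice; encodeForSQL()
    // is for a legacy query that cannot be rewritten, and it needs the codec
    // of the exact database dialect in use.
    public String asOracleLiteral(Comment c) {
        return "'" + ESAPI.encoder().encodeForSQL(new OracleCodec(), c.author) + "'";
    }
}
```

The same validated string is encoded three different ways for three browser contexts; reusing encodeForHTML() inside a JavaScript string or an attribute is the common mistake this split is meant to prevent.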
Enhancing HTTP
Same layered diagram. HTTP Utilities sit at both the request and the response side.
Input Utilities: assertSecureRequest(), getCSRFToken(), getSafeFileUploads(), safeSendForward(), verifyCSRFToken(), …
Output Utilities: addCSRFToken(), changeSessionIdentifier(), safeSetContentType(), setNoCacheHeaders(), setRememberToken(), verifyCSRFToken(), …
Security Logging
Same layered diagram; the ESAPI Logger is available from every layer.
Logging levels: fatal(), error(), warning(), info(), debug(), trace(), …
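A servlet filter is the natural place to apply the HTTP utilities from the "Enhancing HTTP" slide and to emit the security log events from the "Security Logging" slide. The following is an added example against the ESAPI 2.x Java API, not code from the slides or the ESAPI project. The 1.4-era names on the slide (safeSendForward, safeSetContentType, getSafeFileUploads) are sendForward, setContentType and getFileUploads in 2.x. It assumes state-changing requests are not GET and carry the CSRF token that addCSRFToken() appends.

```java
// Added example (not from the slides): ESAPI 2.x Java servlet filter tying
// together the "Enhancing HTTP" and "Security Logging" slides.
// Assumed: state-changing requests use a method other than GET and carry
// the CSRF token that HTTPUtilities.addCSRFToken() appends to links.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.IntrusionException;

public class EsapiHttpFilter implements Filter {
    private static final Logger log = ESAPI.getLogger(EsapiHttpFilter.class);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Make request/response available to the thread-local ESAPI helpers
        // (getCSRFToken(), addCSRFToken(), setNoCacheHeaders() without args).
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            // Input utilities: refuse plain HTTP, then check the CSRF token
            // on anything that can change state.
            ESAPI.httpUtilities().assertSecureRequest(request);
            if (!"GET".equals(request.getMethod())) {
                ESAPI.httpUtilities().verifyCSRFToken(request);
            }
            // Output utilities: authenticated pages must not be cached.
            ESAPI.httpUtilities().setNoCacheHeaders(response);
            chain.doFilter(request, response);
            log.info(Logger.EVENT_SUCCESS, "Served " + request.getRequestURI());
        } catch (AccessControlException e) {
            // Thrown by assertSecureRequest(); the log message is kept separate
            // from the user message so internal detail never reaches the client.
            log.warning(Logger.SECURITY_FAILURE, e.getLogMessage(), e);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IntrusionException e) {
            // verifyCSRFToken() raises IntrusionException on a missing or wrong
            // token; the intrusion detector has already counted it for this user.
            log.error(Logger.SECURITY_FAILURE, e.getLogMessage(), e);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } finally {
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    // Put the token on a link so that the filter above accepts the click.
    public static String protectedLink(String href) {
        return ESAPI.httpUtilities().addCSRFToken(href);
    }
}
```

The ESAPI logger methods take an event type (SECURITY_SUCCESS, SECURITY_FAILURE, EVENT_SUCCESS, EVENT_FAILURE) before the message, which is what makes the resulting log searchable for security events rather than application noise.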
Detecting Intrusions
Same layered diagram. ESAPI components: Logging, IntrusionDetection, Authentication, with Tailorable Quotas per user (Users).
When a quota is exceeded: Log Intrusion Event; Logout User; Lock Account.
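The "tailorable quotas" on this slide are configured in ESAPI.properties and consumed by the intrusion detector when the application reports an event. The following added example is written against the ESAPI 2.x Java API and is not code from the slides or the ESAPI project. The three property keys named in the comment are real ESAPI keys; the event name "reportDownload" and the numbers are constructed for the example.

```java
// Added example (not from the slides): ESAPI 2.x Java. The quota lives in
// ESAPI.properties; the keys below are real, the event name and numbers
// are constructed for this example:
//
//   IntrusionDetector.event.reportDownload.count=20
//   IntrusionDetector.event.reportDownload.interval=60
//   IntrusionDetector.event.reportDownload.actions=log,logout,disable
//
// More than 20 events in 60 seconds for one user triggers the three actions
// drawn on the slide: Log Intrusion Event, Logout User, Lock Account.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.IntrusionException;

public class ReportDownloadService {
    private static final Logger log = ESAPI.getLogger(ReportDownloadService.class);

    // Returns true if the download may proceed. Each call counts one event
    // against the current user's quota for "reportDownload".
    public boolean recordAndCheck(String reportFile) {
        User user = ESAPI.authenticator().getCurrentUser();
        try {
            ESAPI.intrusionDetector().addEvent("reportDownload",
                    "download of " + reportFile);
        } catch (IntrusionException e) {
            // The interface declares IntrusionException; treat it as a denial.
            log.fatal(Logger.SECURITY_FAILURE, e.getLogMessage(), e);
            return false;
        }
        // The reference detector applies the configured actions itself
        // (logout, disable) rather than reporting back to the caller, so
        // check the user's state after the event has been counted.
        boolean stillAllowed = user.isLoggedIn() && user.isEnabled();
        if (!stillAllowed) {
            log.fatal(Logger.SECURITY_FAILURE,
                    "Download quota exceeded; account action taken for " + user.getAccountName());
        }
        return stillAllowed;
    }

    // Exceptions are quota events too: a caught ESAPI exception passed here
    // is counted under IntrusionDetector.<fully qualified exception class>.*
    public void reportException(Exception e) {
        ESAPI.intrusionDetector().addException(e);
    }
}
```

Quotas are meant for security-relevant events (failed validations, CSRF failures, access denials), so the count and interval should be set from what a legitimate user could plausibly do, not from average traffic.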
Basic Cryptography
Same layered diagram. Encryptor operations: encrypt() / decrypt(), hash(), seal() / unseal(), sign(), verifySeal(), verifySignature()
Encrypted Properties
Same layered diagram. Encrypted Properties are built on the Encryptor: new EncryptedProperties(), set() / get(); the values are persisted in an Encrypted Properties File.
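The Encryptor operations from the "Basic Cryptography" slide and the encrypted properties file from the slide above are shown together below. This is an added example against the ESAPI 2.x Java API, not code from the slides or the ESAPI project. In 2.x encrypt()/decrypt() work on PlainText/CipherText objects and seal() takes an absolute expiry timestamp; the example assumes Encryptor.MasterKey and Encryptor.MasterSalt are configured in ESAPI.properties, and the property name and file path are constructed.

```java
// Added example (not from the slides): ESAPI 2.x Java for the "Basic
// Cryptography" and "Encrypted Properties" slides.
// Assumed: Encryptor.MasterKey/MasterSalt are set in ESAPI.properties;
// the property name "db.password" and file paths are constructed.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncryptedProperties;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntegrityException;
import org.owasp.esapi.reference.crypto.ReferenceEncryptedProperties;

public class CryptoHelpers {

    // A time-limited token: the data is sealed (encrypted and integrity
    // protected) together with an absolute expiry timestamp.
    public static String issueResetToken(String accountName) throws IntegrityException {
        long expires = ESAPI.encryptor().getRelativeTimeStamp(15 * 60 * 1000L); // 15 minutes
        return ESAPI.encryptor().seal(accountName, expires);
    }

    // verifySeal() is the boolean check; unseal() throws EncryptionException
    // if the token was tampered with or has expired.
    public static String redeemResetToken(String token) throws EncryptionException {
        if (!ESAPI.encryptor().verifySeal(token)) {
            throw new EncryptionException("Invalid or expired token",
                    "verifySeal failed for reset token");
        }
        return ESAPI.encryptor().unseal(token);
    }

    // Symmetric encryption of a value at rest. The CipherText object carries
    // the IV and MAC, so the whole object is serialised, not just the bytes.
    public static byte[] protect(String secret) throws EncryptionException {
        CipherText ct = ESAPI.encryptor().encrypt(new PlainText(secret));
        return ct.asPortableSerializedByteArray();
    }

    public static String unprotect(byte[] stored) throws EncryptionException {
        CipherText ct = CipherText.fromPortableSerializedBytes(stored);
        PlainText pt = ESAPI.encryptor().decrypt(ct);
        return pt.toString();
    }

    // Salted hash and signature verification, both delegated to the Encryptor.
    public static String hashWithSalt(String value, String salt) throws EncryptionException {
        return ESAPI.encryptor().hash(value, salt);
    }

    public static boolean checkSigned(String data, String signature) {
        return ESAPI.encryptor().verifySignature(signature, data);
    }

    // Encrypted Properties: the file on disk holds encrypted values; the
    // application reads and writes plaintext through the Encryptor.
    public static String readDbPassword(String path) throws IOException, EncryptionException {
        EncryptedProperties props = new ReferenceEncryptedProperties();
        try (FileInputStream in = new FileInputStream(path)) {
            props.load(in);
        }
        return props.getProperty("db.password");
    }

    public static void writeDbPassword(String path, String password)
            throws IOException, EncryptionException {
        EncryptedProperties props = new ReferenceEncryptedProperties();
        props.setProperty("db.password", password);
        try (FileOutputStream out = new FileOutputStream(path)) {
            props.store(out, "constructed example");
        }
    }
}
```

The encrypted properties file only moves the secret: it is protected by the master key in ESAPI.properties, so that file needs the same file-system protection the plaintext password would have needed.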
Safe OS Command Execution
Same layered diagram. Executor: executeSystemCommand()
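The Executor behind executeSystemCommand() only runs binaries on an allow-list in ESAPI.properties and encodes every argument with the OS codec before the process starts. The following added example is written against the ESAPI 2.x Java API and is not code from the slides or the ESAPI project; the two property keys in the comment are real, the binary, working directory and extension list are constructed for the example.

```java
// Added example (not from the slides): ESAPI 2.x Java. The Executor only
// runs binaries listed in ESAPI.properties (real keys, constructed values):
//
//   Executor.WorkingDirectory=/tmp
//   Executor.ApprovedExecutables=/usr/bin/pdftotext
//
// Arguments are passed as a list, never as one shell string, and the
// executor encodes each one with the configured OS codec.
import java.io.File;
import java.util.Arrays;
import java.util.List;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ExecuteResult;
import org.owasp.esapi.errors.ExecutorException;
import org.owasp.esapi.errors.ValidationException;

public class PdfTextExtractor {
    private static final File PDFTOTEXT = new File("/usr/bin/pdftotext");

    // The user-controlled part is a file name: validate it against an
    // extension allow-list first, then pass it as a discrete argument.
    public static String extract(String untrustedFileName)
            throws ValidationException, ExecutorException {
        String safeName = ESAPI.validator().getValidFileName(
                "pdf.filename", untrustedFileName, Arrays.asList(".pdf"), false);

        List<String> args = Arrays.asList(safeName, "-"); // "-" writes the text to stdout
        ExecuteResult result = ESAPI.executor().executeSystemCommand(PDFTOTEXT, args);

        if (result.getExitValue() != 0) {
            throw new ExecutorException("Conversion failed",
                    "pdftotext exit " + result.getExitValue() + ": " + result.getErrors());
        }
        return result.getOutput();
    }
}
```

executeSystemCommand() throws ExecutorException when the executable is not on the approved list or its canonical path differs from the one given, so a misconfigured allow-list fails closed rather than running an unexpected binary.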