WebApp Sec: RE: Secure coding techniques

["Andrew van der Stock" <vanderaj () greebo net>]

I'm working on a new version of the OWASP Guide. It has reasonable guidance
on issues which affect most platforms, including J2EE. It will have J2EE
samples in it on how to mitigate these issues, but does not currently do so.


Jeff Williams and I were working on a J2EE Guide, but I feel that
potentially with the improved OWASP Guide, maybe this effort is not as
useful as it otherwise might be.

If you feel like you want to work on this, we have about 50 pages done on
that J2EE Guide. As long as you wish to contribute back to the OWASP
project, I'd be happy to send a copy your way (it's really rough!). If you
want it, I'll get you to talk to Jeff about becoming an author, so you can
update your project pages and check in new versions on SourceForge.

Thanks,
Andrew

> -----Original Message-----
> From: _kiss_ [mailto:smcsoc () yahoo es]
> Sent: Tuesday, 1 February 2005 8:51 AM
> To: 'webappsec () securityfocus com'
> Subject: Secure coding techniques
>
>
> Hi all,
>
> I am currently involved in a project that deals with defining a secure
> development policy for a development team.
> They are using Apache/Tomcat/Oracle with Java Servlets/JSP technology.
> I have found some documents about common issues (which I knew from
> previous audits), but I would like to know
> if there is currently a compendium of secure coding techniques in these
> programming languagues, I mean, a document
> that is more defense-centric than attack-centric.
>
> Hope you can help me. Thanks in advance.