JSF Security Presentation at OWASP Atlanta Wed Aug 9
Posted by David Chandler on August 8, 2006
Securing JavaServer Faces Applications Against the OWASP Top Ten Attacks
This is a preview of the talk I’ll be giving at ApacheCon US in October.
When: Wednesday August 9th 6:30pm – 8:00pm
Thoughtmill – MapQuest <http://www.mapquest.com/directions/main.adp?go=1&do=nw&rmm=1&un=m&cl=EN&ct=NA&rsres=1&1ahXX=&1y=US&1a=&1c=&1s=&1z=&2ahXX=&2y=US&2a=2520+Northwinds+Parkway%2C+Suite+300&2c=Alpharetta&2s=Ga&2z=30004>
Two Northwinds Center
2520 Northwinds Parkway, Suite 300
Alpharetta, GA 30004
This meeting is open to public and admission is free.
OWASP Atlanta – our mission as a local chapter of the Open Web Application Security Project is to help promote awareness and contributions to web application security.
Who Should Attend – anyone interested in Web Application Security (management, security architects, developers, etc)
Please RSVP for this event. Send email to cburkeinga “at” hotmail and also Register to OWASP Atlanta mailing list at: http://lists.sourceforge.net/lists/listinfo/owasp-atlanta/
Keynote Speaker: David Chandler
The JavaServer Faces (JSF) API is an excellent foundation for building
secure Web applications because of its component-oriented nature,
carefulness surrounding data validation, and numerous extension points.
Apache myFaces builds on this strength by providing components which
offer built-in protection against many of the OWASP Top Ten attacks
including form parameter tampering and cross-site scripting. In this
presentation, we’ll review how myFaces protects against these attacks
and move on to explore JSF extensions you can deploy to provide complete
protection against the OWASP Top Ten, including forced browsing,
information leakage in select boxes, and unauthorized method execution.
Specifically, we’ll look at centralized approaches to ensuring that
every field and form is properly validated, a phase listener and view
handler to prevent forced browsing and assist with detection of session
hijacking, a customer converter and component to hide sensitive
information such as IDs in menu options, and a JAAS permission checker
for component actions (event handler methods).
David Chandler is a Java Web Architect in Atlanta, GA, where he has been developing a next-generation platform for Internet banking applications. An electrical engineer by trade, Chandler got hooked on developing dynamic Web applications in 1994 and hasn’t looked back since. Having written Web applications in C, perl, ColdFusion, and Java, Chandler is a huge fan of tools like Hibernate and JSF that bring together the robustness and expressiveness of Java along with the speedy development that once belonged only to scripting languages. Chandler holds a patent on a method of organizing hierarchical data in a relational database and is the author of the best-selling Running a Perfect Web Site (Que, 1995).