Xpages and Security: Can an expert please help? OWASP and Xpages
As we've all been moving to more and more XPages applications, I'd like to raise the point of security.
We Domino people are not known to be attacked a lot, but I'd still like to know the following (as an admin who does some design work):
Now that XPages uses server-side Java, would it be possible to implement the OWASP ESAPI?
That is, for field validation and similar, to prevent XSS, XSRF and the other threats in the OWASP Top 10? Or would this be a non-issue for Domino as a web platform?
Enterprise Security API (ESAPI)
OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Our motto is NO GUTS NO GLORY!
How ESAPI Works
Read more about the ESAPI here.
3 comments
Comment from: Matt White [Visitor] · http://mattwhite.met
The thing you may be interested in is Active Content Filtering which is a feature of XPages in 8.5.1. Steve Castledine wrote a good article about it: http://www.stevecastledine.com/sc.nsf/dx/xpages-rich-text-filtering-custom-converters-all-in-one-post
03/04/10 @ 12:03
Thanks Matt! Interesting piece of reading!
03/04/10 @ 12:44
Comment from: Nathan T. Freeman [Visitor] · http://nathan.lotus911.com
Well, the first step of ESAPI is the implementation of a PKI infrastructure. Notes/Domino has had an integrated enterprise PKI since day one, although the browser-integration remains a pain to set up.
As far as validating and sanitizing inputs goes, there's a breathtaking degree of flexibility with Xpages. It does, at this point, need to be engaged on a field-by-field basis. It would definitely be interesting to design something that enforced this at an application level.
03/04/10 @ 14:24
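The question in the post and Nathan's point about field-by-field validation can be combined in a small managed bean, as an added example that is not code from the post or its commenters. It assumes the OWASP ESAPI 2.x jar and an ESAPI.properties (with its default `Validator.SafeString` pattern) are on the Domino JVM classpath, and that the bean is registered in faces-config.xml under the hypothetical name `safeText`.

```java
// Added example, not code from the post or its commenters. Assumes the OWASP
// ESAPI 2.x jar and an ESAPI.properties (default Validator.SafeString pattern)
// are on the Domino JVM classpath, and that this class is registered as a
// managed bean named "safeText" in faces-config.xml (hypothetical name).
package example;

import java.io.Serializable;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

/**
 * Called from server-side JavaScript in an XPage, e.g.
 *   safeText.encode(doc.getItemValueString("Subject"))
 * for output and
 *   safeText.validate("Subject", getComponent("subject").getValue(), 200)
 * before the value is written back to the document.
 */
public class SafeText implements Serializable {
    private static final long serialVersionUID = 1L;

    /** Output encoding: HTML-encodes untrusted text before it reaches the browser. */
    public String encode(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        return ESAPI.encoder().encodeForHTML(untrusted);
    }

    /**
     * Input validation: accepts the value only if it matches the SafeString
     * regex from ESAPI.properties and is at most maxLength characters.
     * Returns the canonicalized value, or null when the input is rejected,
     * so the caller can show a validation error instead of saving the field.
     */
    public String validate(String fieldName, String untrusted, int maxLength) {
        try {
            return ESAPI.validator().getValidInput(fieldName, untrusted, "SafeString", maxLength, false);
        } catch (ValidationException e) {
            // Reject loudly; a silent fallback would hide attempted injection.
            System.err.println("Rejected input for " + fieldName + ": " + e.getLogMessage());
            return null;
        }
    }
}
```

The `xp:text` control already HTML-escapes computed output by default; the encoder is for places where that escaping has been switched off or where text is assembled into markup by hand.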