Need to Add Protection to Java Web Application. Where to start?
I work on a web application, written in Java and JSF, that needs to add cross site scripting, cross site request forgery, SQL injection protection etc. How do I get started here? Are there free HP products I can integrate into our solution?
- CSRF - OWASP CSRFGuard
- XSS - OWASP Stinger or Java Struts for input validation and OWASP Java Encoder Project for output encoding. (always check both directions!)
- SQLi - Hibernate
HP Fortify has a number of tools for runtime, static and dynamic testing of Java applications that offer free trials you can use.
- HP Fortify on Demand (FoD) - Free Trial - is a dynamic SaaS testing solution service that enables organizations to quickly test the application security of a few applications or launch a comprehensive security program without additional investment in software and personnel - Managed Application Security Testing Services, Fortify on Demand | HP® Official Site
- HP Application Defender - Free Trial - enables security teams to be confident that Java and .NET applications are running safely in production and not presenting any threat to business assets - Runtime Application Self-Protection, Application Defender | HP® Official Site
- HP ArcSight Application View - Free Trial - combines Fortify runtime analysis and application monitoring from ArcSight ESM. Experience for yourself how its threat intelligence feeds help you defend your applications and data against threats that might otherwise fly under your radar - Free HP ArcSight Application View Trial | HP® Official Site
I saw "...that needs to add cross site scripting, cross site request forgery, SQL injection protection etc...." and we offer free trials of application protection at runtime using App Defender and AppView. My apologies, Patrick, if I misread your question about "HP products" that can integrate into your solution. We have free trials but nothing free for continual use.
Thanks for the information guys! Actually I'm looking for both; software to integrate into our solution to beef up security and testing tools to verify that we're safe.
I have Fortify SCA on my PC and use it frequently. I wish I had WebInspect.
In regards to software to integrate in, I've got to believe that somewhere in HP someone has developed a CSRFGuard-like solution for a JSF application to prevent CSRF and has also developed a servlet filter that prevents XSS attacks. Rather than recreate the wheel, I was wondering/hoping there'd be some software we could reuse or leverage.
I'll have to take a look at Stinger and the Java Encoder project for XSS prevention.
ApplicationDefender sounds intriguing to me. I've passed that information on to the solution architect. It'd be nice if it were free. It might be a hard sell to our customer.