A Security Project for CFML

So I thought I would take a few minutes and blog about what I am working on. I don't expect anyone to care. Feel free to stop reading. I just wanted to write about something that does not require hours of research. I also wanted to just write SOMETHING, to get me back into it so that I do not become too lax in my blogging.

OWASP ESAPI for CFML

This is something that I had not really planned on talking about until it was closer to usable. But it is also something that I was hoping would be closer to usable by now.

The Open Web Application Security Project, which I have blogged about before, is a group of developers and security professionals whose goal is to promote the improvement of security in web applications and to make the web a safer place to surf.

One of the Projects of OWASP is the Enterprise Security API (ESAPI).

"The ESAPI is a free and open collection of all the security methods that a developer needs to build a secure web application."

-OWASP

I learned about ESAPI at an OWASP mini-conference in St. Paul last year. After the presentation, I spoke with Jeff Williams about the project (which currently exists for Java) and about making a CFML version. He said that no one was working on it yet and that he would love to see it happen. Currently, there are groups working on versions for .NET and PHP.

I decided to start looking at the project to see how hard it would be to make a CFML version of it. It is a lot of work, but I am enjoying it. It is taking longer than I thought it would for a few reasons.

  • It is a set of Java interfaces. I am not a Java developer, so I struggle a bit to understand what is going on in the API.
  • Java applications are written differently than CFML applications. So some of the methods in the interfaces do not apply, and some new methods are needed.
  • Creating an API is HARD. There are so many things to think about. And since I have never done it, it is doubly so. I was hoping when I started that it would be really straightforward. Not so.
  • It requires a lot of research to understand what is going on (security-wise) and then more research to understand how the same things need to be handled in CFML and if they do need to be handled.
  • It is hard to think through all of the different ways the API might be used. (i.e. procedurally, OO, in an MVC Framework, AOP, etc.)
  • I want to try to make it work equally well in ColdFusion, Railo, and OpenBD.

The OWASP ESAPI project is a set of Java interfaces that developers are intended to use to build their own enterprise security implementation. The methods in the interfaces are empty. They are intended to be a starting point and to cover all of the security bases.

They do take it one step further by creating a reference implementation for Java developers to start with. They can use that reference implementation as is, or customize it to work for their enterprise.

The point of the ESAPI project, as I understand it, is to save time and money while still building secure applications by implementing a standard secure API. It is far easier to teach your developers how to use the methods in ESAPI than it is to teach them the volumes of information there is to know about writing a secure application without it.

One of the points I have seen mentioned in numerous presentations about ESAPI is that developers across the enterprise should NOT be writing their own security implementations. They should all be writing to the same security API. This way, they do not all need to be security experts and they can concentrate on what they do best. Then the security API can be handled by the developers who ARE security experts.

Since interface support in CFML is limited (and, from what I understand, interfaces are not very popular), I have not started a CFML version of the ESAPI interfaces. I have, instead, started doing the reference implementation.
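To make the interface-plus-reference-implementation structure concrete in CFML terms, here is an added example. It is mine, not code from this post or from the author's project, and it assumes `cfinterface` / `implements` support (ColdFusion 8+, and, as an assumption, current Railo and OpenBD builds). The component and method names (`Encoder`, `DefaultEncoder`, `encodeForHTML`) mirror the Java ESAPI `Encoder` interface but are my own hypothetical CFML rendering of it; the encoding logic follows ESAPI's whitelist approach (letters, digits and a small immune set pass through, everything else becomes a numeric entity) rather than relying on `HTMLEditFormat()`, which only touches a handful of characters.

```cfml
<!---
  Encoder.cfc : the contract, with empty methods exactly as in the Java ESAPI
  interfaces. Application code is written against this; an enterprise can swap
  in its own implementation as long as it honours the signature.
  (Hypothetical example, not the author's project code.)
--->
<cfinterface hint="Output-encoding contract that application code writes against">
    <cffunction name="encodeForHTML" access="public" returntype="string"
                hint="Encode untrusted data for use inside an HTML element body">
        <cfargument name="input" type="string" required="true">
    </cffunction>
</cfinterface>

<!---
  DefaultEncoder.cfc : a reference implementation of the contract above.
  Whitelist, not blacklist: only characters known to be harmless are copied
  through; every other character, including non-ASCII, becomes &#xHH;.
--->
<cfcomponent implements="Encoder" output="false">
    <cffunction name="encodeForHTML" access="public" returntype="string" output="false">
        <cfargument name="input" type="string" required="true">
        <cfscript>
            var out = "";
            var i = 0;
            var c = "";
            for (i = 1; i LTE len(arguments.input); i = i + 1) {
                c = mid(arguments.input, i, 1);
                // immune set: letters, digits, space, comma, period, underscore, hyphen
                if (reFind("^[A-Za-z0-9 ,._-]$", c)) {
                    out = out & c;
                } else {
                    // "##" is how a literal # is written inside a CFML string,
                    // so this emits &#x followed by the hex code point and ;
                    out = out & "&##x" & formatBaseN(asc(c), 16) & ";";
                }
            }
            return out;
        </cfscript>
    </cffunction>
</cfcomponent>

<!--- Usage from a view: the page never touches raw input directly --->
<cfset encoder = createObject("component", "DefaultEncoder")>
<cfoutput>
    <p>#encoder.encodeForHTML('<script>alert("x")</script>')#</p>
</cfoutput>
```

The point of the split is that the view above only knows the `Encoder` contract; if the reference implementation later delegates to the Java ESAPI jar instead (as one commenter below describes doing), no application code changes. One caveat on the sample encoder: it is for HTML element content only, and a separate method is needed for each other context (attribute, JavaScript, URL, CSS), which is exactly why the Java `Encoder` interface carries one method per context.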

I am not yet sure if this CFML ESAPI project is more than I can handle. I am really learning a lot from working on it, but it is slow going. If anyone is interested in helping, I would love to hear from you. I will say though, that this is not for CFML novices.

The people that could help me most would be:

  • CFML API Experts - Someone who can tell me if what I am doing is on the right track for the goals of the project
  • AOP Experts - Someone who can look at this and say if it would work as well when implemented through AOP as it would when used inline
  • Experienced OO Developers - Someone who can tell me if the design patterns being used are being properly used and will not cause performance problems in a CFML environment
  • MVC Experts - Someone who can tell me if this type of API could be used easily from within a given MVC framework.
  • CFML/OpenBD/Railo Internals Experts - Those who can tell me if something is being done in an inefficient (or just plain wrong) way, or to tell me if something doesn't seem right for one engine or another.

Wow, that list got longer than I expected it to. Maybe I do need more help than I thought. If you are interested, please feel free to contact me via my contact form.

Comments
Jason Dean: I should probably mention. This is not an Official OWASP project. Maybe someday it will be, but not right now.
# Posted By Jason Dean | 2/3/09 10:08 AM
dt: Good luck.

I've used the OWASP ESAPI API to do exactly what you're saying. It's good to tackle only what you need at the start and only the functions you need too.

The AccessController, AccessReferenceMap, Authenticator, Encryptor, Logger, Randomizer, SecurityConfiguration, User and the Validator.

The Encoder is necessary too. But for me it just encapsulates the java version of the encoder. There is no way a sane person ports over what the encoder does.

And then of course there is the book - https://www.owasp.org/images/7/79/ESAPI_Book.pdf

I've had to refactor and I will continue to refactor cause I didn't study enough before implementing.

Define your scope. Good luck.

Good luck.
# Posted By dt | 2/3/09 10:40 AM
bill shelton: Jason, count me in!
# Posted By bill shelton | 2/4/09 4:01 AM
dt: And me too, I guess.
# Posted By dt | 2/4/09 4:12 PM
Jason Dean: Awesome. Glad to have some interest. I'll email you guys offline.
# Posted By Jason Dean | 2/5/09 8:56 AM
Peter J. Farrell: Jason, hit me up the next time I get to the CFUG about this. More than willing to help you by discussing any API/MVC stuff. I've learned a lot (of little lessons, to be humble) about building an API with my involvement in Mach-II in the past few years.

Also, I've done a lot of work reading / translating Java code into CFML because I do a lot of research on new features for Mach-II by looking at other frameworks in other languages (so far this year I've learned a bit too much from Rails, CakePHP, Django and Spring, to name a few).

Very curious to see where you are going with this...
# Posted By Peter J. Farrell | 2/18/09 2:00 AM
Jason Dean: @Peter, thanks for the offer. I will do that.
# Posted By Jason Dean | 2/18/09 12:50 PM