So I thought I would take a few minutes and blog about what I am working on. I don't expect anyone to care. Feel free to stop reading. I just wanted to write about something that does not require hours of research. I also wanted to just write SOMETHING, to get me back into it so that I do not become too lax in my blogging.
OWASP ESAPI for CFML
This is something that I had not really planned on talking about until it was closer to usable. But it is also something that I was hoping would be closer to usable by now.
The Open Web Application Security Project (OWASP), which I have blogged about before, is a group of developers and security professionals whose goal is to promote the improvement of security in web applications and to make the web a safer place to surf.
One of the Projects of OWASP is the Enterprise Security API (ESAPI).
"The ESAPI is a free and open collection of all the security methods that a developer needs to build a secure web application."
I learned about ESAPI at an OWASP mini-conference in St. Paul last year. After the presentation, I spoke with Jeff Williams about the project (which currently exists for Java) and about making a CFML version. He said that no one was working on it yet and that he would love to see it happen. Currently, there are groups working on versions for .NET and PHP.
I decided to start looking at the project to see how hard it would be to make a CFML version of it. It is a lot of work, but I am enjoying it. It is taking longer than I thought it would for a few reasons.
- It is a set of Java interfaces. I am not a Java developer, so I struggle a bit with understanding what is going on in the API.
- Java applications are written differently than CFML applications. So some of the methods in the interfaces do not apply, and some new methods are needed.
- Creating an API is HARD. There are so many things to think about. And since I have never done it, it is doubly so. I was hoping when I started that it would be straightforward. Not so.
- It requires a lot of research to understand what is going on (security-wise), and then more research to understand how the same things need to be handled in CFML, and whether they need to be handled at all.
- It is hard to think through all of the different ways the API might be used (i.e. procedurally, OO, in an MVC framework, AOP, etc.).
- I want to try to make it work equally well in ColdFusion, Railo, and OpenBD.
The OWASP ESAPI project is a set of Java interfaces intended for developers to use in building their own enterprise security implementation. The methods in the interfaces have no bodies. They are intended to be a starting point and to cover all of the security bases.
They do take it one step further by providing a reference implementation for Java developers to start with. They can use that reference implementation as is, or customize it to work for their enterprise.
The point of the ESAPI project, as I understand it, is to save time and money while still building secure applications through implementing a standard secure API. It is far easier to teach your developers how to use the methods in ESAPI than it is to teach them the volumes of information there is to know about writing a secure application without it.
One of the points I have seen mentioned in numerous presentations about ESAPI is that developers across the enterprise should NOT be writing their own security implementations. They should all be writing to the same security API. This way, they do not all need to be security experts and they can concentrate on what they do best. Then the security API can be handled by the developers who ARE security experts.
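As an added illustration (not code from the author's project or from OWASP), here is what the interface-plus-reference-implementation split described above could look like in CFML: the contract has no method bodies, the reference component fills them in, and page code talks only to the API. The interface and method names are assumptions loosely modelled on ESAPI's Java Encoder and Validator interfaces, and the example assumes an engine with cfinterface support.

```cfml
<!--- SecurityAPI.cfc (hypothetical name): the contract only, no bodies,
      mirroring the empty Java interfaces ESAPI ships. --->
<cfinterface displayname="SecurityAPI">
    <cffunction name="encodeForHTML" returntype="string" access="public" output="false">
        <cfargument name="input" type="string" required="true">
    </cffunction>
    <cffunction name="isValidInput" returntype="boolean" access="public" output="false">
        <cfargument name="input" type="string" required="true">
        <cfargument name="pattern" type="string" required="true">
        <cfargument name="maxLength" type="numeric" required="true">
    </cffunction>
</cfinterface>

<!--- DefaultSecurityAPI.cfc: the reference implementation. A team can use it as is
      or swap in its own component; application code only ever sees the interface. --->
<cfcomponent implements="SecurityAPI" output="false">
    <cffunction name="encodeForHTML" returntype="string" access="public" output="false">
        <cfargument name="input" type="string" required="true">
        <!--- Escape the characters that would let input break out of an HTML text node. --->
        <cfreturn HTMLEditFormat(arguments.input)>
    </cffunction>
    <cffunction name="isValidInput" returntype="boolean" access="public" output="false">
        <cfargument name="input" type="string" required="true">
        <cfargument name="pattern" type="string" required="true">
        <cfargument name="maxLength" type="numeric" required="true">
        <!--- Whitelist check: enforce the length bound, then require the whole value to match. --->
        <cfif Len(arguments.input) GT arguments.maxLength>
            <cfreturn false>
        </cfif>
        <cfreturn REFind("^" & arguments.pattern & "$", arguments.input) GT 0>
    </cffunction>
</cfcomponent>

<!--- Page code: written against the API rather than home-grown escaping or ad hoc regexes. --->
<cfset security = createObject("component", "DefaultSecurityAPI")>
<cfif security.isValidInput(form.username, "[A-Za-z0-9_]+", 32)>
    <cfoutput><p>Welcome, #security.encodeForHTML(form.username)#</p></cfoutput>
<cfelse>
    <cfoutput><p>That user name is not allowed.</p></cfoutput>
</cfif>
```

Because the page only holds a reference to the interface, replacing DefaultSecurityAPI with an enterprise-specific component changes nothing in the calling code.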
Since interface support in CFML is limited (and, from what I understand, interfaces are not very popular), I have not started a CFML version of the ESAPI interfaces. I have, instead, started on the reference implementation.
I am not yet sure if this CFML ESAPI project is more than I can handle. I am really learning a lot from working on it, but it is slow going. If anyone is interested in helping, I would love to hear from you. I will say though, that this is not for CFML novices.
The people that could help me most would be:
- CFML API Experts - Someone who can tell me if what I am doing is on the right track for the goals of the project
- AOP Experts - Someone who can look at this and say if it would work as well when implemented through AOP as it would when used inline
- Experienced OO Developers - Someone who can tell me if the design patterns being used are being properly used and will not cause performance problems in a CFML environment
- MVC Experts - Someone who can tell me if this type of API could be used easily from within a given MVC framework
- CFML/OpenBD/Railo Internals Experts - Those who can tell me if something is being done in an inefficient (or just plain wrong) way, or to tell me if something doesn't seem right for one engine or another.
Wow, that list got longer than I expected it to. Maybe I do need more help than I thought. If you are interested, please feel free to contact me via my contact form.