JavaRanch » Java Forums » Java » Servlets
a3-Broken Authentication and Session Management

megan smith
Greenhorn

Joined: Nov 30, 2009
Posts: 22
The top-3 risk as per OWASP is Broken Authentication and Session Management, even though OWASP is not mentioning Authorization. My question is how much detail your book is covering on this topic. The prevention as per OWASP is extensive code review. My question is how viable this is.
Sunny Wear
author
Greenhorn

Joined: Jul 25, 2005
Posts: 17
Hello Megan,
Thank you for your question!

I decided to have the ebook address CSRF and some points on Session Fixation. This is in one of the five chapters. I explain the attack and have an illustration as well as the mitigation techniques, particularly as given by OWASP. There are many variations on Session Mgmt attacks, but the ebook is meant to be a quick hit to address these in the immediate. I also have a chapter on Peer Code Reviews and yes, you are correct, they can be laborious and tedious, but necessary. That's why we can look to some bots, either purchased or free, to help facilitate these efforts.

I believe there really is no substitute for the Peer Code Review process. Having other humans look at your code and provide feedback is invaluable, especially since the tools can sometimes give false positives, or worse, false negatives!


"So this is how liberty dies - to thunderous applause" -- Padme (Star Wars - Episode III)