struts-user mailing list archives

From "Arshan Dabirsiaghi" <arshan.dabirsia...@aspectsecurity.com>
Subject Application security gap analysis in Struts2
Date Tue, 05 May 2009 14:17:57 GMT
Struts2 folks,
 
The Intrinsic Security Working Group (ISWG) at OWASP (http://www.owasp.org) has been researching
what security countermeasures an application architect or technical lead must plan for when
creating a Struts2 application. The result of this research is a document that we are looking
for feedback about from the Struts2 community of users and developers.
 
Mainly, we wanted to research what web application attacks developers of Struts2 applications
would have to compensate for, and what, if any, security improvements could be made to the
Struts2 framework to enable more secure web applications. 
 
The document is located here:
http://www.owasp.org/images/b/be/A_Gap_Analysis_of_Application_Security_in_Struts2.pdf
 
We look forward to your feedback. There are a million applications written with Struts1 out
there, and before all the large enterprises start pumping out the next generation of applications
in Struts2, we want to make sure we've done our due diligence.
 
Again, the purpose of this research was not to find vulnerabilities in Struts2, but to see
how we could improve the framework to enable more secure applications.
 
Thanks for your time,
Arshan Dabirsiaghi
