Web application security - the fast guide 1.1 | Page 177
Chapter 9 - Secure Application Development
of XSS attack to a satisfactory level, and use the standard PBKDF (password-based key
derivation function) and AES (Advanced Encryption Standard) implementations in the
OpenSSL library for your encryption, so that you are at least sure there is no shortcut
there that would let your encryption be easily defeated.
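An added example of the advice above (not code from the book): password-based encryption that relies on OpenSSL's own PBKDF2 and AES-256-CBC implementations through the openssl command-line tool. It assumes OpenSSL 1.1.1 or later (for the -pbkdf2/-iter options) and a POSIX shell; the iteration count, password and plaintext are constructed for the example.

```shell
#!/bin/sh
# Added example: derive the AES key with PBKDF2 and encrypt with AES-256-CBC,
# both taken from OpenSSL rather than hand-rolled. Assumes OpenSSL >= 1.1.1.
set -u

ITER=600000   # PBKDF2-HMAC-SHA256 iterations; raise it as hardware gets faster

# encrypt_file <in> <out> <password>
# The password is handed over through the environment (-pass env:) so it does
# not show up in the process list the way "-pass pass:..." would.
encrypt_file() {
  PW="$3" openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -md sha256 \
    -pass env:PW -in "$1" -out "$2"
}

# decrypt_file <in> <out> <password>; non-zero exit when decryption fails.
# Caveat: CBC carries no authentication tag, so a wrong password or a
# tampered file is only caught by the padding check; for integrity, add an
# HMAC over the ciphertext or use an AEAD mode (AES-GCM) from the library API.
decrypt_file() {
  PW="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -md sha256 \
    -pass env:PW -in "$1" -out "$2" 2>/dev/null
}

# roundtrip <password>: encrypt a constructed plaintext, decrypt it again and
# print the recovered text, cleaning up the temporary files either way.
roundtrip() {
  tmp=$(mktemp -d)
  printf 'card=4111 exp=12/30' > "$tmp/plain.txt"   # constructed sample data
  encrypt_file "$tmp/plain.txt" "$tmp/plain.enc" "$1"
  decrypt_file "$tmp/plain.enc" "$tmp/out.txt" "$1" && cat "$tmp/out.txt"
  rm -rf "$tmp"
}

roundtrip 'correct horse battery staple'   # prints: card=4111 exp=12/30
```

The openssl enc header (the "Salted__" prefix plus the random salt) is what makes the derived key differ per file even with the same password.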
The table below shows some commonly used functionalities and known robust
libraries available to achieve them.

Functionality                  | Language or framework                                                              | Library                                            | License
-------------------------------+------------------------------------------------------------------------------------+----------------------------------------------------+--------------
Cryptography                   | C/C++                                                                              | OpenSSL                                            | Apache-style
                               | Java/C#                                                                            | BouncyCastle                                       | MIT X11-style
                               | Java, .NET, PHP, Python, Classic ASP, ColdFusion                                   | OWASP ESAPI                                        | BSD
HTML & script sanitization     | Java, .NET                                                                         | OWASP AntiSamy                                     | BSD
                               | .NET                                                                               | Microsoft Web Protection Library (a.k.a. Anti-XSS) | MS-PL
Authentication & Authorization | Java, .NET, PHP, Python, Classic ASP, ColdFusion                                   | OWASP ESAPI                                        | BSD
Output encoding                | Java, .NET, PHP, Python, Ruby, Classic ASP, JavaScript, ColdFusion, Objective-C    | OWASP ESAPI                                        | BSD
                               | .NET                                                                               | Microsoft Web Protection Library (a.k.a. Anti-XSS) | MS-PL
File access                    | Java, PHP, Classic ASP                                                             | OWASP ESAPI                                        | BSD
9.3.3 Code review:
You may have noticed that manual code review does not appear in the SDL, which is
somewhat surprising. Note, however, that developers are not that good at manual
review: systematic, tedious, boring tasks of this type are not where developers
outperform. Additionally, the amount of effort invested in this task gives a very
low return, especially when there is no extra information pointing to a potential
existing problem.
9.3.4 Use static analysis tools:
It is known that code review is one of the ways static analysis can be done,
where "static" refers to "without code execution".
Static analysis usually focuses on increasing the reliability, maintainability,
testability, reusability, portability and efficiency of the developed software, but as
mentioned, doing that manually has a limited return. Using tools to automate the
static analysis tasks, with a manual touch every once in a while to eliminate
false positives, is therefore a very good approach.