This article discusses security functions. The open source project OWASP ESAPI* of OWASP also provides reference for the realization of the security module, when developers are not sure how to formulate a good security module.
There are a variety of different versions of web languages in ESAPI, in which the Java version is the most complete.
As indicated in Web Framework Security, implementing many security features on the development of framework will greatly reduce the development cost of the programmer. This is an experience worth promotion.
During the development phase, a best practice is to work out development standards and include safety solutions for the benefit of the developers. For example, in the “Web framework security,” we saw that in fighting against XSS attacks, all the variables need to be encoded for rendering the correct output. In order to do this we realized safe macros in the template:
XML coding input, will process XML Encode out put
#SXML($xml)
JS coding input, will process JavaScript Encode out put
#SJS($js)
To overcome similar problems, Microsoft provides developers with a safety function library. These functions should be included in the specifications for development. In code review stage, we can check if the output variables use the security functions by means of white-box scanning. Those that do not use these safe functions are considered as not being in line with the safety standards. This process can also be self-inspected by the developer.
When a developer writes his own codes, such as for customizing a process for HTML page output, the implementation of this process may not be safe. The safety engineer needs to read through all of the logic in the code to approve it, which would be time consuming.
Including security solutions into development specifications is the real implementation of security solutions. This is not only for the convenience of developers to write secure codes, but also helps security audits.