Jari,
It is possible to build secure web applications using either of those frameworks. The question then becomes: "which one offers the best security by default?" At the web tier there will only be a handful of features that will be relevant to security, so I would look for:
- Anti-XSS: Does the framework encode HTML content in fields by default? Field values, content and attributes.
- Does the framework provide adequate guidance to use this safe encoded way of doing things as opposed to the non-safe way (i.e. how likely are developers to use the framework's encoding mechanism and not try to bypass it)?
- Does the framework provide CSRF protection by default? Sometimes this happens when the framework supports page-flows: it includes a nonce in POST requests to control the order of pages in a wizard, and so you get CSRF protection free of charge.
- How well does the framework integrate with the authentication and access control framework?
regards,
Stephen
On 19 May 2011, at 18:38, Jari Pirhonen wrote:
> Hi,
>
> I was asked about security of Wicket compared to Struts. I'm not familiar with either of those. I didn't find any good security comparisons or Wicket security challenges with Google, except that Wicket is apparently more complicated to use.
>
> I would appreciate any information you can give or point out.
>
> best regards,
> Jari
>
> _______________________________________________
> The Web Security Mailing List
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
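The first and third items on Stephen's checklist (output encoding on by default, with an explicit opt-out, and a per-session CSRF nonce checked on every POST) are framework-agnostic, so the following added example sketches what a "secure by default" web tier looks like in isolation. It is illustrative code written for this thread, not code from Wicket, Struts or any of the posters; the `SafeMarkup`, `Session`, `render_field`, `render_form` and `handle_post` names are hypothetical, and the form values are constructed sample input.

```python
import html
import hmac
import secrets


class SafeMarkup(str):
    """Explicit opt-out marker (hypothetical): only values wrapped in SafeMarkup
    are emitted raw. Everything else is encoded, so the safe path is the default
    and bypassing it has to be a visible, deliberate act in the code."""


def encode_text(value) -> str:
    """Encode a value for HTML text content (between tags)."""
    if isinstance(value, SafeMarkup):
        return str(value)
    return html.escape(str(value), quote=False)


def encode_attr(value) -> str:
    """Encode a value for a double-quoted HTML attribute.
    Attribute context additionally needs quotes encoded, which is why text
    and attribute encoding are separate helpers (Stephen's 'values, content
    and attributes')."""
    if isinstance(value, SafeMarkup):
        return str(value)
    return html.escape(str(value), quote=True)


def render_field(name, value) -> str:
    """Render a labelled <input>; both the text and attribute contexts are
    encoded without the template author having to remember to do it."""
    return (
        f"<label>{encode_text(name)}</label>"
        f'<input name="{encode_attr(name)}" value="{encode_attr(value)}">'
    )


class Session:
    """Hypothetical server-side session carrying one random CSRF nonce."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session: Session, action: str) -> str:
    """Every form the framework renders carries the session nonce as a hidden
    field, so developers get CSRF protection without opting in."""
    return (
        f'<form method="post" action="{encode_attr(action)}">'
        f'<input type="hidden" name="_csrf" value="{encode_attr(session.csrf_token)}">'
        "</form>"
    )


def handle_post(session: Session, form_fields: dict) -> int:
    """Reject any POST whose nonce is missing or differs from the session's.
    Returns an HTTP status code: 403 on failure, 200 on success.
    compare_digest avoids leaking the token through timing differences."""
    submitted = form_fields.get("_csrf", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample values: one breaks text context, one breaks attribute context.
    print(render_field("<b>Name</b>", 'Tom "Tiny" Smith'))
    s = Session()
    print(render_form(s, "/wizard/step2"))
    print(handle_post(s, {}))                          # missing nonce -> 403
    print(handle_post(s, {"_csrf": s.csrf_token}))     # nonce present -> 200
```

When evaluating a framework against the checklist, the questions to ask of its own code are the same ones this sketch makes explicit: is the raw-output path a distinct, greppable construct like `SafeMarkup`, does the attribute encoder differ from the text encoder, and is the nonce check performed by the framework on every POST rather than left to each handler.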