OWASP Enterprise Security API (ESAPI) provides a security control library that helps programmers integrate security into their applications. It is not a new framework; it provides a common interface and reference implementations that other frameworks can benefit from.

Security is a complex issue. The “weakest link in the chain” is a well-known problem: if you need to provide security, you have to consider all possible threats and the relevant solutions. If you forget to integrate a single control, you will probably lose.

ESAPI aims to close this gap by providing a more “complete” set of best-practice security controls. Let’s look at an encryption example in Java. Listing 1 shows an AES symmetric encryption example that encrypts the given plaintext with a secret key. For readability, some details (e.g. imports, exceptions, comments) are omitted.


IBM Database Encryption Expert

For a customer project, we were asked for a database encryption tool. After some googling, I came across IBM Database Encryption Expert, which seems to be a great tool:

  • It transparently encrypts and decrypts files on the file system and exposes clear text only to the authorized parties specified in the access control policies
  • It provides encryption of DB2 databases in offline mode (e.g. database backups)
  • It provides encryption of DB2 databases in online mode as well
  • It provides an interface for key management (encryption keys are stored, in encrypted form, within the DB2 database of the Security Server)

Here is a video showing the tool in action.

What I wonder about is the performance of online encryption. Does anybody have any experience with this?