Dear Apache Isis Developers,

My name is Paulo Sequeira and I am a student in the Master's in Cybersecurity
program at Universidad Cenfotec, Costa Rica.

I'm writing to let you know that a colleague and I have become interested
in the work you're doing with the Apache Isis framework and are making it the
subject of some research we are carrying out at this time.

In this research we want to assess the impact and benefits that the
framework provides to the security of applications based on it; our
hypothesis is that, similarly to how the framework can enable greater
productivity by letting the developer focus more on the domain modeling and
the business logic, liberating him from having to deal with low-level,
complex and overwhelming details of properly implementing a working UI, the
framework can also improve the baseline security of the resulting
application because many common security vulnerabilities arise from those
aspects of the application implementation that it may already be taking
care of on behalf of the developer: validation checks to prevent injection,
session management, XSS protection, access controls, and others.

Our preliminary review of the research literature suggests these are aspects of
the Naked Objects approach or Apache Isis that have not specifically been
targeted in studies, so that's where we want to focus.

An initial step in this research would be to run example Apache Isis
applications through a security verification procedure (we have chosen the
OWASP Application Security Verification Standard as a starting point) to
assess the security baseline of the applications the framework currently
generates. But as you can imagine, such assessments may require
assistance on the part of the developers of the application and the framework
being assessed; additionally, we would like to make sure that any findings
are properly reported and discussed with you before any publication (we
hope :-) ) takes place.

That's why we want to make you aware of our intentions and to ask whether
this initiative may be of interest to you, whether cooperation with it is
feasible, and how you think it can best be carried out.

Thank you very much for your kind attention.

Cordially,

Paulo C. Sequeira Gutiérrez
