Dear Paulo,

I'm one of the more involved developers on Apache Isis. I'm happy to help you get started with the framework or answer questions.

I'd say at least 90% of our current effort goes into work on Apache Isis Version 2. The final release might still take a couple of months, but we do have intermediate milestone releases on our way there. We just released Milestone 3. I think for us, it would make more sense having Apache Isis Version 2 assessed, even though we have no final release yet.

For starters, we do have a Docker Image [1] that's built on a daily basis, showcasing many of the framework features. You might consider whether this application can be used as a starting point for your assessment.

You might also consider having Slack chats with me and our community. Feel free to join via [2].

Cheers
Andi

[1] https://hub.docker.com/r/apacheisis/demo-springboot
[2] https://cwiki.apache.org/confluence/display/ISIS/Signing+up+to+Slack

On 2020/04/05 00:19:52, Paulo Cesar Sequeira Gutierrez <psequei...@ucenfotec.ac.cr> wrote:
> Dear Apache Isis Developers,
>
> My name is Paulo Sequeira and I am studying at a Master's in Cybersecurity
> program at Universidad Cenfotec, Costa Rica.
>
> I'm writing to let you know that a colleague and I have become interested
> in the work you're doing with the Apache Isis framework and making it the
> subject of some research we are carrying out at this time.
>
> In this research we want to assess the impact and benefits that the
> framework provides to the security of applications based on it; our
> hypothesis is that, similarly to how the framework can enable greater
> productivity by letting the developer focus more on the domain modeling and
> the business logic, liberating him from having to deal with low-level,
> complex and overwhelming details of properly implementing a working UI, the
> framework can also improve the baseline security of the resulting
> application because many common security vulnerabilities arise from those
> aspects of the application implementation that it may already be taking
> care of on behalf of the developer: validation checks to prevent injection,
> session management, XSS protection, access controls, and others.
>
> Our preliminary review of research literature suggests these are aspects of
> the Naked Objects approach or Apache Isis that may not have specifically
> been targeted in studies, so that's where we want to focus on.
>
> An initial step in this research would be to run example Apache Isis
> applications through a security verification procedure (we have chosen the
> OWASP Application Security Verification Standard as a starting point) to
> assess the security baseline of the applications the framework currently
> generates. But as you could imagine, such assessments may require
> assistance on the part of developers of the application and the framework
> being assessed; additionally, we would like to make sure that any findings
> are properly reported and discussed with you before any publication (we
> hope :-) ) takes place.
>
> That's why we want to make you aware of our intentions and to ask if
> this initiative may be of interest to you, if cooperation with it is
> feasible, and how you'd think it can best be carried out.
>
> Thank you very much for your kind attention.
>
> Cordially,
>
> Paulo C. Sequeira Gutiérrez
>