Dear Andi,

Thank you so much for your kind reply. I agree that targeting v2 for the assessment would be sensible, and the milestone release and the demo app could be just fine for our purposes.

We'll have a look at the Docker image and play a bit with the demo app to get familiarized with them; thank you very much for pointing us to those resources, they'll be of great help.

Regards.

On 2020/04/05 06:48:01, Andi Huber <[email protected]> wrote:
> Dear Paulo,
>
> I'm one of the more involved developers on Apache Isis. I'm happy to help you
> get started with the framework or answer questions.
>
> I'd say at least 90% of our current effort goes into work on Apache Isis
> Version 2. The final release might still take a couple of months, but we
> do have intermediate milestone releases on our way there. We just released
> Milestone 3.
>
> I think for us, it would make more sense having Apache Isis Version 2
> assessed, even though we have no final release yet.
>
> For starters, we do have a Docker image [1] that's built on a daily basis,
> showcasing many of the framework features. You might consider whether this
> application can be used as a starting point for your assessment.
>
> You might also consider having Slack chats with me and our community. Feel
> free to join via [2].
>
> Cheers, Andi
>
> [1] https://hub.docker.com/r/apacheisis/demo-springboot
> [2] https://cwiki.apache.org/confluence/display/ISIS/Signing+up+to+Slack
>
> On 2020/04/05 00:19:52, Paulo Cesar Sequeira Gutierrez
> <[email protected]> wrote:
> > Dear Apache Isis Developers,
> >
> > My name is Paulo Sequeira and I am studying in a Master's in Cybersecurity
> > program at Universidad Cenfotec, Costa Rica.
> >
> > I'm writing to let you know that a colleague and I have become interested
> > in the work you're doing with the Apache Isis framework and are making it the
> > subject of some research we are carrying out at this time.
> >
> > In this research we want to assess the impact and benefits that the
> > framework provides to the security of applications based on it; our
> > hypothesis is that, similarly to how the framework can enable greater
> > productivity by letting the developer focus more on the domain modeling and
> > the business logic, liberating him from having to deal with low-level,
> > complex and overwhelming details of properly implementing a working UI, the
> > framework can also improve the baseline security of the resulting
> > application, because many common security vulnerabilities arise from those
> > aspects of the application implementation that it may already be taking
> > care of on behalf of the developer: validation checks to prevent injection,
> > session management, XSS protection, access controls, and others.
> >
> > Our preliminary review of research literature suggests these are aspects of
> > the Naked Objects approach or Apache Isis that may not have specifically
> > been targeted in studies, so that's where we want to focus.
> >
> > An initial step in this research would be to run example Apache Isis
> > applications through a security verification procedure (we have chosen the
> > OWASP Application Security Verification Standard as a starting point) to
> > assess the security baseline of the applications the framework currently
> > generates. But as you could imagine, such assessments may require
> > assistance on the part of developers of the application and the framework
> > being assessed; additionally, we would like to make sure that any findings
> > are properly reported and discussed with you before any publication (we
> > hope :-) ) takes place.
> >
> > That's why we want to make you aware of our intentions and to ask if
> > this initiative may be of interest to you, if cooperation with it is
> > feasible, and how you'd think it can best be carried out.
> >
> > Thank you very much for your kind attention.
> >
> > Cordially,
> >
> > Paulo C. Sequeira Gutiérrez
