What are some recommended libraries for securing code
Question
What third-party libraries and frameworks are available to help secure my application?
Answer
The VA Software Assurance Program Office generally provides architectural recommendations for the use of third-party security libraries, frameworks, and potentially VA infrastructure services as they are identified during ATO code review checks. The purpose of this note is to provide some additional recommendations outside of our reports. Our office does not generally require the use of any particular third-party library or framework for securing applications. There are many libraries, frameworks, and built-in programming language features available to help secure applications.
No one library provides all the protections an application may require, so a set of libraries is often needed to provide a full set of features. The use of a security library or framework does not by itself mean the application is secure; it must be used correctly in the context of the application. For example, encoding data to prevent cross-site scripting does not make it safe to write to a log file, because the log context has different dangerous characters than the HTML context. This technical note provides some suggested tools and the security services that they provide.
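The following added example (not part of this technical note or of any library listed here) illustrates the context point above in Python: the same untrusted value is encoded once for an HTML text node and once for a log line. It uses only the standard library's `html.escape` rather than Bleach, and the untrusted input is a constructed sample.

```python
import html
import re

# Constructed untrusted input: a "username" carrying an HTML tag and an embedded
# newline. The tag matters in the HTML context; the newline matters in the log context.
UNTRUSTED = 'alice<script>alert(1)</script>\nINFO login ok user=admin'


def html_encode(value: str) -> str:
    """Encode for insertion into an HTML text node or quoted attribute (stdlib)."""
    return html.escape(value, quote=True)


# Characters that can break or forge a log line: C0 controls, DEL, and the
# backslash itself (escaped so the encoding stays unambiguous).
_LOG_UNSAFE = re.compile(r'[\x00-\x1f\x7f\\]')


def log_encode(value: str) -> str:
    """Replace each log-unsafe character with a visible \\xNN escape."""
    return _LOG_UNSAFE.sub(lambda m: '\\x%02x' % ord(m.group()), value)


def log_line(user: str) -> str:
    """Build a single-line log record for a failed login from an untrusted username."""
    return 'WARN login failed user=' + log_encode(user)


def html_encoding_is_log_safe(value: str) -> bool:
    """False when the HTML-encoded form still contains line breaks (HTML encoding
    leaves CR/LF untouched, so it offers no protection against log forging)."""
    encoded = html_encode(value)
    return '\n' not in encoded and '\r' not in encoded


if __name__ == '__main__':
    print('HTML context:', html_encode(UNTRUSTED))
    print('Log context :', log_line(UNTRUSTED))
    print('HTML encoding alone is log-safe?', html_encoding_is_log_safe(UNTRUSTED))
```

Running it shows the HTML encoding neutralizes the tag but keeps the raw newline, while the log encoding keeps the tag (harmless in a log) and turns the newline into `\x0a`.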
The table below is organized according to security services provided:
Programming Language | Third-Party Library/Framework | Data Validation, Sanitation, or Encoding | CSRF Protections | Secure Replacement APIs | XML/Schema Protections | Session Management | Notes |
---|---|---|---|---|---|---|---|
Java/JSP, JavaScript | OWASP ESAPI | | | | | | |
PHP | HTML Purifier | Sanitizes HTML text | | | | | |
Java | Apache CXF Framework | | | | | | |
Java | Spring Security | | | | | | |
Java | OWASP AntiSamy | Sanitizes HTML & CSS text | | | | | |
Java | OWASP CSRFGuard | | | | | | |
Java | Apache Commons Validator | | | | | | |
Java | OWASP Java Encoder | | | | | | OWASP considers this an incubator project |
Java | OWASP HTML Sanitizer | | | | | | OWASP considers this an incubator project |
PHP | OWASP CSRFProtector | | | | | | OWASP considers this an incubator project |
.NET | HtmlSanitizer | Sanitizes HTML text | | | | | |
JavaScript | Google htmlsanitizer.js | Sanitizes HTML text | | | | | |
JavaScript | DOMPurify | Sanitizes HTML text | | | | | |
Python | Bleach | Sanitizes HTML text | | | | | |
Java | SerialKiller | Java serialized data | | | | | |
Java | OWASP Stinger | | | | | | It is not recommended to use this third-party library. For more information, please see CVE-2007-4385 |