[Esapi-dev] Status of the ESAPI .NET Project and the ESAPI .NET/J2EE relationship
Dinis Cruz
dinis.cruz at gmail.com
Fri Sep 3 14:32:21 EDT 2010
Hi, a client recently asked me if we could recommend/use the ESAPI .NET for
remediation advice, and since I'm not sure about the status of this project,
here are my questions:
Sorry if some of these questions have basic answers, but I'm still
getting my head around how ESAPI works.
- Alex, are you still leading this project and doing active development?
- Are these the main ESAPI .NET pages?:
http://forum.owasp.org/index.php/ESAPI#tab=.NET ,
http://forum.owasp.org/index.php/ESAPI_DotNET_Readme ,
http://keepitlocked.net/archive/2009/07/29/owasp-net-esapi-0-2-released.aspx
(with the source code at http://code.google.com/p/owasp-esapi-dotnet/)
- It looks like there is no separate project and mailing-list for the
ESAPI .Net, right?
- What is the current development state of the ESAPI .NET port of the
current ESAPI v1.4 and v2.0 releases?
- The question here is basically "How much of the ESAPI J2EE v1.4 and
v2.0 implementation and goodness is currently available in the
.NET version?"
- In
http://keepitlocked.net/archive/2009/07/29/owasp-net-esapi-0-2-released.aspx
(Sep 09) Alex comments: *"How is the .NET ESAPI different from the Java
ESAPI?:...The two projects are very similar in spirit, but there are
some key differences. Most of the differences exist because the .NET ESAPI
is a less complex project, although in some cases they exist because I
disagree with the direction of the Java team...."*
- My question is: How can we quantify these differences?
- If I wanted to compare the Java Classes with the .NET classes what
should I look out for?
- For example, from
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/apidocs/org/owasp/esapi/Encoder.html
and
http://alexsmolen.com/dotnetesapidoc/html/6ba1114f-ebff-42f3-bda9-666037ea3160.htm
it looks like the J2EE *org.owasp.esapi.Encoder* should match the
*Owasp.Esapi.Encoder* namespace
- Is the expectation that there should be a direct match (both in
name and behaviour) between the classes, methods, properties and fields
between these two projects/classes?
- Is there a minimum base line for each ESAPI implementation?
- is it these interfaces:
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/apidocs/org/owasp/esapi/package-summary.html
- is it the unit tests?
- Where can I see some stats for the ESAPI .NET usage?
- Should I be recommending its use?
- Is there a comparison of the current ESAPI .NET implementation and what
is currently provided by .NET BCL (v2.0, v3.5 and v4.0), AntiXSS,
EnterpriseLibrary, ASP.NET MVC?
- I'm trying to answer the question: *"We already use XYZ, what does
ESAPI give me that we already don't have, and why should we add another
DLL/Dependency to our project?"*
Thanks
Dinis Cruz