[Esapi-dev] Fwd: [Owasp-dotnet] Fwd: Status of the ESAPI .NET Project and the ESAPI .NET/J2EE relationship

Dinis Cruz dinis.cruz at gmail.com
Mon Sep 6 01:43:49 EDT 2010


Alex asked me to forward this email to the ESAPI-Dev list since he is not
subscribed.

---------- Forwarded message ----------
From: Alex Smolen <me at alexsmolen.com>
Date: 3 September 2010 21:52
Subject: Re: [Owasp-dotnet] Fwd: Status of the ESAPI .NET Project and the
ESAPI .NET/J2EE relationship
To: dinis cruz <dinis.cruz at owasp.org>
Cc: "OWASP .NET" <owasp-dotnet at lists.owasp.org>, esapi-dev at lists.owasp.org


Hey Dinis,

Thanks for this - I've been meaning to send out an email for a while.
Responses below.


On Sep 3, 2010, at 11:38 AM, dinis cruz wrote:

> Sent today to the ESAPI-Dev list
>
> Dinis Cruz
>
>
> ---------- Forwarded message ----------
> From: Dinis Cruz <dinis.cruz at gmail.com>
> Date: 3 September 2010 19:32
> Subject: Status of the ESAPI .NET Project and the ESAPI .NET/J2EE
> relationship
> To: ESAPI-Developers <esapi-dev at lists.owasp.org>, Alex Smolen <
> me at alexsmolen.com>
> Cc: owasp-dotnet at lists.sourceforge.net
>
>
> Hi, a client recently asked me if we could recommend/use the ESAPI .NET for
> remediation advice, and since I'm not sure about the status of this project,
> here are my questions:
>
> Sorry if some of these questions have basic answers but I'm still
> getting my head around how ESAPI works
>        • Alex, are you still leading this project and doing active
> development?
>

I am leading the project by default, although I haven't worked on it for a
while. Here are some problems I ran into:

1) MS has a bunch of security architecture built-in to ASP.NET that Java
simply doesn't have. The Membership API and AntiXSS are two huge codebases
that are good enough for ASP.NET developers and have significant overlap
with the Java ESAPI.

2) A previous contributor to the project added some changes that I don't
like between release .2 and .21. I haven't gotten around to rolling back,
but I'd like to.

3) I'm at school, on a Mac, and not doing active .NET development any more.
I don't have a good environment for working on the project.

If anyone wants to take it over, it's up for grabs. If not, I'll continue to
support it, but for now it's not getting the love it needs :)

>        • Are these the main ESAPI .NET pages?:
> http://forum.owasp.org/index.php/ESAPI#tab=.NET ,
> http://forum.owasp.org/index.php/ESAPI_DotNET_Readme ,
> http://keepitlocked.net/archive/2009/07/29/owasp-net-esapi-0-2-released.aspx (with the source code at
> http://code.google.com/p/owasp-esapi-dotnet/)
>

The main pages for the .NET ESAPI (which is the proper naming convention,
since esapi.net is some weird website) are the Google code page and the
OWASP page you mentioned.


>        • It looks like there is no separate project and
> mailing-list for the ESAPI .Net, right?
>

There is no separate mailing list.

>        • What is the current development state of the ESAPI .NET port of
> the current ESAPI v1.4 and v2.0 releases?
>

I haven't looked at the Java ESAPI since 1.4. There hasn't been much of a
push on my part to mirror the Java version lately.

>        • The question here is basically "How much of the ESAPI J2EE
> v1.4 and v2.0 implementation and goodness is currently available in the .NET
> version?"
>
>        • in
> http://keepitlocked.net/archive/2009/07/29/owasp-net-esapi-0-2-released.aspx (Sep 09) Alex comments: "How is the .NET ESAPI different from the Java
> ESAPI?: ...The two projects are very similar in spirit, but there are some
> key differences. Most of the differences exist because the .NET ESAPI is a
> less complex project, although in some cases they exist because I disagree
> with the direction of the Java team...."
>                • My question is: How can we quantify these differences?
>

I tried to qualitatively describe the differences in that blog post, I'm not
sure how much use it would be to try to quantify them. Generally, ASP.NET
and Java do things differently. I felt that I had two options: to mirror the
Java ESAPI and make the .NET ESAPI awkward to use (which I did in the first
rev) or adapt the .NET ESAPI to be "a library of useful security
architecture for ASP.NET applications" and keep with the spirit of the Java
API rather than the letter. I've pursued the latter, and I haven't heard
many complaints, but if people feel differently I'd be happy to hear it.

>        • If I wanted to compare the Java Classes with the .NET
> classes what should I look out for?
>
>                        • For example, from
> http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/apidocs/org/owasp/esapi/Encoder.html and
> http://alexsmolen.com/dotnetesapidoc/html/6ba1114f-ebff-42f3-bda9-666037ea3160.htm it looks like the J2EE org.owasp.esapi.Encoder should match the
> Owasp.Esapi.Encoder namespace
>

Yeah, we did things differently here. Our validator and encoder have a map
of constants to encoders and validators rather than method names referring
to validators and encoders. I prefer our way, so that's how I did it.

>        • Is the expectation that there should be a direct
> match (both in name and behaviour) between the classes, methods, properties
> and fields between these two projects/classes?
>

No, not as I see it.

>        • Is there a minimum base line for each ESAPI implementation?
>
>                • is it these interfaces:
> http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/apidocs/org/owasp/esapi/package-summary.html
>                • is it the unit tests?
>

I'm not aware of a base line. I'd be happy to hear others' thoughts about
this.

>        • Where can I see some stats for the ESAPI .NET usage?
>

Google code has some stats for checkins, downloads, etc. Other than that I'm
aware of any.

>        • Should I be recommending its use?
>
>        • Is there a comparison of the current ESAPI .NET implementation and
> what is currently provided by .NET BCL (v2.0, v3.5 and v4.0), AntiXSS,
> EnterpriseLibrary, ASP.NET MVC?
>        • I'm trying to answer the
> question: "We already use XYZ, what does ESAPI give me that we already
> don't have and, why should we add another DLL/Dependency to our project?"
> Thanks
>
>
I would recommend that people look at it and see if it would be useful to
them. I haven't gotten enough quality feedback to say if it's useful or not,
and I think the few things it does do that ASP.NET doesn't (regenerate the
session ID, more complete CSRF protection, default framebusting, etc) may
not be enough of a win to download and use the whole framework, unless you
plan to extend it yourself.

The best place to start would be the OWASP .NET ESAPI Swingset project, which
shows how all of the functionality integrates with a typical ASP.NET
application. I'd also recommend using the release0.2 branch of the .NET
ESAPI library itself which doesn't have the IMO wacky configuration stuff
that was added later.

If there is a genuine interest in the project, that would generate interest
on my part and I might get back to active development. But I'm not sure that
there's enough of a market for a .NET ESAPI to spend the time working on it.

Alex