[Owasp-appsensor-project] Fwd: AppSensor & ESAPI
Jim Manico
jim.manico at owasp.org
Mon Nov 1 04:59:23 EDT 2010
John,
Do you have a moment to let us know exactly what part of AppSensor ESAPI uses?
It's a pain to review all this; kick it back to me and I'll dig.
Thanks John,
Jim
> Kevin,
> Hi, Glad you are considering AppSensor. I attempted answers inline -
> if you have further questions, let me know.
> Thanks,
> John
>
> On Sun, Oct 31, 2010 at 1:23 PM, Michael Coates <michael.coates at owasp.org> wrote:
>
> Forwarding to AppSensor mailing list. I think John will have the
> most current info for several of these questions.
>
> But, we do need to get the appsensor.jar as a feature download.
> We don't want people to build from scratch if they don't want to.
>
> -------- Original Message --------
> Subject: AppSensor & ESAPI
> Date: Sun, 31 Oct 2010 09:37:31 -0400
> From: Kevin W. Wall <kevin.w.wall at gmail.com>
> Organization: Qwest IT - Application Security Team
> To: Michael Coates <michael.coates at owasp.org>
>
> Michael,
>
> I just watched your AppSec USA 2010 video presentation about AppSensor & ESAPI
> yesterday. (Thanks for the credit as contributor BTW. Totally unexpected.)
>
> In it, you mentioned that it was planned to have appsensor.jar bundled with
> ESAPI as of ESAPI 2.0rc8. Since I don't see it in ESAPI even in 2.0rc10,
> I'm guessing that there was a delay for some reason.
>
> I copied Jim on this email b/c he was discussing this with us. I
> personally am not sure what's required on the ESAPI side to get
> AppSensor bundled. I can say AppSensor depends on ESAPI in some of
> its code (ESAPI is a maven dependency of AppSensor). I would be
> happy to do whatever I can to get it included in the bundle. Jim, any
> thoughts?
>
> So then I go to look for the AppSensor tutorial and the AppSensor jar file
> at the AppSensor Google Code site and I don't find either. (The tutorial is
> under '/' of the trunk under the svn/trunk though, so I did get it.) But
> surprisingly (to me, at least) was the fact that I could not find appsensor.jar
> anywhere under the featured or previous Downloads. (Do you expect people to
> build it from scratch?)
>
> Right now, there are 3 ways to get the jar, and I agree this should be
> reorganized ... we all admit documentation is our next hurdle. The
> first is to build from scratch as you mentioned, unpalatable to most.
> The second is to grab the jar from the link on
> http://www.owasp.org/index.php/AppSensor_Developer_Guide. The third
> is to add it as a maven dependency - AppSensor is in Maven central
> (same as ESAPI as of 2.0RC10). We really do need to move towards
> producing a deliverable similar to ESAPI that is a zip w/ the
> jar/dependencies/javadoc/config files, etc. in a zip or something like
> that, but we're not there yet.
>
> Anyway, the reason that I am bringing this up is that I am about ready to
> start working on the ESAPI crypto for the 2.1 branch and I see many places
> where I'd like to wire-in AppSensor detection points into either JavaEncryptor
> or perhaps even EncryptionException. If AppSensor was truly bundled as part of
> ESAPI that would be fairly easy to do. OTOH, if it is not, I may need to
> rethink this because I don't want to create yet another dependency on an
> external class library. (ESAPI already has something like 30+ jars that it
> is dependent upon.)
>
> Glad you're thinking of going this way, again, I'd need to talk to Jim
> about bundling.
>
> Lastly, from your AppSec USA 2010 video, I recall you stating that the
> way that AppSensor would be enabled in ESAPI would be to set
>
> ESAPI.IntrusionDetector=org.owasp.appsensor.intrusiondetection.AppSensorIntrusionDetector
>
> in the ESAPI.properties file. However, I also vaguely recall discussion
> as to how that property should not be used as that would disable
> ESAPI's built-in WAF and I thought that I remember Jeff Williams arguing that
> AppSensor and the ESAPI WAF were _complementary_ rather than _competing_
> technologies so therefore they should use different properties in ESAPI.
> Anyway, I am not sure that this has been resolved or not, so would appreciate
> an update in this area as well.
>
> This will probably have to be cleared up with Jeff and/or Jim. I
> haven't seen anything in the intrusion detector code that says
> anything about the WAF, but I could be wrong. I agree with Jeff's
> core point, but if that configuration is true, then I think the
> current setup is confusing. The WAF should have separate
> configuration. I wouldn't necessarily hook the WAF into the intrusion
> detection config, since some folks would want to use one or the other.
> Also wanted to point out that in addition to changing that 1-line
> config, you do need to add the appsensor.properties file (goes in the
> same folder as the esapi.properties), and make sure the config is
> right there. That config file is in svn.
>
> Thanks,
> -kevin
> P.S.- If you wish to reply to the OWASP-AppSensor-Project mailing list, that's
> fine as I subscribe to that. Just wasn't sure if this was appropriate
> to ask there as I'm not sure if that's a developers list or a users
> list.
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
>
>
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
>
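The thread talks about wiring AppSensor "detection points" into ESAPI's crypto code (JavaEncryptor / EncryptionException) and about enabling AppSensor by pointing the ESAPI.IntrusionDetector property at AppSensorIntrusionDetector. The example below is added here and is not code from the thread, from ESAPI, or from AppSensor; it shows the shape such a detection point takes using only ESAPI's public IntrusionDetector API (ESAPI.intrusionDetector().addEvent(...)), so that whichever detector is configured in ESAPI.properties receives the event. The class name MonitoredDecryptor and the event name CryptoDecryptFailure are hypothetical; how AppSensor maps an ESAPI event name onto one of its own detection points is not covered in the thread and is not assumed here.

```java
// Added example, not part of the original thread or of ESAPI/AppSensor:
// a decrypt wrapper that reports decryption failures as ESAPI intrusion
// events. This is the kind of detection point the thread discusses wiring
// into JavaEncryptor / EncryptionException.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encryptor;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;

public final class MonitoredDecryptor {

    // Hypothetical event name (assumption). With ESAPI's reference detector it
    // must match the IntrusionDetector.event.<name>.count/.interval/.actions
    // keys in ESAPI.properties; with AppSensorIntrusionDetector selected, the
    // thread says the configuration lives in appsensor.properties instead.
    static final String EVENT_NAME = "CryptoDecryptFailure";

    private MonitoredDecryptor() {}

    /**
     * Decrypts ct with the configured ESAPI Encryptor. A failed decryption
     * (wrong key, bad MAC, tampered ciphertext) is recorded as an intrusion
     * event before the original exception is rethrown.
     */
    public static PlainText decrypt(CipherText ct) throws EncryptionException {
        Encryptor enc = ESAPI.encryptor();
        try {
            return enc.decrypt(ct);
        } catch (EncryptionException e) {
            // Record the event first. The configured ESAPI.IntrusionDetector
            // (reference implementation or AppSensor's) decides whether a
            // threshold has been crossed. If it has, and the configured action
            // is something like "disable" or "logout", addEvent throws an
            // unchecked IntrusionException, which propagates from here so the
            // caller fails closed; do not swallow it.
            ESAPI.intrusionDetector().addEvent(EVENT_NAME,
                    "Decryption failed: " + e.getMessage());
            // No threshold reached: surface the original failure unchanged.
            throw e;
        }
    }
}
```

Keep the log message free of ciphertext or key material: the message is handed to the detector and, with the reference implementation, to the ESAPI logger. The wrapper deliberately reports the failure whether or not a threshold fires, so a single bad ciphertext is still visible to the detector's counters even though the caller only sees the original EncryptionException.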