[Owasp-appsensor-project] ESAPI WAF Contribution

Kevin W. Wall kevin.w.wall at gmail.com
Tue Feb 14 02:11:34 UTC 2012


Looping in the AppSensor team...

Michael, John, Colin, et al,

On Thu, Feb 2, 2012 at 1:45 PM, James Manico <jim at manico.net> wrote:
> Looping in ESAPI leads...
>
> --
> Jim Manico
> VP, Security Architecture
> WhiteHat Security
> (808) 652-3805
>
> On Feb 2, 2012, at 8:42 AM, Jon Gill <jagill.vt at gmail.com> wrote:
>
> Hi Arshan & Jim,
>
> Roger and I had committed a contribution for ESAPI WAF back in August 2011.
> I was just pinging you both in case you had not seen it.
>
> http://code.google.com/p/owasp-esapi-java/issues/detail?id=244
>
> Thanks!
> Jon

Can you take a look at this work that Jon Gill and Roger Seagle
did regarding extending the ESAPI WAF and make sure that it is still
compatible with using AppSensor within ESAPI? I'm not sure
I could make an accurate assessment without diving significantly
into AppSensor. The changes to ESAPI WAF are limited to these 6
ESAPI source files:

    src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
    src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java
    src/main/java/org/owasp/esapi/waf/configuration/ConfigurationParser.java
    src/main/java/org/owasp/esapi/waf/rules/Rule.java
    src/main/java/org/owasp/esapi/waf/rules/SimpleVirtualPatchRule.java
    src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletRequest.java

If these changes are not compatible with using AppSensor with ESAPI, would
this be something that maybe the AppSensor gang would be interested in
considering with a similar extension?

Thanks,
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

