[Esapi-user] ESAPI 2.0 for Java & Risk Assessment
Chris Schmidt
chrisisbeef at gmail.com
Mon Aug 16 18:40:25 EDT 2010
Steven,
ESAPI 2.0 is currently undergoing a code review by the NSA for the 2.0
GA release. Tentative release timeframe will be fall - but this could
change.
ESAPI 2.0 RC7 will be available within the next few days with some bug
fixes to issues that were found in RC6 (some concurrency and singleton
issues) so I would definitely go with that instead, but you are more
than welcome to browse our bug database on Google Code at
http://owasp-esapi.googlecode.com
As for running this in production systems, the upgrade path from 2.0 RC7
-> 2.0 GA will be minor so provided any of the open bugs in Google Code
are not showstoppers for you, I would say pending an audit from your
internal dev/security teams it should be fine in production. I know that
several people are already using 2.0 in production applications and to
the best of my knowledge I have heard nothing that calls out a serious
risk to doing so.
Feel free to send along any questions that you may have during your
review and we will answer them as promptly as possible.
Thanks,
Chris Schmidt
On 8/16/2010 4:35 PM, Springett Steven wrote:
> I've recently 'discovered' ESAPI for Java and am evaluating 2.0. I'm
> trying to determine the risk involved in including 2.0rc6 in
> production code. Currently I'm utilizing the Randomizer and
> SecurityWrapper classes. Possibly more in the future.
>
> I haven't been able to find a roadmap or a list of known issues, so I
> haven't been able to collect enough information to make a decision
> yet. So, if any user of the Java 2.0 API can provide feedback on their
> experience with the API or even some classes/packages to stay away
> from for the time being, it would be very helpful.
>
> On a related note, is there a target date for 2.0?
>
> The apps I'm working on target Java 1.6.
>
> --Steve
>
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user