[Esapi-user] ESAPI 2.0 for Java & Risk Assessment

Chris Schmidt chrisisbeef at gmail.com
Mon Aug 16 18:40:25 EDT 2010


ESAPI 2.0 is currently undergoing a code review by the NSA for the 2.0 
GA release. Tentative release timeframe will be fall - but this could 

ESAPI 2.0 RC7 will be available within the next few days with some bug 
fixes to issues that were found in RC6 (some concurrency and singleton 
issues) so I would definately go with that instead, but you are more 
than welcome to browse our bug database on Google Code at


As for running this in production systems, the upgrade path from 2.0 RC7 
-> 2.0 GA will be minor so provided any of the open bug's in google code 
are not showstoppers for you, I would say pending an audit from your 
internal dev/security teams it should be fine in production. I know that 
several people are already using 2.0 in production applications and to 
the best of my knowledge I have heard nothing that calls out a serious 
risk to doing so.

Feel free to send along any questions that you may have during your 
review and we will answer them as promptly as possible.

Chris Schmidt

On 8/16/2010 4:35 PM, Springett Steven wrote:
> I've recently 'discovered' ESAPI for Java and am evaluating 2.0.  I'm 
> trying to determine the risk involved in including 2.0rc6 in 
> production code. Currently I'm utilizing the Randomizer and 
> SecurityWrapper classes. Possibly more in the future.
> I haven't been able to find a roadmap or a list of known issues, so I 
> haven't been able to collect enough information to make a decision 
> yet. So, if any user of the Java 2.0 API can provide feedback on their 
> experience with the API or even some classes/packages to stay away 
> from for the time being, it would very helpful.
> On a related note, is there a target date for 2.0?
> The apps I'm working on target Java 1.6.
> --Steve
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100816/2cc9df2f/attachment.html 

More information about the Esapi-user mailing list