[Esapi-user] ESAPI 2.0 for Java & Risk Assessment

Steve Springett sspringett at us.axway.com
Wed Aug 18 18:28:58 EDT 2010


Chris,

Thanks for the reply and the info. Much appreciated. Looking forward to 
integrating rc7 in our production code.

Thanks again,
Steve

> Date: Mon, 16 Aug 2010 16:40:25 -0600
> From: Chris Schmidt <chrisisbeef at gmail.com>
> Subject: Re: [Esapi-user] ESAPI 2.0 for Java & Risk Assessment
> To: esapi-user at lists.owasp.org
> Message-ID: <4C69BE59.2020402 at gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Steven,
>
> ESAPI 2.0 is currently undergoing a code review by the NSA for the 2.0
> GA release. Tentative release timeframe will be fall - but this could
> change.
>
> ESAPI 2.0 RC7 will be available within the next few days with some bug
> fixes to issues that were found in RC6 (some concurrency and singleton
> issues) so I would definitely go with that instead, but you are more
> than welcome to browse our bug database on Google Code at
>
> http://owasp-esapi.googlecode.com
>
> As for running this in production systems, the upgrade path from 2.0 RC7
> -> 2.0 GA will be minor so provided any of the open bugs in google code
> are not showstoppers for you, I would say pending an audit from your
> internal dev/security teams it should be fine in production. I know that
> several people are already using 2.0 in production applications and to
> the best of my knowledge I have heard nothing that calls out a serious
> risk to doing so.
>
> Feel free to send along any questions that you may have during your
> review and we will answer them as promptly as possible.
>
> Thanks,
> Chris Schmidt
>
> On 8/16/2010 4:35 PM, Springett Steven wrote:
>
>> I've recently 'discovered' ESAPI for Java and am evaluating 2.0.  I'm
>> trying to determine the risk involved in including 2.0rc6 in
>> production code. Currently I'm utilizing the Randomizer and
>> SecurityWrapper classes. Possibly more in the future.
>>
>> I haven't been able to find a roadmap or a list of known issues, so I
>> haven't been able to collect enough information to make a decision
>> yet. So, if any user of the Java 2.0 API can provide feedback on their
>> experience with the API or even some classes/packages to stay away
>> from for the time being, it would be very helpful.
>>
>> On a related note, is there a target date for 2.0?
>>
>> The apps I'm working on target Java 1.6.
>>
>> --Steve
>>