[Esapi-user] Recommending ESAPI?
dinis.cruz at googlemail.com
Sat Jan 9 19:48:02 EST 2010
Following the recent thread on Java 6 security and ESAPI, I just would like
to ask the following clarifications:
1) For an existing web application currently using a MVC framework (like
Spring or Struts) are we today (9th Jan 2009) officially recommending that
this web application development team adds OWASP's ESAPI.jar to the list of
'external' APIs (i.e. libs) they use, support and maintain?
2) When adopting the OWASP ESAPI's J2EE implementation, is ESAPI.jar ALL
they need to add? or are there other dependencies (i.e. jars) that also need to
be added, supported and maintained? (for example on the '*Dependencies'
section of the ESAPI Java
(i.e. Tab) it seems to imply that there are other *.jars needed)*
3) Where can I find detailed information about each of the 9 Security
Controls that ESAPI.jar currently supports: 1) Authentication, 2) Access
control, 3) Input validation, 4) Output encoding/escaping, 5) Cryptography,
6) Error handling and logging, 7) Communication security, 8) HTTP security
and 9) Security configuration? (I took this list of controls from the
to ESAPI pdf) <http://www.owasp.org/images/8/81/Esapi-datasheet.pdf>
*4) When adopting EASPI.jar, are we recommending that the developers should
adopt or retrofit their existing code on the areas affected by those 9
Security Controls? (i.e. code related to: Authentication, Access
control, Input validation, Output encoding/escaping, Cryptography, Error
handling and logging, Communication security, HTTP security and Security
*5) Should we recommend the adoption of ALL 9 Security Controls? or are
there some controls that are not ready today (9 Jan 2009) for production
environments and should not be recommended? (for example is the
'Authentication' control as mature as the 'Error handling and logging'
*6) Are there commercial (i.e. paid) support services available for the
companies who want to add ESAPI.jar to they application?*
7) What is the version of ESAPI.jar that we should recommend? the version
1.4 (which looks like a stable release) or the version 2.0 rc4 (which looks
like it is a Release Candidate)
8) Where can I find the documentation of where and how ESAPI should be used?
More importantly, where can I find the information of how it CAN NOT or
SHOULD NOT be used (i.e. the cases where even when the EASPI.jar are used,
the application is still vulnerable)
9) if there list of companies that have currently added ESAPI.jar to their
applications and have deployed it? (i.e. real world usage of EASPI)
10) Has the recommended ESAPI.jar (1.4 or 2.0 rc4) been through a security
review? and if so where can I read its report?
11) *when Jim says "... you can build a new secure app without an ESAPI. But
libs like OWASP ESAPI will get you there faster and cheaper....", do we
have peer-reviewed data that suports this claim? *
*12) Is there a roadmap or how-to for companies that wish to adopt ESAPI.jar
on an a) new application or b) existing real-world application'?*
*13) What about the current implementations of ESAPI for the other
languages. Are we also recommending their use?*
*14) If a development team decides to use (for example) Spring and ESAPI
together in their (new or existing) application, what are the recommended
'parts' from each of those APIs (Spring and EASPI) that the developers
should be using? (for example: a) use Encoding from ESAPI, b) use
Authentication from Spring, c) use Authorization from ESAPI, d) use Error
Handling from Spring, e) use Logging from ESAPI, etc...)*
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Esapi-user