[Esapi-user] Recommending ESAPI?

Dinis Cruz dinis.cruz at googlemail.com
Sat Jan 9 22:22:37 EST 2010

(CCing esapi-user list)

My view is that OWASP should NOT be providing these commercial services
(even if it could afford to).

For ESAPI to grow and be adopted, it needs to be commercially supported.

And it will happen; the only question I have is whether Aspect Security will do
it first, or whether somebody else will jump in and run with it.

Jeff & Dave, you need to make up your mind(s) on what you want to do with
Aspect and ESAPI in 2010 :)


2010/1/10 Mike Boberski <mike.boberski at gmail.com>

> Dinis, fair questions in my mind, BUT, I think your questions are not ones
> that can be answered in a single email, or even a single white paper or
> programming manual. They also, I think, over-simplify the "should I use ESAPI"
> question, not taking into account the other language versions for which some
> of these questions are either not applicable, or are answered differently
> based on language. I'm not sure that question #13 takes that into account
> when applied recursively to the other questions.
>
> Documentation is thin, to address one or two points specifically below. I wrote
> a design patterns doc that applies to all languages to explain how and under
> what circumstances one might consider customizing ESAPI (all languages); it's
> on the FAQ tab. Install guides and release notes are spotty across all
> languages; check out the PHP install guide and release notes to get an idea of
> what's to come in the future. Perhaps also check out the ESAPI datasheet
> ("Introduction to ESAPI"), also on the FAQ tab.
>
> Also, OWASP is a non-profit, so there are no professional software development
> services offered by OWASP. Also, the user tab has organizations who have been
> using ESAPI, although no white papers have been published describing "this is
> what I did with ESAPI"; that type of document, and documents like "this is how
> you build your own custom user/auth classes", are in the queue.
>
> I didn't realize how long this email got, sorry. The email caught my eye and I
> felt compelled to offer my $0.02. I'm sure Jim/Jeff will provide a
> point-by-point response.
>
> Best,
> Mike
>
> On Sat, Jan 9, 2010 at 7:48 PM, Dinis Cruz <dinis.cruz at googlemail.com> wrote:
>> Following the recent thread on Java 6 security and ESAPI, I just would
>> like to ask the following clarifications:
>> 1) For an existing web application currently using an MVC framework (like
>> Spring or Struts), are we today (9th Jan 2009) officially recommending that
>> this web application development team adds OWASP's ESAPI.jar to the list of
>> 'external' APIs (i.e. libs) they use, support and maintain?
>>
>> 2) When adopting the OWASP ESAPI J2EE implementation, is ESAPI.jar ALL
>> they need to add? Or are there other dependencies (i.e. jars) that also need to
>> be added, supported and maintained? (For example, the 'Dependencies'
>> section of the ESAPI Java EE page (i.e. tab)
>> <http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE>
>> seems to imply that other *.jars are needed.)
>>
>> 3) Where can I find detailed information about each of the 9 Security
>> Controls that ESAPI.jar currently supports: 1) Authentication, 2) Access
>> control, 3) Input validation, 4) Output encoding/escaping, 5) Cryptography,
>> 6) Error handling and logging, 7) Communication security, 8) HTTP security
>> and 9) Security configuration? (I took this list of controls from the
>> Introduction to ESAPI pdf <http://www.owasp.org/images/8/81/Esapi-datasheet.pdf>.)
>>
>> 4) When adopting ESAPI.jar, are we recommending that the developers
>> should adopt or retrofit their existing code in the areas affected by those
>> 9 Security Controls? (i.e. code related to: Authentication, Access
>> control, Input validation, Output encoding/escaping, Cryptography, Error
>> handling and logging, Communication security, HTTP security and Security
>> configuration)
>>
>> 5) Should we recommend the adoption of ALL 9 Security Controls? Or are
>> there some controls that are not ready today (9 Jan 2009) for production
>> environments and should not be recommended? (For example, is the
>> 'Authentication' control as mature as the 'Error handling and logging'
>> control?)
>>
>> 6) Are there commercial (i.e. paid) support services available for the
>> companies who want to add ESAPI.jar to their application?
>>
>> 7) What is the version of ESAPI.jar that we should recommend? Version
>> 1.4 (which looks like a stable release) or version 2.0 rc4 (which
>> looks like it is a Release Candidate)?
>>
>> 8) Where can I find the documentation of where and how ESAPI should be
>> used? More importantly, where can I find the information on how it CAN NOT
>> or SHOULD NOT be used (i.e. the cases where, even when ESAPI.jar is
>> used, the application is still vulnerable)?
>>
>> 9) Is there a list of companies that have currently added ESAPI.jar to their
>> applications and have deployed it? (i.e. real world usage of ESAPI)
>>
>> 10) Has the recommended ESAPI.jar (1.4 or 2.0 rc4) been through a security
>> review? And if so, where can I read its report?
>>
>> 11) When Jim says "... you can build a new secure app without an ESAPI.
>> But libs like OWASP ESAPI will get you there faster and cheaper....", do
>> we have peer-reviewed data that supports this claim?
>>
>> 12) Is there a roadmap or how-to for companies that wish to adopt
>> ESAPI.jar in a) a new application or b) an existing real-world application?
>>
>> 13) What about the current implementations of ESAPI for the other
>> languages? Are we also recommending their use?
>>
>> 14) If a development team decides to use (for example) Spring and ESAPI
>> together in their (new or existing) application, what are the recommended
>> 'parts' from each of those APIs (Spring and ESAPI) that the developers
>> should be using? (For example: a) use Encoding from ESAPI, b) use
>> Authentication from Spring, c) use Authorization from ESAPI, d) use Error
>> Handling from Spring, e) use Logging from ESAPI, etc...)
>>
>> Thanks
>>
>> Dinis Cruz
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user