[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jan 16 09:50:35 EST 2010


Kevin W. Wall wrote:
> Fabio Cerullo wrote:
>> Kevin,
>>
>> based on initial conversations with development they are planning to use AES
>> in order to create a cryptographically secure token in the same sense that a
>> CSPRNG does... nothing more, nothing less.
>>
>> so based on your answer I would recommend the use of a CSPRNG in case the
>> application server supports it or else use ESAPI as a replacement for
>> CSPRNG.
> 
> Fabio,
> 
> What I neglected to say, but should have, is that all commercial JavaEE
> application servers that I'm aware of (e.g., WebLogic Server, WebSphere,
> etc.) and many of the free ones (e.g., JBoss, Glassfish, etc.) already
> use a CSPRNG. So unless you are implementing your own session management,
> you probably don't need it. However, you should check the app server
> documentation or with your vendor to be sure.

I should have included Microsoft's IIS / ASP.NET in the above list.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
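Added illustration of the thread's recommendation (not code from the list or from ESAPI): a token generator backed by java.security.SecureRandom, the JDK's CSPRNG, with a predictable java.util.Random version beside it for contrast. Class and method names are my own.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example: a random token built directly from the platform CSPRNG,
// which is what the thread recommends instead of a home-grown AES construction.
public class TokenExample {
    // One SecureRandom instance, created once; the JDK handles seeding.
    private static final SecureRandom CSPRNG = new SecureRandom();

    /** Returns a URL-safe token carrying at least `bits` bits of entropy. */
    public static String secureToken(int bits) {
        if (bits < 128) {
            // Session and CSRF tokens should not fall below 128 bits.
            throw new IllegalArgumentException("token entropy below 128 bits");
        }
        byte[] raw = new byte[(bits + 7) / 8];
        CSPRNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Anti-pattern for contrast: java.util.Random has a 48-bit internal
     *  state and is reproducible from a few outputs, so it is not a CSPRNG. */
    public static String weakToken() {
        byte[] raw = new byte[16];
        new Random().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        System.out.println("csprng token: " + secureToken(128));
        System.out.println("weak token:   " + weakToken());
    }
}
```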
