[Esapi-user] [Owasp-leaders] Crypto attack and OWASP

Kevin W. Wall kevin.w.wall at gmail.com
Tue May 4 00:24:50 EDT 2010

Jim Manico wrote:
> We deprecated 1.4 encryption and are seeking bids for professional  
> cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI  
> to GA (general availability). I have stated on several occasions that  
> no one should be using ESAPI for cryptographic storage in production  
> apps - yet.
> However, I do have issue with the irresponsible nature of this  
> disclosure:
> > We leave the finding of these bugs as an exercise for readers
> And I know that members of OWASP would NEVER pull a stunt like this to  
> any vendor. Our ethics put community and open way above glory-seeking,  
> correct?

I plan on contacting Rizzo and Duong tomorrow. In the meantime, I have
created issue #120 on Google issues list to describe this security defect.
(In case anyone wishes to track it.)  As Jim and I have both stated on
numerous occasions, please do not use OWASP ESAPI crypto in ESAPI 2.0
until after we have had it reviewed by some qualified cryptographers.
As for crypto in ESAPI 1.4, I recommend avoiding it like the plague. ;-)

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
