[Esapi-user] [Esapi-dev] ESAPI WAF

Jim Manico jim.manico at owasp.org
Mon Nov 1 00:07:28 EDT 2010


I agree 100% Jeff. A production quality SWAF would be great for ESAPI!

But we need this to be production quality; the current WAF was dumped on 
ESAPI and never maintained. This kind of cowboy-coding must end. The 
ESAPI WAF is beta at best, and it's sold as production quality. It does 
not use the ESAPI logging mechanism, it dragged in dependencies, etc. It 
needs love before 2.0 goes GA.

- Jim

> My opinion is that every web application needs a way to quickly patch
> vulnerabilities when they are discovered until they can get fixed right.
> To me, this is a fundamental security control and something that falls
> squarely into the ESAPI mission.
>
> --Jeff
>
>
> -----Original Message-----
> From: esapi-dev-bounces at lists.owasp.org
> [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Monday, November 01, 2010 12:00 AM
> To: ESAPI-Developers; ESAPI Users List; Arshan Dabirsiaghi
> Subject: [Esapi-dev] ESAPI WAF
>
> Is anyone using the ESAPI WAF? I'd love to hear about your experiences
> with it.
>
> I personally want to remove it from the code-base, but I do acknowledge
> that it solves a crucial political itch for PCI-DSS that is important.
>
> Luckily, Arshan has offered to clean up that code before the 2.0
> release. :)
>
> Cheers,
> Jim


