[Esapi-user] ESAPI WAF

Jim Manico jim.manico at owasp.org
Tue Sep 14 22:31:03 EDT 2010

Thoughts from Arshan below.


From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com] 
Sent: Tuesday, September 14, 2010 9:32 PM
To: James Manico; ESAPI-Developers; esapi-user at lists.owasp.org
Subject: RE: ESAPI WAF




You may have to forward this on to the lists, since I'm not subscribed to


I understand your concerns. I think there are a few good reasons for keeping
it in:


1. This has been marketed as part of ESAPI (including its automatic
satisfaction of PCI requirements).

2. This has been piloted by multiple companies and may introduce limited
back breakage.

3. It's been in 2.0 RC builds for almost a year and has zero effect on
applications that don't use it.

4. It's a good piece of functionality that will probably die if removed from


I regret that the obvious incongruence with the rest of the ESAPI project
wasn't seen as a big enough deal to warrant a possible exclusion until now,
as opposed to when I started the work when I could have easily made it a
separate project.


Virtual patches are deployed by many companies, and the ESAPI WAF fills that
obvious need in the J2EE world nicely.





From: James Manico [mailto:jim at manico.net]
Sent: Tue 9/14/2010 9:07 PM
To: ESAPI-Developers; esapi-user at lists.owasp.org; Arshan Dabirsiaghi
Subject: ESAPI WAF

We would like to pull the ESAPI WAF from the core ESAPI project for
the 2.0 final release. It does not "fit" in the core project in a
number of ways and merits its own project.

Speak now or forever hold your peace.


-Jim Manico
http://manico.net
