[Esapi-user] use 1.4 or RC7

Kevin W. Wall kevin.w.wall at gmail.com
Mon Sep 20 19:11:21 EDT 2010


Weiler, Jim wrote:
> Hi Folks,
> 
> We're about to start using ESAPI Java and I'm trying to see how close V
> 2 RC7 is to GA. I've looked on the OWASP and Google sites to try to get
> a sense of RC7 stability - our app architecture folks are naturally
> hesitant to use RC level code. I thought I'd ask for some opinions here.

Jim,

Unless your company has some "issues" about using open source code that
is not yet *officially* GA, I'd recommend sticking with 2.0-RC7.  There have
been quite a few bug fixes in 2.0, only some of which have been back-ported
to 1.4. In addition, the symmetric encryption in ESAPI 1.4 was badly broken.
See "Why Is OWASP Changing ESAPI Encryption?" at
<http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-readme-crypto-changes.html>
for details on that.

Also, IMHO, the interfaces presented in ESAPI 2.0-rc7 are pretty solid, so
I don't really expect any difficulties in you migrating from 2.0-rc7 to the
2.0 GA version. It should just involve dropping in a new jar and retesting.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
