[Esapi-user] use 1.4 or RC7

Kevin W. Wall kevin.w.wall at gmail.com
Mon Sep 20 19:11:21 EDT 2010

Weiler, Jim wrote:
> Hi Folks,
> We're about to start using ESAPI Java and I'm trying to see how close V
> 2 RC7 is to GA. I've looked on the OWASP and Google sites to try to get
> a sense of RC7 stability - our app architecture folks are naturally
> hesitant to use RC level code. I thought I'd ask for some opinions here.
Unless your company has some "issues" about using open source code that
is not yet *officially* GA, I'd recommend sticking with 2.0-RC7.  There have
been quite a few bug fixes in 2.0, only some of which have been back-ported
to 1.4. In addition, the symmetric encryption in ESAPI 1.4 was badly broken.
See "Why Is OWASP Changing ESAPI Encryption?" at
for details on that.

Also, IMHO, the interfaces presented in ESAPI 2.0-rc7 are pretty solid, so
I don't really expect any difficulties in your migrating from 2.0-rc7 to the
2.0 GA version. It should just involve dropping in a new jar and retesting.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME