[Esapi-user] [Esapi-dev] It's SOUP!!!

Jeff Williams jeff.williams at owasp.org
Fri Feb 4 12:51:55 EST 2011


Hi Juan,

Is there a report or something that you can publish about your review?  This
kind of thing is invaluable for others to gain confidence in the security of
our work.

Thanks!

--Jeff


-----Original Message-----
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Calderon, Juan
Carlos (GE, Corporate, consultant)
Sent: Friday, February 04, 2011 9:29 AM
To: Kevin W. Wall; ESAPI-Developers; ESAPI-Users
Subject: Re: [Esapi-dev] It's SOUP!!!

I am very familiar with WAF, actually I did a line-by-line code review of
it.

ESAPI WAF uses an XML policy file for configuration that should be in your
$HOME/.esapi directory. If you wiped that file then I guess most of the test
cases will fail.

WAF also heavily uses ESAPI logging facilities, but I assume ESAPI is
working fine in your environment.

Regards,
Juan C Calderon

-----Original Message-----
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
Sent: Friday, February 04, 2011 1:34 AM
To: ESAPI-Developers; ESAPI-Users
Subject: [Esapi-dev] It's SOUP!!!

OK boys and girls, geeks and nerds, hackers, crackers, and anyone still
patient enough to read my emails...  I'll make this short...
really.

I've finished committing a bejillion things and closed out about
5 or so Google Issues.  The biggest changes were as a result of the crypto
review process done by the NSA as well as Jeff Walton.
(Jeff, would appreciate if you could take a quick look at the new
KeyDerivationFunction class. Thanks!)

Anyhow, as I've discussed with Jim, Chris, Jeff, and Arshan, the WAF JUnit
tests (and possibly some others related to access control) are failing
(well, giving 'errors' actually).
When I run all the tests, I am now getting something like 66 'errors'.
I never touched the WAF code so not sure what is going on, other than as I
mentioned in previous off-list emails that I did blow away my $HOME/.esapi
directory which had a lot of WAF and access control files populated in it.
It was shortly after I blew that directory away that I started noticing
these failures in the JUnit tests.  But Jim and Chris said to commit the
code anyhow and they would take a look at it.
For those of you who are ambitious, you might try retrieving and building
from the SVN trunk and see if you can reproduce it. It could just be my
environment.

For now, I'm off to bed. Will check back in later tomorrow.
Later,
-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree, is
by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

_______________________________________________
Esapi-dev mailing list
Esapi-dev at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-dev