[Esapi-user] [Esapi-dev] It's SOUP!!!

Chris Schmidt chris.schmidt at owasp.org
Fri Feb 4 13:01:36 EST 2011


Agreed 100% - It is also invaluable to the developers to ensure that they
are delivering the quality that we demand.

Thanks Juan!


On 2/4/11 10:51 AM, "Jeff Williams" <jeff.williams at owasp.org> wrote:

> Hi Juan,
> 
> Is there a report or something that you can publish about your review?  This
> kind of thing is invaluable for others to gain confidence in the security of
> our work.
> 
> Thanks!
> 
> --Jeff
> 
> 
> -----Original Message-----
> From: esapi-dev-bounces at lists.owasp.org
> [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Calderon, Juan
> Carlos (GE, Corporate, consultant)
> Sent: Friday, February 04, 2011 9:29 AM
> To: Kevin W. Wall; ESAPI-Developers; ESAPI-Users
> Subject: Re: [Esapi-dev] It's SOUP!!!
> 
> I am very familiar with WAF, actually I did a line-by-line code review of
> it.  
> 
> ESAPI WAF uses an XML policy file for configuration that should be in your
> $HOME/.esapi directory. If you wiped that file then I guess most of the test
> cases will fail.
> 
> WAF also heavily uses ESAPI logging facilities, but I assume ESAPI is
> working fine in your environment.
> 
> Regards,
> Juan C Calderon
> 
> -----Original Message-----
> From: esapi-dev-bounces at lists.owasp.org
> [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
> Sent: Friday, February 04, 2011 1:34 AM
> To: ESAPI-Developers; ESAPI-Users
> Subject: [Esapi-dev] It's SOUP!!!
> 
> OK boys and girls, geeks and nerds, hackers, crackers, and anyone still
> patient enough to read my emails...  I'll make this short...
> really.
> 
> I've finished committing a bejillion things and closed out about
> 5 or so Google Issues.  The biggest changes were as a result of the crypto
> review process done by the NSA as well as Jeff Walton.
> (Jeff, would appreciate if you could take a quick look at the new
> KeyDerivationFunction class. Thanks!)
> 
> Anyhow, as I've discussed with Jim, Chris, Jeff, and Arshan, the WAF JUnit
> tests (and possibly some others related to access control) are failing
> (well, giving 'errors' actually).
> When I run all the tests, I am now getting something like 66 'errors'.
> I never touched the WAF code so not sure what is going on, other than as I
> mentioned in previous off-list emails that I did blow away my $HOME/.esapi
> directory which had a lot of WAF and access control files populated in it.
> It was shortly after I blew that directory away that I started noticing
> these failures in the JUnit tests.  But Jim and Chris said to commit the
> code anyhow and they would take a look at it.
> For those of you who are ambitious, you might try retrieving and building
> from the SVN trunk and see if you can reproduce it. It could just be my
> environment.
> 
> For now, I'm off to bed. Will check back in later tomorrow.
> Later,
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree, is
> by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
> 
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
