[Esapi-user] WAF

Christian Heinrich christian.heinrich at owasp.org
Sun Mar 6 23:51:41 EST 2011


Kevin,

On Fri, Feb 4, 2011 at 6:34 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> Anyhow, as I've discussed with Jim, Chris, Jeff, and Arshan,
> the WAF JUnit tests (and possibly some others related to
> access control) are failing (well, giving 'errors' actually).
> When I run all the tests, I am now getting something like 66
> 'errors'.  I never touched the WAF code so not sure what is
> going on, other than as I mentioned in previous off-list
> emails that I did blow away my $HOME/.esapi directory which
> had a lot of WAF and access control files populated in it.
> It was shortly after I blew that directory away that I started
> noticing these failures in the JUnit tests.  But Jim and Chris
> said to commit the code anyhow and they would take a look at it.
> For those of you who are ambitious, you might try retrieving and
> building from the SVN trunk and see if you can reproduce it. It
> could just be my environment.

I am involved with the update to WAFEC and I have proposed that it
include an evaluation of a number of WAF implementations i.e. IronBee
and ModSecurity as per
http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/000036.html

I would be interested in including ESAPI-WAF to this scope as an
software example based on Java.

>From reading the mailing list archive and
http://code.google.com/p/owasp-esapi-java/issues/list?q=waf I
understand there might (not) be some issues with the current RC source
which I would be interested in attempting to resolve.

Is this of interest and if so what are the next steps?

I would recommend that this be undertaken in a new SVN repository (to
that of ESAPI) so that I don't delay the 2.0 release.

Please let me know your thoughts?


-- 
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh


More information about the Esapi-user mailing list