[Esapi-user] WAF

Jim Manico jim.manico at owasp.org
Tue Mar 8 01:16:36 EST 2011


I agree 100% that the ESAPI WAF should be split out into its own
project. Arshan (the original author) asked for this in the first place!

How about we start a new project: owasp-java-waf to work on this code
standalone?

Arshan, are you ok with this sir?

- Jim

> Kevin,
> 
> On Fri, Feb 4, 2011 at 6:34 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> Anyhow, as I've discussed with Jim, Chris, Jeff, and Arshan,
>> the WAF JUnit tests (and possibly some others related to
>> access control) are failing (well, giving 'errors' actually).
>> When I run all the tests, I am now getting something like 66
>> 'errors'.  I never touched the WAF code so not sure what is
>> going on, other than as I mentioned in previous off-list
>> emails that I did blow away my $HOME/.esapi directory which
>> had a lot of WAF and access control files populated in it.
>> It was shortly after I blew that directory away that I started
>> noticing these failures in the JUnit tests.  But Jim and Chris
>> said to commit the code anyhow and they would take a look at it.
>> For those of you who are ambitious, you might try retrieving and
>> building from the SVN trunk and see if you can reproduce it. It
>> could just be my environment.
> 
> I am involved with the update to WAFEC and I have proposed that it
> include an evaluation of a number of WAF implementations i.e. IronBee
> and ModSecurity as per
> http://lists.webappsec.org/pipermail/wasc-wafec_lists.webappsec.org/2011-February/000036.html
> 
> I would be interested in including ESAPI-WAF to this scope as a
> software example based on Java.
> 
> From reading the mailing list archive and
> http://code.google.com/p/owasp-esapi-java/issues/list?q=waf I
> understand there might (not) be some issues with the current RC source
> which I would be interested in attempting to resolve.
> 
> Is this of interest and if so what are the next steps?
> 
> I would recommend that this be undertaken in a new SVN repository (to
> that of ESAPI) so that I don't delay the 2.0 release.
> 
> Please let me know your thoughts?
> 
> 


