[Esapi-user] what is the status of c++/c modules comparing to Java or Python?

Kevin W. Wall kevin.w.wall at gmail.com
Fri Oct 14 09:19:05 EDT 2011

On Fri, Oct 14, 2011 at 2:31 AM, Tzury Bar Yochay
<tzury.by at reguluslabs.com> wrote:
> Being interested in integrating the ESAPI into an existing C server,
> I was wondering about those two, C and C++, whether they are made equal in terms of features list,
> and what is there in the Java/Python which is not yet supported in the C and C++ modules.
> Is there a comparison table available anywhere?

Hi. First of all, I would say both the C and C++ versions are scaled way back in
comparison to the security components of the Java implementation.

Secondly, it should be noted that neither the C nor C++ versions have even
had any release candidates built for them, so clearly neither is ready for
prime time. At this point, they should at best be considered alpha quality.
The ESAPI for C project has not had much activity on it since March, while
the ESAPI for C++ project has two project committers in particular
(Jeff Walton and Daniel Amodio) who have been going like game busters.

Thirdly, it should be mentioned that the ESAPI for C project seems to have
been built on ESAPI 1.4 (Java version), whereas the ESAPI for C++ project
is based on the ESAPI 2.0 Java version. In particular, this means that the
crypto in the ESAPI for C project is broken and should be avoided. Not
sure how long until it gets fixed but there are a lot of pretty good crypto
libraries for C out there. (Please contact me off list if you want

Lastly, there is a traditional 'scorecard' comparison of security components
provided and whether they are based on ESAPI 1.4 or 2.0 in a talk I gave
to our local OWASP chapter back in August that you can find here:
The scorecard is on slide # 23. The ESAPI for C project is not included
here (lack of space; all told, there are something like 13 or 14
language implementations in various stages at last count), but the
ESAPI for C++ is described here.  Some day, with the help of all
the individual ESAPI project leads, I'd like to do something more like
a 'gradecard' than just a simple 'scorecard', where we have an
honest self-assessment of which security controls are enterprise
ready by grading them A, B, C, etc. I'll probably wait until ESAPI
moves to SourceForge for that and then work with Chris Schmidt
to make that happen.

Anyhow, hope that helps a bit to add some clarity.
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
