[Esapi-user] what is the status of c++/c modules comparing to Java or Python?

Tzury Bar Yochay tzury.by at reguluslabs.com
Fri Oct 14 09:38:49 EDT 2011


Thanks for the long and detailed answer.
If I get you right, the bottom line is that Java is the way to go if one
wishes to get the most out of ESAPI.
Even python which seems to have all features is based on version 1.4.

Am I right?

On Fri, Oct 14, 2011 at 3:19 PM, Kevin W. Wall <kevin.w.wall at gmail.com>wrote:

> On Fri, Oct 14, 2011 at 2:31 AM, Tzury Bar Yochay
> <tzury.by at reguluslabs.com> wrote:
> >
> > Being interested in integrating ESAPI into an existing C server,
> > I was wondering about those two, C and C++: whether they are made equal in
> > terms of feature list,
> > and what there is in the Java/Python versions which is not yet supported in the C
> > and C++ modules.
> > Is there a comparison table available anywhere?
> Hi. First of all, I would say both the C and C++ versions are scaled way
> back in comparison to the security components of the Java implementation.
> Secondly, it should be noted that neither the C nor C++ versions have even
> had any release candidates built for them, so clearly neither are ready for
> prime time. At this point, they should at best be considered alpha quality.
> The ESAPI for C project has not had much activity on it since March, while
> the ESAPI for C++ project has two project committers in particular
> (Jeff Walton and Daniel Amodio) who have been going like game busters.
> Thirdly it should be mentioned that the ESAPI for C project seems to have
> been built on ESAPI 1.4 (Java version), whereas the ESAPI for C++ project
> is based on the ESAPI 2.0 Java version. In particular, this means that the
> crypto in the ESAPI for C project is broken and should be avoided. Not
> sure how long until it gets fixed but there are a lot of pretty good crypto
> libraries for C out there. (Please contact me off list if you want
> recommendations.)
> Lastly, there is a traditional 'scorecard' comparison of security
> components provided and whether they are based on ESAPI 1.4 or 2.0 in a talk I gave
> to our local OWASP chapter back in August that you can find here:
> https://www.owasp.org/index.php/File:OWASP_ESAPI-2011.ppt
> The scorecard is on slide # 23. The ESAPI for C project is not included
> here (lack of space; all told, there are something like 13 or 14
> language implementations in various stages at last count), but the
> ESAPI for C++ is described here.  Some day, with the help of all
> the individual ESAPI project leads, I'd like to do something more like
> a 'gradecard' than just a simple 'scorecard', where we have an
> honest self-assessment of which security controls are enterprise
> ready by grading them A, B, C, etc. I'll probably wait until ESAPI
> moves to SourceForge for that and then work with Chris Schmidt
> to make that happen.
> Anyhow, hope that helps a bit to add some clarity.
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents."        -- Nathaniel Borenstein