[Esapi-user] Using ESAPI for security in our Web Application

Kevin W. Wall kevin.w.wall at gmail.com
Mon Dec 10 04:59:58 UTC 2012

On Sun, Dec 9, 2012 at 10:55 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Sun, Dec 9, 2012 at 10:37 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> Virtually every compilation error involving ESAPI is going to be some sort
>> of class path problem. There are close to 30 dependencies for ESAPI.
> 30 dependencies? Ouch. That's 30 points of failure outside your control.

Hey, what can I say? I'm not trying to defend it. It's widely recognized
as a major issue and probably has done more to keep ESAPI 2.x
from being adopted than any other single factor.

Unfortunately, it was designed as a monolithic security API and
it's difficult to change without major changes to the architecture
and almost certainly breaking backward compatibility in some
areas as well.

I have been making some progress in slowly whittling down
3rd party dependencies; I have an experimental branch (still
not committed) where I've replaced AntiSamy with the OWASP
Java HTML Sanitizer project and that dropped the # of
dependencies by about 4 or 5 IIRC.

However, since I've been working on other things (e.g., a few
OWASP cheat sheets, the OWASP dev guide, John Steven's
Password Storage, GSoC AppSensor project, etc.) and haven't
been able to garner any other volunteer help, things are going
much slower than desired.

> I guess now is a good time to ask: what procedures are in place to
> make sure ESAPI is always current with respect to its dependencies?
> Does ESAPI reference the external repos to ensure the externals are
> always up to date?

In the experimental branch that I have (again, not committed),
I am using Grant Murphy's (from RedHat) enforce-victims-rule
Maven plugin (https://github.com/gcmurphy/enforce-victims-rule).
It at least tells you when updates to dependencies and other
plugins are available.  That's probably the best I can do in the
short term.  Of course, even if there are updates identified, one
has to retest and fix anything that breaks as a result of updating
a dependency, so it doesn't do all the work for you, but it's a
good start.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
