<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<body text="#000000" bgcolor="#ffffff">
<small><font face="Helvetica, Arial, sans-serif">Chris,</font></small> <br>
<small><font face="Helvetica, Arial, sans-serif">Thanks for the reply
and the info. Much appreciated. Looking forward to integrating rc7 in
our production code.<br>
<pre wrap="">Date: Mon, 16 Aug 2010 16:40:25 -0600
From: Chris Schmidt <a class="moz-txt-link-rfc2396E" href="mailto:email@example.com"><firstname.lastname@example.org></a>
Subject: Re: [Esapi-user] ESAPI 2.0 for Java & Risk Assessment
To: <a class="moz-txt-link-abbreviated" href="mailto:email@example.com">firstname.lastname@example.org</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:4C69BE59.email@example.com"><4C69BE59.firstname.lastname@example.org></a>
Content-Type: text/plain; charset="iso-8859-1"
ESAPI 2.0 is currently undergoing a code review by the NSA for the 2.0
GA release. Tentative release timeframe will be fall - but this could
ESAPI 2.0 RC7 will be available within the next few days with some bug
fixes to issues that were found in RC6 (some concurrency and singleton
issues) so I would definitely go with that instead, but you are more
than welcome to browse our bug database on Google Code at
<a class="moz-txt-link-freetext" href="http://owasp-esapi.googlecode.com">http://owasp-esapi.googlecode.com</a>
As for running this in production systems, the upgrade path from 2.0 RC7
-> 2.0 GA will be minor so provided any of the open bugs in google code
are not showstoppers for you, I would say pending an audit from your
internal dev/security teams it should be fine in production. I know that
several people are already using 2.0 in production applications and to
the best of my knowledge I have heard nothing that calls out a serious
risk to doing so.
Feel free to send along any questions that you may have during your
review and we will answer them as promptly as possible.
On 8/16/2010 4:35 PM, Springett Steven wrote:
<pre wrap="">I've recently 'discovered' ESAPI for Java and am evaluating 2.0. I'm
trying to determine the risk involved in including 2.0rc6 in
production code. Currently I'm utilizing the Randomizer and
SecurityWrapper classes. Possibly more in the future.
I haven't been able to find a roadmap or a list of known issues, so I
haven't been able to collect enough information to make a decision
yet. So, if any user of the Java 2.0 API can provide feedback on their
experience with the API or even some classes/packages to stay away
from for the time being, it would be very helpful.
On a related note, is there a target date for 2.0?
The apps I'm working on target Java 1.6.