[Owasp-board] [Esapi-dev] ESAPI Java and Authenticated encryption implementation

Jim Manico jim.manico at owasp.org
Thu Aug 22 21:38:18 UTC 2013

The next step is to give Kevin and Chris some time to make a public disclosure statement. I am fairly sure they are both willing to do the right thing here since the cat is already out of the bag. If there is no action in this front, I'll do it myself - but I'd much rather see this come from the ESAPI project leaders.

Unfortunately, the reporting individual decided to disclose publicly instead of giving us the time to fix it first. If the disclosure was private, then I think Kevin and Chris should have been given the time to patch before the official bug report. The only reason I think we need to make a public official statement on this now is because the bad guys already have this information. 

Right now there are over 4000 organizations that depend on ESAPI for security of critical systems. We need to let them know they are depending on insecure software and provide guidance as to how to fix the problem.

Transparency does two things : it breeds trust and it defeats cronyism.

Kevin Wall and Chris Schmidt have spent countless hours working on ESAPI. In no way do I want to shame them.

But this bug is so critical, that I think we should be willing to pay Kevin or someone else to invest serious time in providing a major revision of ESAPI (version 2.5?) that fixes this problem as soon as possible.

My 2 cents,
- Jim

> Hmm... Good point, Jim.
> What next, indeed! Can we have some suggestions on how to move forward with
> this issue? Kevin and Chris, I would like to hear your thoughts on how we
> can rectify the situation.
> On Thu, Aug 22, 2013 at 12:30 PM, Kevin W. Wall <kevin.w.wall at gmail.com>wrote:
>> Jim... agree. In this specific case, using GitHub would not make a
>> difference. The person reported this referenced the Google Code site and
>> for whatever reason chose to post to the ESAPI Dev mailing list rather than
>> submitting a Google issue. (Not that I'm against using GitHub though. Chris
>> and I have discussed it.)
>> -kevin
>> Sent from my Droid; please excuse typos.
>> On Aug 22, 2013 3:24 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>> Google Code offers bug tracking and anyone can submit a patch to us...
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>> On Aug 22, 2013, at 9:06 PM, Dennis Groves <dennis.groves at owasp.org>
>>> wrote:
>>>> This is a great reason for the code to be in github, we could then
>>> leverage the github infrastructure for bug tracking to identify and
>>> communicate serious issues such as this, as well as giving the community
>>> open access to fix it.
>>>> On 22 Aug 2013, at 3:45, Michael Coates wrote:
>>>>> I am curious about the disclosure policy / approach for reported
>>>>> vulnerabilities in code we provide. Who is the current esapi leader we
>>> should ask?
>>>> [Dennis Groves](http://about.me/dennis.groves), MSc
>>>> [Email me](mailto:dennis.groves at owasp.org) or [schedule a meeting](
>>> http://goo.gl/8sPIy).
>>>>    Unless someone like you...cares a whole awful lot...
>>>>    nothing is going to get better...It's not."
>>>>                                            -- The Lorax

More information about the Owasp-board mailing list