[Owasp-board] ESAPI

Jim Manico jim.manico at owasp.org
Wed Jan 16 06:38:12 UTC 2013

I agree 100%, Seba. I feel the current release of ESAPI is not super stable or at the right quality level. I agree that paying a developer is 100% only a short-term solution to get the project to a "well" state. We totally need to revisit how to keep ESAPI relevant and useful in support of our mission.

On a bigger note, I would love to see all of the secure coding tool projects (OWASP Reform, the many ESAPI sub-projects, Java HTML Sanitizer, Java JSON Sanitizer, Java OWASP Encoder and AntiSamy) brought under a well-managed umbrella.

I keep a close eye and help run these three Java secure coding projects:

1) https://www.owasp.org/index.php/OWASP_JSON_Sanitizer
2) https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
3) https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

I actually recruited the developers for these three projects. Jeff Ichnowski is a PhD computer scientist into compiler theory. Mike Samuel is from the Google AppSec team and wrote his HTML parser from scratch and has the chops to do it. AND THEY FULLY MAINTAIN THESE PROJECTS. I've seen motion on all three projects in the last 2 weeks. The quality of the code of these projects is very high compared to the others in this category, and they are all made for Google-level high performance computing for web apps/services. These three are the real deal.

The OWASP Reform Encoder http://code.google.com/p/reform/source/list is actually quite useful as it is, it's not super high performance but it is reasonable and simple code and approach. It has not been updated since 2008 so I consider this abandoned.

AntiSamy is also an abandoned project with major existing bugs and low activity since 2010.

ESAPI for Java (the main version of ESAPI) lost major activity and momentum in July 2011.

Now my thoughts on moving forward:

1) I think investing in an encoding library for every language (OWASP Reform) is a great idea. I would love someone to pick up Reform and update it.
2) ESAPI for Java is the flagship part of ESAPI. I'd love to pay to have a developer squash the existing major bugs and push out a few more releases. I agree, this is just a temporary solution, but one that I think is necessary if we want to positively influence developers.

- Jim 

> Hi Jim
> sounds like a good suggestion for the short term
> on longer term, ESAPI needs a committed project manager and project/support
> team to evolve it in the de facto standard security framework
> example/implementation supported by a reliable community
> Samantha: what are your thoughts?
> --seba
> On Tue, Jan 15, 2013 at 9:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> We have 5k in funding for ESAPI. ESAPI for Java is the main version of
>> Most everyone who was on the project dropped out, myself included.
>> Kevin Wall is the "last man standing" working on the project. And frankly,
>> his code is the highest quality - by far - on the project.
>> Can we spend some of the 5k in ESAPI funding to pay Kevin to finish the
>> next release?
>> He did not ask for this, this is my suggestion to use funds to move a key
>> project along in support of our mission.
>> - Jim
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board