[Owasp-board] ESAPI

Jim Manico jim.manico at owasp.org
Wed Jan 16 19:55:06 UTC 2013


ESAPI may be flagship from an OWASP point of view, but as a software engineer of almost 20 years, and as someone who has seen dozens of organizations try to use ESAPI for Java...

...ESAPI is not even close to production quality. It's a great research project, and has a lot of excellent code, and is very usable. But as a project that is drop-in ready to use for secure coding at a level of professionalism as, say, Apache projects? No way, and that is ok.


I feel we should either:

1) Demote ESAPI away from Flagship until it can be cleaned up and updated.
2) Spend some $ to pay an engineer to update it.

But leaving ESAPI as Flagship without updating it while it is largely inactive is 100% unacceptable in my mind. It makes us look like a laughingstock in the developer community even if it makes us look good in the security community.

- Jim



> Hello Seba and Jim,
> 
> I certainly do think that ESAPI needs a committed project leader and a
> dedicated project support team to help take it to the next level of
> development. As ESAPI is one of our Flagship projects, I see nothing wrong
> with giving the initiative an extra amount of support from the foundation.
> That being said, the amount of support we choose to give this project will
> need to be reproduced for at least all 15 Flagship projects. I suggest we
> keep this in mind when discussing how to provide support to ESAPI.
> 
> SG
> 
> On Wed, Jan 16, 2013 at 6:13 AM, Seba <seba at owasp.org> wrote:
> 
>> Hi Jim
>> sounds like a good suggestion for the short term
>> on longer term, ESAPI needs a committed project manager and
>> project/support team to evolve it into the de facto standard security
>> framework example/implementation supported by a reliable community
>>
>> Samantha: what are your thoughts?
>>
>> --seba
>>
>>
>> On Tue, Jan 15, 2013 at 9:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> We have 5k in funding for ESAPI. ESAPI for Java is the main version of
>>> ESAPI.
>>>
>>> Most everyone who was on the project dropped out, myself included.
>>>
>>> Kevin Wall is the "last man standing" working on the project. And
>>> frankly, his code is the highest quality - by far - on the project.
>>>
>>> Can we spend some of the 5k in ESAPI funding to pay Kevin to finish the
>>> next release?
>>>
>>> He did not ask for this, this is my suggestion to use funds to move a key
>>> project along in support of our mission.
>>>
>>> - Jim
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>
>>
> 
> 


