[Owasp-board] ESAPI - results
jim.manico at owasp.org
Sat Jun 14 20:29:58 UTC 2014
There are still major security bugs and design flaws in the current ESAPI
1) Singleton design leads to concurrency bugs
2) Poor use of random generation affects CSRF tokens and other areas...
I could go on, see...
... for the 169 existing bugs recorded against ESAPI for Java.
Can we make fixing at least some of these a condition for flagship?
On Jun 15, 2014, at 4:21 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
Hi Board members
After doing some testing and source code analysis of ESAPI, and contacting
their project leaders I can conclude that:
- The only project that can be considered as Flagship is ESAPI Java
- There are no future plans for the other projects to continue
- Other projects have become outdated and have come to the end of their
- There is very little participation from the community in these projects, including ESAPI Java
ESAPI Java is surviving but is not as strong compared to ZAP, for example.
Kevin is the only active contributor so far, and this is not a good sign for the sustainability of a project.
I think it will be fair to say that we can allow ESAPI Java to be there because of its maturity level for a while more, but we need to monitor its progress in the coming months.
I propose we update this info, but I would like to know your opinion.
I'm going to do some code analysis on ESAPI Java for vulnerabilities, and that will be my final test.
The other projects will be set as inactive in the Wiki.
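An added illustration of the two points Jim raises above (a process-wide shared generator, and CSRF tokens drawn from a non-cryptographic PRNG). This is example code written for this thread, not ESAPI code and not a description of ESAPI's actual implementation. It assumes a hypothetical application that mints CSRF tokens from a single shared java.util.Random; the 48-bit LCG constants are the ones documented for java.util.Random, re-implemented here in Python so the attack can be run offline. With a shared generator, an attacker's own requests interleave with the victim's, so observing a few of their own tokens gives them consecutive outputs, and two consecutive nextInt() values leave only 16 unknown bits of state to brute-force. The secure variant uses the OS CSPRNG via the secrets module and compares tokens in constant time.

```python
import hmac
import secrets

# java.util.Random: state = (state * MULT + ADD) & MASK; nextInt() = top 32 bits.
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


class JavaRandom:
    """Minimal re-implementation of java.util.Random.nextInt() (no arguments).
    Outputs are kept unsigned here; Java would return them as signed ints."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK

    def next_int(self):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> 16


def weak_csrf_token(rng):
    """Hypothetical weak token: 8 hex digits straight from a shared Random."""
    return "%08x" % rng.next_int()


def recover_state(observed):
    """Given >= 2 consecutive nextInt() outputs, brute-force the 16 hidden low
    bits of the state behind the first one, verify the guess against the
    remaining outputs, and return the full 48-bit state after the last one."""
    first = observed[0]
    for low in range(1 << 16):
        state = (first << 16) | low
        ok = True
        for expected in observed[1:]:
            state = (state * MULT + ADD) & MASK
            if state >> 16 != expected:
                ok = False
                break
        if ok:
            return state
    return None


def predict_next(state):
    """Next nextInt() output from a recovered state."""
    return ((state * MULT + ADD) & MASK) >> 16


def demo_prediction(seed):
    """Attacker observes three of their own tokens, then predicts the token
    the shared generator hands to the next (victim) request.
    Returns (predicted_token, actual_victim_token)."""
    shared = JavaRandom(seed)  # constructed: one Random shared by all requests
    attacker_tokens = [weak_csrf_token(shared) for _ in range(3)]
    victim_token = weak_csrf_token(shared)
    state = recover_state([int(t, 16) for t in attacker_tokens])
    predicted = "%08x" % predict_next(state) if state is not None else None
    return predicted, victim_token


def secure_csrf_token():
    """256 bits from the OS CSPRNG; per-session, not a shared PRNG stream."""
    return secrets.token_hex(32)


def csrf_token_matches(expected, presented):
    """Constant-time comparison so a token cannot be guessed byte by byte."""
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    print(demo_prediction(0xC0FFEE))
```

The brute force is 65,536 candidates and completes well under a second; the third observed token only serves to rule out the rare candidate whose top 32 bits collide by chance. The fix is not a different seed but a different generator (SecureRandom in Java, secrets here) plus a comparison that does not short-circuit on the first mismatching byte.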