[Owasp-board] ESAPI - results

Jim Manico jim.manico at owasp.org
Sat Jun 14 20:29:58 UTC 2014

There are still major security bugs and design flaws in the current ESAPI
for Java:

1) Singleton design leads to concurrency bugs
2) Poor use of random generation affects CSRF tokens and other areas...

I could go on, see...


... for the 169 existing bugs recorded against ESAPI for Java.

Can we make fixing at least some of these a condition for flagship?

Jim Manico
(808) 652-3805

On Jun 15, 2014, at 4:21 AM, johanna curiel curiel <johanna.curiel at owasp.org>

Hi Board members

After doing some testing and source code analysis of ESAPI, and contacting
their project leaders I can conclude that:

   - The only project that can be considered as Flagship is ESAPI Java
   - There are no future plans for the other projects to continue
   - Other projects have become outdated and have come to the end of their
   development cycle
   - There is very little participation from the community in these
   projects, including ESAPI Java

ESAPI Java is surviving but is not as strong as ZAP, for example.
Kevin is the only active contributor so far, and this is not a good sign
for the sustainability of a project.

I think it will be fair to say that we can allow ESAPI Java to stay there
because of its maturity level for a while more, but we need to monitor its
progress in the coming months.

I propose we update this info but I would like to know your opinion.

I'm going to do some code analysis on ESAPI Java for vulnerabilities, and
that will be my final test.

The other projects will be set as inactive in the Wiki.



Owasp-board mailing list
Owasp-board at lists.owasp.org