[Owasp-board] ESAPI - results

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jun 14 21:42:17 UTC 2014


On Sat, Jun 14, 2014 at 4:29 PM, Jim Manico <jim.manico at owasp.org> wrote:
> There are still major security bugs and design flaws in the current ESAPI
> for Java:
>
> 1) Singleton design leads to concurrency bugs
> 2) Poor use of random generation affects CSRF tokens and other areas...
>
> I could go on, see...
>
> https://code.google.com/p/owasp-esapi-java/issues/list?can=2&q=&sort=priority&colspec=ID%20Type%20Status%20Priority%20Milestone%20Component%20Owner%20Summary
>
> ... for the 169 existing bugs recorded against ESAPI for Java.
>
> Can we make fixing at least some of these a condition for flagship?

Sure, as long as you agree if any of it is in code that you wrote, you
have to fix it! :)

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.

