[Owasp-board] ESAPI - results

Kevin W. Wall kevin.w.wall at gmail.com
Sun Jun 15 01:13:53 UTC 2014


On Sat, Jun 14, 2014 at 8:48 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Kevin,
>
> I will jump back in and help, but I want to say it again, my only goal
> here is to make sure we do not call a security library a production
> ready security library when it itself has significant security
> vulnerabilities and functionality bugs.

I have no problem with that. I never claimed that it was "production ready"
in the first place, at least if viewed as a whole. Perhaps some pieces like
the encoders were, but there were other parts that were nothing more
them toy reference implementations.

> But let me flip the question, what bugs do •you• think needs fixing
> before ESAPI for Java can be deemed production quality?
>
> Perhaps we could triage the list and make a proposal/suggestion to
> Johanna? I'll help rally other folks to help if you do....

That sounds good. I'll have to go thru the list as I don't really want
to shoot from the hip here. Also, I think that we should do this in
terms of reassessing the context. That is specifically, I think we should
deal with the realistic assumption that it is unlikely there will be
an ESAPI 3.0 (at least anytime soon, and by "soon" I mean within
a year or less) and just try to reach a point of stability where ESAPI
is not bleeding too badly. To me, that means that we would accept
it with most of its present warts (e.g., the 30 or so dependencies
that it presently has -- at least for now) and focus on bug fixing
and finishing the documentation such that we don't get the same
questions coming up in Stack Overflow over and over again. (Example:
where is the HOW-TO FAQ? Oh, we don't have one.)

So, I'll get back to you on this in a couple of days. (Okay,
maybe not until Wed or Thursday as I have a local OWASP
chapter meeting on Tues evening and a few World Cup
matches to watch between now and then. :)

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.


More information about the Owasp-board mailing list