[Owasp-board] ESAPI libraries-preliminary tests results
Jim Manico
jim.manico at owasp.org
Tue Jun 17 13:00:58 UTC 2014
Josh,
This is the way to go. Don't expect them to join us, we need to join them.
* In the Java world, there is the JCP (Java Community Process) and other
languages have similar communities. Milton Smith is a great egg and a
good friend, but he will just direct us to join the JCP and participate
in building the next version of Java (Java 9/10 are being worked on now).
* .NET just open sourced most of .NET. Our best bet is to join
dotnetfoundation.org and participate there.
Josh, right on. I am with you on this mission 100%, it's the right path.
Go to them, do not expect them to come to us as OWASP stands today.
- Jim
> I had an interesting conversation with Mark Curphey while he was in
> Austin this week and at one point we got to talking about ESAPI.
> Personally, I love the idea of having functions that you can call to
> ensure security of your code, but it did get me wondering if the API
> approach was the best one. Thinking at a higher level, what if OWASP
> tried to foster relationships with the companies and organizations who
> are actually writing the languages themselves and tried to influence
> that way? For example, we could start talking with Oracle about Java
> security and try to contribute directly to the security of Java
> itself, rather than trying to write an API around it. I would be
> happy to make an introduction to Milton Smith, the Sr. Principal
> Product Security Manager at Oracle for Java. He was involved with
> OWASP Austin before moving to take the job with Oracle. For .NET,
> Mark said that he could make introductions to the right people at
> Microsoft and I know Michael Howard, who would likely be happy to
> introduce us to the right people as well. In any case, what if we
> threw out the notion of an Enterprise Security API entirely and
> instead tried to bake that functionality directly into the product so
> that it was secure by default? What do you think?
>
> ~josh
>
>
> On Thu, Jun 12, 2014 at 8:44 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>
> On Thu, Jun 12, 2014 at 8:40 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> > Hi Esapi Team members
> >
> > I have begun with the verification process of activity level in the ESAPI libraries. Based on the activity level I'll continue to create test cases for those libraries that are being actively maintained or show a significant level of maturity.
> >
> > From these preliminary tests I have checked and created tasks in JIRA for:
> >
> > Perl ==> Last maintained 3 years ago
> > C++
> > Python ==> last release from 3 years ago
> > .NET ==> last release from 3 years ago
> > C ==> Source code last updated 2 years ago
> > Java
> > Classic ASP ==> last release from 3 years ago
> >
> > The projects highlighted in yellow have a very low development activity but also very little participation of the community.
> >
> > The other projects show a significant maturity level and activity.
> >
> > I must say that all of the ESAPI projects show a high level of code development but the yellow ones have not been maintained in a long time.
> >
> > I would like to know if, as project leaders, you consider that these (yellow) projects are indeed inactive?
> >
> > If that's the case, are you planning to revive them in the near future (let's say 6 months)?
> >
> > I'm trying to test effectively, and a project that does not fit the preliminary health criteria cannot be considered a flagship project.
> >
> > If anyone has missed the mailing list regarding this I suggest to check it here:
> >
> > https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach
> >
> > Please let me know your situation regarding these projects. It is essential to determine the path of the further test plan.
>
> Hi Johanna,
>
> Truthfully, I think it is unlikely that any of these various ESAPI projects, with the possible exception of ESAPI Java, is ever going to be revived. Jeffrey Walton was mostly keeping the ESAPI C++ project alive but he was disillusioned with what he perceived as OWASP politics and decided to quit the project, which is a shame because he had made some excellent contributions to that and some of the OWASP cheat sheets.
>
> At one point about a year and a half ago, I thought there was a possibility of reviving the ESAPI .NET version. Someone had tentatively stepped up to work on it, but that too died out. Since that time, I think that having an ESAPI .NET implementation really doesn't matter very much anymore because the latest .NET Frameworks themselves have almost everything that ESAPI has (with the sole exception of support for authenticated encryption and a built-in WAF). It certainly is solid on the validation and encoding side where we saw about 90% of the ESAPI use occurring.
>
> Lastly, you probably should add ESAPI PHP to the list. There is also one for Salesforce (maintained by them) and one for ColdFusion (which I think that Adobe might maintain). There's also a JavaScript version, but it mostly only does encoding and some validation.
>
> I've only been involved in the Java, C, and C++ versions, however, so I can't really comment on the others. Chris Schmidt may be able to add more (CC'ing him as well as the ESAPI Dev list).
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> NSA: All your crypto bit are belong to us.
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board