[Owasp-board] ESAPI libraries-preliminary tests results

Jim Manico jim.manico at owasp.org
Tue Jun 17 22:25:54 UTC 2014


I would love to see you lead this effort. When can you get an initial
design to us?

Jim Manico
(808) 652-3805

On Jun 18, 2014, at 6:09 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

I still think that the ESTAPI (or even just STAPI) would be a great way to
add value here: http://blog.diniscruz.com/2011/06/estapi-idea.html

And I can tell you that as a developer, I could really do with ESTAPI tests
to ensure (and prove) that my app is secure.
On 17 Jun 2014 14:01, "Jim Manico" <jim.manico at owasp.org> wrote:

>  Josh,
> This is the way to go. Don't expect them to join us, we need to join them.
> * In the Java world, there is the JCP (Java Community Process) and other
> languages have similar communities. Milton Smith is a great egg and a good
> friend, but he will just direct us to join the JCP and participate in
> building the next version of Java (Java 9/10 are being worked on now).
> * .NET just open sourced most of .NET. Our best bet is to join
> dotnetfoundation.org and participate there.
> Josh, right on. I am with you on this mission 100%, it's the right path.
> Go to them, do not expect them to come to us as OWASP stands today.
> - Jim
>  I had an interesting conversation with Mark Curphey while he was in
> Austin this week and at one point we got to talking about ESAPI.
> Personally, I love the idea of having functions that you can call to ensure
> security of your code, but it did get me wondering if the API approach was
> the best one.  Thinking at a higher level, what if OWASP tried to foster
> relationships with the companies and organizations who are actually writing
> the languages themselves and tried to influence that way?  For example, we
> could start talking with Oracle about Java security and try to contribute
> directly to the security of Java itself, rather than trying to write an API
> around it.  I would be happy to make an introduction to Milton Smith, the
> Sr. Principal Product Security Manager at Oracle for Java.  He was involved
> with OWASP Austin before moving to take the job with Oracle.  For .NET,
> Mark said that he could make introductions to the right people at Microsoft
> and I know Michael Howard, who would likely be happy to introduce us to the
> right people as well.  In any case, what if we threw out the notion of an
> Enterprise Security API entirely and instead tried to bake that
> functionality directly into the product so that it was secure by default?
> What do you think?
>  ~josh
> On Thu, Jun 12, 2014 at 8:44 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
>>  On Thu, Jun 12, 2014 at 8:40 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>> > Hi ESAPI Team members
>> >
>> > I have begun with the verification process of activity level in the
>> > libraries. Based on the activity level, I'll continue to create test
>> > cases for those libraries that are being actively maintained or show a
>> > significant level of maturity.
>> >
>> > From these preliminary tests I have checked and created tasks in JIRA for:
>> >
>> > Perl==> Last maintained 3 years ago
>> > C++
>> > Python==>last release from 3 years ago
>> > .NET==>last release from 3 years ago
>> > C==>Source code last updated 2 years ago
>> > Java
>> > Classic ASP==>last release from 3 years ago
>> >
>> > The projects highlighted in yellow have a very low development activity
>> > but also very little participation of the community.
>> >
>> > The other projects show a significant maturity level and activity.
>> >
>> > I must say that all of the ESAPI projects show a high level of code
>> > development, but the yellow ones have not been maintained in a long time.
>> >
>> > I would like to know if, as project leaders, you consider that these
>> > (yellow) projects are indeed inactive?
>> >
>> > If that's the case, are you planning to revive them in the near future
>> > (let's say 6 months)?
>> >
>> > I'm trying to test effectively, and a project that does not fit the
>> > preliminary health criteria cannot be considered a flagship project.
>> >
>> > If anyone has missed the mailing list regarding this, I suggest you
>> > check it here:
>> >
>> > https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach
>> >
>> > Please let me know your situation regarding these projects. It is
>> > essential to determine the path of the further test plan.
>>  Hi Johanna,
>> Truthfully, I think it is unlikely that any of these various ESAPI
>> projects, with the possible exception of ESAPI Java, is ever going to be
>> revived. Jeffrey Walton was mostly keeping the ESAPI C++ project alive,
>> but he was disillusioned with what he perceived as OWASP politics and
>> decided to quit the project, which is a shame because he had made some
>> excellent contributions to that and some of the OWASP cheat sheets.
>> At one point about a year and a half ago, I thought there was a
>> possibility of reviving the ESAPI .NET version. Someone had tentatively
>> stepped up to work on it, but that too died out. Since that time, I think
>> that having an ESAPI .NET implementation really doesn't matter very much
>> anymore because the latest .NET Frameworks themselves have almost
>> everything that ESAPI has (with the sole exception of support for
>> authenticated encryption and a built-in WAF). It certainly is solid on
>> the validation and encoding side, where we saw about 90% of the ESAPI use
>> occurring.
>> Lastly, you probably should add ESAPI PHP to the list. There is also one
>> for Salesforce (maintained by them) and one for ColdFusion (which I think
>> that Adobe might maintain). There's also a JavaScript version, but it
>> mostly only does encoding and some validation.
>> I've only been involved in the Java, C, and C++ versions, however, so I
>> can't really comment on the others. Chris Schmidt may be able to add more
>> (CC'ing him as well as the ESAPI Dev list).
>> -kevin
>> --
>> Blog: http://off-the-wall-security.blogspot.com/
>> NSA: All your crypto bit are belong to us.
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board