Roman Hustad roman.hustad at yahoo.com
Thu Aug 20 02:01:16 EDT 2009

I would like to propose that the main ESAPI list is split into ESAPI-dev and ESAPI-user.  

The reason for this is that I suspect there are many lurkers on this list who are actually trying to implement ESAPI but don't feel comfortable seeking help on the list because of all the development chatter.  Most of you are probably familiar with this arrangement for other open-source projects and IMHO it works pretty well.  The simple fact is that there are very few posts here from the masses, and for ESAPI to be adopted widely we need to have a lot of volume; first so that there is obvious momentum - with a "tipping point" someday; and second to ensure that the API actually works well for most of the target audience in the real world.  

I say this as someone who has preached ESAPI as a security consultant since it was introduced, and am now implementing it on a legacy system back in the enterprise development world.  (More feedback to come as our project progresses.)  I want ESAPI to succeed!

As a data point for consideration, perhaps the list owner would be willing to share the current number of subscribers for the existing ESAPI lists.  This level of transparency was well received on the SC-L list recently.   

Thanks for your consideration of the idea,

Roman Hustad
