[Owasp-guide] A much better idea - let's use the ESAPI as our basis for the Guide 3.0

Andrew van der Stock vanderaj at owasp.org
Sat Nov 17 09:52:10 EST 2007

Hi there,

Jeff Williams has written an "Enterprise Security API" (ESAPI) in  
Java. It provides the correct way to do security tasks either in  
abstract form, or as a complete implementation. You can learn about  
the ESAPI here:


I'll divvy up chapters to folks who claim them. The ESAPI  
(deliberately) covers about 80% of the required functionality for a  
secure application, so it will be important for us to ensure that we  
have adequate coverage later. As the .NET folks don't use ESAPI yet,  
and may never choose to use ESAPI, coupled with other platforms which  
may never get ESAPI, we will need to cover off what ESAPI does in a  
generic way.

Serg - instead of grabbing a single chapter here or there, what I'd  
like for you to do instead is grab the latest ESAPI code from the link  
above, and port that to PHP. It's about 3500 lines of Java. Having a  
complete PHP implementation of ESAPI will be a fantastic resource for  
PHP folks, who are bereft of any significant security implementations.  
We will then use ESAPI snippets written in both languages as examples.

All - read the ESAPI documentation and become familiar with it. If you  
feel up to it, feel free to port ESAPI to your favorite platform  
(.NET, ColdFusion, etc). Just let us know that you're doing that.

Let's start the Guide's outline over, based upon the ESAPI's  
capabilities. I will build an empty Guide shell in Google Code for us  
to work with in a few days.


Andrew van der Stock
Executive Director, OWASP
Lead Author, OWASP Guide
