[Owasp-guide] A much better idea - let's use the ESAPI as our basis for the Guide 3.0
sergeslists at gmail.com
Sun Nov 18 04:53:54 EST 2007
Cool, I'll start looking into ESAPI then...
On Nov 18, 2007 1:52 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
> Hi there,
> Jeff Williams has written an "Enterprise Security API" (ESAPI) in Java. It
> provides the correct way to do security tasks either in abstract form, or as
> a complete implementation. You can learn about the ESAPI here:
> I'll divvy up chapters to folks who claim them. The ESAPI (deliberately)
> covers about 80% of the required functionality for a secure application, so
> it will be important for us to ensure that we have adequate coverage later.
> As the .NET folks don't use ESAPI yet, and may never choose to use ESAPI,
> coupled with other platforms which may never get ESAPI, we will need to
> cover off what ESAPI does in a generic way.
> Serg - instead of grabbing a single chapter here or there, what I'd like for
> you to do instead is grab the latest ESAPI code from the link above, and
> port that to PHP. It's about 3500 lines of Java. Having a complete PHP
> implementation of ESAPI will be a fantastic resource for PHP folks, who are
> bereft of any significant security implementations. We will then use ESAPI
> snippets written in both languages as examples.
> All - read the ESAPI documentation and become familiar with it. If you feel
> up to it, feel free to port ESAPI to your favorite platform (.NET,
> ColdFusion, etc). Just let us know that you're doing that.
> Let's start over the Guide's outline based upon the ESAPI's capabilities. I
> will build an empty Guide shell in Google Code for us to work with in a few
> Andrew van der Stock
> Executive Director, OWASP
> Lead Author, OWASP Guide