[owasp-intrinsic-security] [Owasp-leaders] Web application framework security comparison

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Jan 28 13:31:56 EST 2009

I initially had one, but it was not a fair comparison. ESAPI is a security framework, which frankly should contain all of the things we are looking for, but it doesn't actually provide a framework for building web applications. The purpose is to give people picking technologies what frameworks will provide them with the most opportunity for security out of the box, and putting ESAPI in there made it look like a product promo.
I think if we had .NET w/ ESAPI and J2EE w/ ESAPI columns that would be fair. It would be an easy way to track how ESAPI is maintaining synchronicity across versions, but maybe on a separate sheet.


From: owasp-leaders-bounces at lists.owasp.org on behalf of Goldschmidt, Cassio
Sent: Wed 1/28/2009 11:08 AM
To: owasp-leaders at lists.owasp.org
Cc: owasp-intrinsic-security at lists.owasp.org
Subject: Re: [Owasp-leaders] Web application framework security comparison

This is really helpful Arshan and team! Should we also add a column to the matrix for ESAPI?

On Wed, Jan 28, 2009 at 7:41 AM, Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com> wrote:

	Thanks to those of you who made it out to Portugal for the EU Summit. One of our working sessions was focused on creating a consumer report on the security provided by web application frameworks. After some huge initial draft work there, I'm happy to have a beta ready. Of course maintaining this will be a moving target, but right now I'm soliciting a last call for comments and suggestions before making it available to the world at large.
	The key is on the spreadsheet. Ideally I would like every tuple that's not "No Plans" to have a supporting comment or link. If you can provide one or can argue for a different value for any tuple, please get back to me soon.
	Thanks to everyone for all your help up to this point - let's get this thing finished so we can get it out to the public. I'm sorry I can't let everyone have edit privileges, but I had to make a million reverts when I did that before because I wasn't clear enough with my goals for the spreadsheet, so please just email me and the group your suggestions!

