[Owasp-leaders] [Esapi-dev] OWASP CSRFGuard

Jeff Williams jeff.williams at owasp.org
Mon Nov 1 07:55:00 EDT 2010

The ESAPI project is wrestling with how to best solve this problem right


On the one hand, controls like the CSRFGuard should stand alone, so that
they can be easily integrated into existing applications or adopted by
projects that have other application security solutions.


On the other hand, there are good reasons why a CSRF protection should be
tied into a security framework. You get logging, strong randomness,
authentication integration, authorization integration, security
configuration, etc.


We'll try to keep the technical discussion off the leaders list and on the
ESAPI-dev list.  But we do need your help!  We're working out the best ways
to solve application security problems and capturing them in code.  Come
join in the fun!
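The trade-off Jeff describes above (stand-alone control versus framework integration) comes down to what a CSRF synchronizer-token check needs from its surroundings: a CSPRNG for the token, a binding to the authenticated session, and a log line when validation fails. The following is an added example written for this archive, not code from CSRFGuard or ESAPI, showing that minimal set in plain Python; the session store, the `csrf_token` form field name and the `check_request` entry point are assumptions made for illustration.

```python
"""Minimal synchronizer-token CSRF check (added illustration, not project code)."""
import hmac
import logging
import secrets

logger = logging.getLogger("csrf")

# Methods that must not change state and therefore need no token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Assumed form-field name; CSRFGuard-style filters make this configurable.
TOKEN_FIELD = "csrf_token"


class CsrfTokenStore:
    """One token per authenticated session, generated from a CSPRNG.

    The dict stands in for whatever session storage the framework provides;
    a framework-integrated control would read and write the real session.
    """

    def __init__(self):
        self._tokens = {}  # session_id -> token

    def issue(self, session_id):
        """Create and remember a fresh token for this session."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[session_id] = token
        return token

    def rotate(self, session_id):
        """Replace the token, e.g. right after login so a pre-auth token
        cannot be carried across the authentication boundary."""
        return self.issue(session_id)

    def validate(self, session_id, submitted):
        """Constant-time comparison of the submitted token against the
        session's token; logs and rejects on any mismatch."""
        expected = self._tokens.get(session_id)
        if expected is None:
            logger.warning("csrf: no token issued for session %s", session_id)
            return False
        if submitted is None:
            logger.warning("csrf: missing token for session %s", session_id)
            return False
        if not hmac.compare_digest(expected, submitted):
            logger.warning("csrf: token mismatch for session %s", session_id)
            return False
        return True


def check_request(store, session_id, method, form):
    """Filter-style gate: allow safe methods, require a valid token otherwise.

    `form` is a dict of submitted parameters (constructed by the caller).
    """
    if method.upper() in SAFE_METHODS:
        return True
    return store.validate(session_id, form.get(TOKEN_FIELD))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    store = CsrfTokenStore()
    token = store.issue("session-A")  # constructed session id
    print("valid POST:", check_request(store, "session-A", "POST", {TOKEN_FIELD: token}))
    print("forged POST:", check_request(store, "session-A", "POST", {TOKEN_FIELD: "guess"}))
    print("plain GET:", check_request(store, "session-A", "GET", {}))
```

The three framework dependencies are visible in the block: `secrets` supplies the randomness, the store keyed by session id is the authentication binding, and the `logger` calls are the audit trail. A stand-alone filter has to carry all three itself, which is the integration cost the thread is weighing.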




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of eric sheridan
Sent: Sunday, October 31, 2010 7:58 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] [Esapi-dev] OWASP CSRFGuard


I don't actually. CSRF controls are not loosely coupled in ESAPI. I've
worked with many developers trying to integrate one or more stand-alone
security controls (ex: CSRF protection) from ESAPI which resulted in a lot
of headache as a result of everything being so tightly integrated. There is
significant value in having separate and stand-alone controls with very few


On Fri, Oct 29, 2010 at 11:53 AM, Jim Manico <jim.manico at owasp.org> wrote:

> My gut feel here is that we gain a lot more by merging the work done here
> into ESAPI.


I agree 100%, I'm glad you said it first.


- Jim


From: Chris Schmidt [mailto:chrisisbeef at gmail.com] 
Sent: Friday, October 29, 2010 8:36 PM
To: Jim Manico; Esapi-dev at lists.owasp.org; SC-L at securecoding.org
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Esapi-dev] OWASP CSRFGuard


My gut feel here is that we gain a lot more by merging the work done here
into ESAPI. CSRFGuard is and has been a great project, but as it stands -
unmaintained right now (although it is a very simple project, with a very
low level of maintenance) it seems to me that a lot of traction and momentum
could be gained for the code by merging with the ESAPI project which is one
of the more active OWASP Projects AFAIK.

This is really just my $0.02 and I don't want to discount the work that has
been done on CSRF-Guard. As I stated it is a great project and I personally
have used it in 3 projects successfully, but I also think that as such a
small project it seems to be an easy one to forget about in the grand scheme
of things.

On 10/29/10 9:09 AM, "Jim Manico" <jim.manico at owasp.org> wrote:

The OWASP CSRF guard project (
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project ) has
recently been deemed "inactive" and I'm trying to help bring it back to
I'm taking a survey of folks who have used CSRFGuard. In particular, I would
like to understand any potential modifications CSRFGuard users have had  to
make in order to implement it successfully for their website. I'd also like
to hear of any success stories of using CSRFGuard out of the box.
Any feedback regarding this matter is greatly appreciated. 
Thanks kindly + Aloha,
Jim Manico
OWASP Podcast Producer
OWASP ESAPI Project Manager

