[Owasp-leaders] I am glad to announce I've just set a new project up - OWASP Secure Web Application Framework Manifesto, led by Rohit Sethi.

Chris Schmidt chris.schmidt at owasp.org
Mon Oct 11 12:47:52 EDT 2010


Just to follow up on one thing – The ultimate goal of the ESAPI project is
to develop the controls in hopes that eventually there won't be a need for
this to be a third party library. I think our goals are actually 100%
in-line with each other – it would be great if the WAFM (making up acronyms
as I go here) project could focus on getting Framework developers and even
the language developers themselves to integrate ESAPI controls into their
code (there are rumors of this happening with Open JDK7 already) rather than
trying to re-create or repurpose the code that has already been written for
ESAPI.

This is just my $0.02 – not trying to tell you how to run your project, just
offering some insight from the ESAPI Team's side of the fence. :)

Regardless, I think it is imperative that we keep in close contact and
update each other frequently on new developments.

~Chris 

On 10/11/10 10:34 AM, "Sethi, Rohit" <rohit at securitycompass.com> wrote:

> Sorry, I hit send accidentally there. The 2nd last paragraph should read:
>  
> The simplest example of this is looking at ESAPI tag libraries in java – e.g.
> <esapi:encodeForJavaScript>${unsafeval}</esapi:encodeForJavaScript> versus
> simply having <c:out value="${unsafeval}"> understand that it's in JavaScript
> context and encode for JavaScript automatically. In other words, application
> developers are blissfully unaware that their code is being protected for them
> unless it somehow breaks their functionality. I know this example is a rather
> complex one to implement, but I think it illustrates the point. In terms of
> implementation, the JSTL developers might seek to take advantage of what ESAPI
> has already done.
>  
> Ultimately both of these projects have the same goal – and I agree with you
> that they should feed off of each other whenever possible.
>  
> Thanks,
>  
> 
> Rohit Sethi
> Director, Professional Services
> Security Compass
> http://www.securitycompass.com <http://www.securitycompass.com/>
> Direct : 888-777-2211 ext. 102
> Mobile: 732.546.4473
> Twitter: rksethi
>  
> 
> From: Sethi, Rohit
> Sent: Monday, October 11, 2010 12:28 PM
> To: 'owasp-leaders at lists.owasp.org'; 'Paulo Coimbra'; 'Craig Younkins'
> Subject: RE: [Owasp-leaders] I am glad to announce I've just set a new project
> up - OWASP Secure Web Application Framework Manifesto, led by Rohit Sethi.
>  
> I certainly think that we should leverage as much ESAPI code as possible.
> There is no sense in rewriting what the ESAPI developers have already put
> countless hours building, testing, and refactoring into.
>  
> The main difference here is that the Secure Web Application Framework
> Manifesto project seeks to integrate the security features into the frameworks
> rather than being a third party add-on to the frameworks.  ESAPI is something
> that people can use today – this project is more about the future and is not
> as immediately useful as ESAPI. Eventually, we hope that framework developers
> will attempt to differentiate themselves by how much of the manifesto they
> adhere to. In other words, we're hoping that when framework developers lay out
> their plans for the next release they integrate manifesto requirements into
> them. The simplest example of this is loo
>  
> Craig, I would love to discuss with you directly when you have the time.
>  
> 
> Rohit Sethi
> Director, Professional Services
> Security Compass
> http://www.securitycompass.com <http://www.securitycompass.com/>
> Twitter: rksethi
>  
> 
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dave Wichers
> Sent: Monday, October 11, 2010 12:17 PM
> To: owasp-leaders at lists.owasp.org; Paulo Coimbra; Craig Younkins
> Subject: Re: [Owasp-leaders] I am glad to announce I've just set a new project
> up - OWASP Secure Web Application Framework Manifesto, led by Rohit Sethi.
>  
> Craig Younkins developed the ESAPI for Python project so I think you should
> definitely coordinate with him.
>  
> I think integrating ESAPI for Python into or with Django would be a great
> first example of ESAPI integration into a framework. ESAPI integration with
> frameworks (like Spring in the Java world) is a critical next step for ESAPI.
>  
> Rohit – do you think having this as a separate project for ESAPI makes sense,
> or should we have this be an adjunct to ESAPI? I'm thinking that having them
> related would provide more visibility to both projects. But I'm interested
> in your thoughts.
>  
> -Dave
>  
> 
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Sethi, Rohit
> Sent: Monday, October 11, 2010 11:54 AM
> To: Paulo Coimbra; owasp-leaders at lists.owasp.org
> Cc: Tom Aratyn; Patrick Szeto
> Subject: Re: [Owasp-leaders] I am glad to announce I've just set a new project
> up - OWASP Secure Web Application Framework Manifesto, led by Rohit Sethi.
>  
> Leaders,
>  
> We believe that building the right controls into web application frameworks
> will drive more secure applications. Our intent is to move this effort beyond
> documentation and into real code – starting with building many of these
> requirements to the Django framework or a spin-off. This is a particularly
> important opportunity for students and researchers who wish to make a real
> impact on secure application development.  We are interested in reaching out
> to the Django community to get their buy-in on this. If you have contacts with
> their developers please let us know.
>  
> We will soon be looking for people to help review this project and move it
> into a stable release. Please also let me know if you are interested in this
> regard.
>  
> Thank you,
>  
> 
> Rohit Sethi
> Director, Professional Services
> Security Compass
> http://www.securitycompass.com <http://www.securitycompass.com/>
> Twitter: rksethi
>  
> 
> From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> Sent: Friday, October 08, 2010 6:58 PM
> To: owasp-leaders at lists.owasp.org
> Cc: Sethi, Rohit; Chan, Yuk Fai; Tom Aratyn; Patrick Szeto
> Subject: I am glad to announce I've just set a new project up - OWASP Secure
> Web Application Framework Manifesto, led by Rohit Sethi.
>  
> Leaders,
>  
> I am glad to announce I've just set a new project up – the OWASP Secure Web
> Application Framework Manifesto, led by Rohit Sethi. Please welcome his new
> OWASP initiative!
>  
> http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto#tab=Project_About
>  
> http://www.owasp.org/index.php/User:Rksethi
>  
> As always, your suggestions and contributions would be greatly appreciated.
>  
> In addition, this project already has a very mature release, OWASP Secure Web
> Application Framework Manifesto/Version v0.08 – please glance at it.
>  
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current
>  
> If the project leader and his contributors ultimately decide to have this
> release assessed as I am counting on, I will update you.
>  
> Many thanks, regards,
>  
> Paulo Coimbra,
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>  
> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
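Rohit's tag-library example quoted above contrasts two ways of getting the same output encoding: an explicit tag the developer must remember at every output point, versus a template engine that works out the context itself. The following toy renderer is an added illustration for this thread; it is neither ESAPI's nor Django's code, nor code from any of the posters. The two encoders are simplified stand-ins modelled loosely on ESAPI's encodeForHTML and encodeForJavaScript, the `${name}` placeholder syntax and the `<script>`-block context detection are assumptions, and all sample values are constructed.

```python
import html
import re

# Toy stand-ins for ESAPI-style encoders (assumption: simplified, not ESAPI's actual code).
def encode_for_html(value: str) -> str:
    """Encode for HTML element content: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)

def encode_for_javascript(value: str) -> str:
    """Encode for a JavaScript string literal: every character outside ASCII
    alphanumerics becomes a \\xHH or \\uHHHH escape, so no quote, backslash
    or '</script>' sequence survives into the script."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isalnum() and code < 128:
            out.append(ch)
        elif code < 256:
            out.append("\\x%02X" % code)
        else:
            out.append("\\u%04X" % code)
    return "".join(out)

# Placeholder syntax is assumed: ${name}, mirroring the JSP/JSTL example in the thread.
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")
SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)

def context_at(template: str, start: int, end: int) -> str:
    """Classify the output context of the placeholder at template[start:end].

    Simplification: a placeholder is either in HTML element content or inside a
    <script> block. Inside a script it is accepted only when it is the entire body
    of a single- or double-quoted literal; anything else is 'js_unquoted', which no
    encoder can make safe because the value would be parsed as code, not data."""
    before = template[:start]
    inside_script = len(SCRIPT_OPEN.findall(before)) > len(SCRIPT_CLOSE.findall(before))
    if not inside_script:
        return "html"
    prev_ch = template[start - 1] if start > 0 else ""
    next_ch = template[end] if end < len(template) else ""
    if prev_ch in ("'", '"') and next_ch == prev_ch:
        return "js_string"
    return "js_unquoted"

def placeholder_contexts(template: str) -> list:
    """Return the context of every placeholder in order (a cheap template lint)."""
    return [context_at(template, m.start(), m.end()) for m in PLACEHOLDER.finditer(template)]

def render(template: str, values: dict) -> str:
    """Auto-encoding renderer: the developer writes ${name}; the encoder is chosen here,
    so the application code stays 'blissfully unaware' of the encoding step."""
    def substitute(match):
        name = match.group(1)
        raw = str(values[name])
        ctx = context_at(template, match.start(), match.end())
        if ctx == "html":
            return encode_for_html(raw)
        if ctx == "js_string":
            return encode_for_javascript(raw)
        # Refusing to render is the safe failure mode for a context we cannot encode for.
        raise ValueError("placeholder %s sits in an unencodable context (%s)" % (name, ctx))
    return PLACEHOLDER.sub(substitute, template)

if __name__ == "__main__":
    # Constructed sample: one untrusted value used in two different output contexts.
    page = "<p>Hi ${who}</p><script>var who = '${who}';</script>"
    untrusted = "O'Brien \"</script>\""
    print(render(page, {"who": untrusted}))
    # The explicit style (what an <esapi:encodeForJavaScript> tag does) is the same
    # encoder called by hand at each output point:
    print("var who = '%s';" % encode_for_javascript(untrusted))
```

The difference Rohit describes is visible in the two calls at the bottom: with `render`, the same `${who}` is HTML-encoded in the paragraph and JavaScript-encoded in the script without the template author choosing either, while the explicit form requires the right encoder to be named at every output point. The unquoted-script case is the caveat a framework has to handle: there the renderer refuses rather than emit a value it cannot make safe.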
