[Owasp-leaders] [Esapi-dev] OWASP CSRFGuard

eric sheridan eric.sheridan at owasp.org
Sun Oct 31 19:58:08 EDT 2010


I don't actually. CSRF controls are not loosely coupled in ESAPI. I've
worked with many developers trying to integrate one or more stand-alone
security controls (ex: CSRF protection) from ESAPI which resulted in a lot
of headache as a result of everything being so tightly integrated. There is
significant value in having separate and stand-alone controls with very few
dependencies.

-Eric

On Fri, Oct 29, 2010 at 11:53 AM, Jim Manico <jim.manico at owasp.org> wrote:

> > My gut feel here is that we gain a lot more by merging the work done
> > here into ESAPI.
>
>
>
> I agree 100%, I’m glad you said it first. :)
>
>
>
> - Jim
>
>
>
> *From:* Chris Schmidt [mailto:chrisisbeef at gmail.com]
> *Sent:* Friday, October 29, 2010 8:36 PM
> *To:* Jim Manico; Esapi-dev at lists.owasp.org; SC-L at securecoding.org
> *Cc:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Esapi-dev] OWASP CSRFGuard
>
>
>
> My gut feel here is that we gain a lot more by merging the work done here
> into ESAPI. CSRFGuard is and has been a great project, but as it stands –
> unmaintained right now (although it is a very simple project, with a very
> low level of maintenance) it seems to me that a lot of traction and momentum
> could be gained for the code by merging with the ESAPI project which is one
> of the more active OWASP Projects AFAIK.
>
> This is really just my $0.02 and I don’t want to discount the work that has
> been done on CSRF-Guard. As I stated it is a great project and I personally
> have used it in 3 projects successfully, but I also think that as such a
> small project it seems to be an easy one to forget about in the grand scheme
> of things.
>
>
> On 10/29/10 9:09 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>
> Hello,
>
> The OWASP CSRF guard project (
> http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project ) has
> recently been deemed “inactive” and I’m trying to help bring it back to
> life.
>
> I’m taking a survey of folks who have used CSRFGuard. In particular, I
> would like to understand any potential modifications CSRFGuard users have
> had to make in order to implement it successfully for their website. I’d
> also like to hear of any success stories of using CSRFGuard out of the box.
>
> Any feedback regarding this matter is greatly appreciated.
>
> Thanks kindly + Aloha,
>
> Jim Manico
> OWASP Podcast Producer
> OWASP ESAPI Project Manager
> http://manico.net