[Owasp-leaders] [Esapi-dev] OWASP CSRFGuard

Jim Manico jim.manico at owasp.org
Sun Oct 31 22:38:23 EDT 2010


I'm very glad to hear that you are stepping back into CSRFGuard leadership.

CSRFGuard is actually very complex, with many modes of operation and 
significant technical complexity.

I support CSRFGuard being a separate project if it stays well 
maintained. ESAPI may want to integrate the CSRFGuard project someday 
(soon), and to do that we do not need to absorb it necessarily.

Let's see how this "CSRFGuard revival" goes and address ESAPI 
integration a month or two down the line, cool everyone?

- Jim

> I don't actually. CSRF controls are not loosely coupled in ESAPI. I've 
> worked with many developers trying to integrate one or more 
> stand-alone security controls (ex: CSRF protection) from ESAPI which 
> resulted in a lot of headache as a result of everything being so 
> tightly integrated. There is significant value in having separate and 
> stand-alone controls with very few dependencies.
> -Eric
> On Fri, Oct 29, 2010 at 11:53 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>     > My gut feel here is that we gain a lot more by merging the work
>     done here into ESAPI.
>     I agree 100%, I’m glad you said it first. J
>     - Jim
>     *From:*Chris Schmidt [mailto:chrisisbeef at gmail.com
>     <mailto:chrisisbeef at gmail.com>]
>     *Sent:* Friday, October 29, 2010 8:36 PM
>     *To:* Jim Manico; Esapi-dev at lists.owasp.org
>     <mailto:Esapi-dev at lists.owasp.org>; SC-L at securecoding.org
>     <mailto:SC-L at securecoding.org>
>     *Cc:* owasp-leaders at lists.owasp.org
>     <mailto:owasp-leaders at lists.owasp.org>
>     *Subject:* Re: [Esapi-dev] OWASP CSRFGuard
>     My gut feel here is that we gain a lot more by merging the work
>     done here into ESAPI. CSRFGuard is and has been a great project,
>     but as it stands – unmaintained right now (although it is a very
>     simple project, with a very low level of maintenance) it seems to
>     me that a lot of traction and momentum could be gained for the
>     code by merging with the ESAPI project which is one of the more
>     active OWASP Projects AFAIK.
>     This is really just my $0.02 and I don’t want to discount the work
>     that has been done on CSRF-Guard. As I stated it is a great
>     project and I personally have used it in 3 projects successfully,
>     but I also think that as such a small project it seems to be an
>     easy one to forget about in the grand scheme of things.
>     On 10/29/10 9:09 AM, "Jim Manico" <jim.manico at owasp.org
>     <mailto:jim.manico at owasp.org>> wrote:
>     Hello,
>     The OWASP CSRF guard project (
>     http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project )
>     has recently been deemed “inactive” and I’m trying to help bring
>     it back to life.
>     I’m taking a survey of folks who have used CSRFGuard. In
>     particular, I would like to understand any potential modifications
>     CSRFGuard users have had to make in order to implement it
>     successfully for their website. I’d also like to hear of any
>     success stories of using CSRFGuard out of the box.
>     Any feedback regarding this matter is greatly appreciated.
>     Thanks kindly + Aloha,
>     Jim Manico
>     OWASP Podcast Producer
>     OWASP ESAPI Project Manager
>     http://manico.net
>     _______________________________________________
>     Esapi-dev mailing list
>     Esapi-dev at lists.owasp.org <mailto:Esapi-dev at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/esapi-dev
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
