[Owasp-leaders] [Esapi-dev] OWASP CSRFGuard

Chris Schmidt chris.schmidt at owasp.org
Sun Oct 31 23:07:30 EDT 2010


Is there any reason that there cannot be AppSensor-like integration points
between CSRFGuard and ESAPI?


On 10/31/10 10:38 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

>    Eric,
>  
>  I'm very glad to hear that you are stepping back into CSRFGuard leadership.
>  
>  CSRFGuard is actually very complex, with many modes of operation and
> significant technical complexity.
>  
>  I support CSRFGuard being a separate project if it stays well maintained.
> ESAPI may want to integrate the CSRFGuard project someday (soon), and to do
> that we do not need to absorb it necessarily.
>  
>  Let's see how this "CSRFGuard revival" goes and address ESAPI integration a
> month or two down the line, cool everyone?
>  
>  - Jim
>  
>  
>>   I don't actually. CSRF controls are not loosely coupled in ESAPI. I've
>> worked with many developers trying to integrate one or more stand-alone
>> security controls (ex: CSRF protection) from ESAPI which resulted in a lot of
>> headache as a result of everything being so tightly integrated. There is
>> significant value in having separate and stand-alone controls with very few
>> dependencies.
>>  
>>  -Eric
>>  
>>  
>> On Fri, Oct 29, 2010 at 11:53 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>  
>>>> > My gut feel here is that we gain a lot more by merging the work done here
>>>> into ESAPI.
>>>
>>> I agree 100%, I'm glad you said it first. :)
>>>
>>> - Jim
>>>
>>> From: Chris Schmidt [mailto:chrisisbeef at gmail.com]
>>>  Sent: Friday, October 29, 2010 8:36 PM
>>>  To: Jim Manico; Esapi-dev at lists.owasp.org; SC-L at securecoding.org
>>>  Cc: owasp-leaders at lists.owasp.org
>>>  Subject: Re: [Esapi-dev] OWASP CSRFGuard
>>>
>>> My gut feel here is that we gain a lot more by merging the work done here
>>> into ESAPI. CSRFGuard is and has been a great project, but as it stands -
>>> unmaintained right now (although it is a very simple project, with a very
>>> low level of maintenance) it seems to me that a lot of traction and momentum
>>> could be gained for the code by merging with the ESAPI project which is one
>>> of the more active OWASP Projects AFAIK.
>>>  
>>>  This is really just my $0.02 and I don't want to discount the work that has
>>> been done on CSRF-Guard. As I stated it is a great project and I personally
>>> have used it in 3 projects successfully, but I also think that as such a
>>> small project it seems to be an easy one to forget about in the grand scheme
>>> of things.
>>>  
>>>  
>>>  On 10/29/10 9:09 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>
>>> Hello,
>>>   
>>>  The OWASP CSRF guard project (
>>> http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project ) has
>>> recently been deemed "inactive" and I'm trying to help bring it back to
>>> life.
>>>   
>>>  I'm taking a survey of folks who have used CSRFGuard. In particular, I
>>> would like to understand any potential modifications CSRFGuard users have
>>> had to make in order to implement it successfully for their website. I'd
>>> also like to hear of any success stories of using CSRFGuard out of the box.
>>>   
>>>  Any feedback regarding this matter is greatly appreciated.
>>>   
>>>  Thanks kindly + Aloha,
>>>   
>>>  Jim Manico
>>>  OWASP Podcast Producer
>>>  OWASP ESAPI Project Manager
>>>  http://manico.net  
>>>  
>>> _______________________________________________
>>>  Esapi-dev mailing list
>>>  Esapi-dev at lists.owasp.org
>>>  https://lists.owasp.org/mailman/listinfo/esapi-dev
>>>  
>>>  _______________________________________________
>>>  OWASP-Leaders mailing list
>>>  OWASP-Leaders at lists.owasp.org
>>>  https://lists.owasp.org/mailman/listinfo/owasp-leaders
