[Owasp-leaders] OWASP ESAPI Project Status

Jim Manico jim.manico at owasp.org
Sat Mar 29 13:02:21 UTC 2014


If we set our sights on small usable components instead of huge secure
coding frameworks we can win. I shepherd several projects at OWASP that
coincidentally Apache Shiro will be using to help add AntiXSS capabilities.

I'm not hot on the "standard" that ESAPI is seeking, it's a good idea, but
I'd rather focus on giving devs something that is immediately usable and
helpful to solve a discrete problem *in a production quality high
performance way*. This is why I'm so fond of the work of Jeff Ichnowski
(Java Encoder Project) and Mike Samuel (OWASP HTML Sanitizer and OWASP JSON
encoder). These gents are both PhD level software engineers and applied
defensive AppSec experts. They are not software engineering hackers. ;)

We are going to slice and dice ESAPI into several small projects under a
non-ESAPI banner. Trust me, this is the right path to serve the mission of
helping devs build secure web applications.

Jim Manico
(808) 652-3805

On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

I think this is a great step for ESAPI which maybe will help it (ESAPI) to
have a much more realistic and achievable focus.

Kudos to Kevin for doing this and allowing the correct mapping of ESAPI.

I've written (in 2010, 2011) about my views about ESAPI and where it should
go (i.e. ESTAPI):

   - The ESTAPI idea <http://blog.diniscruz.com/2011/06/estapi-idea.html>
   - A couple more comments on ESAPI and

   - Recommending

And in case you missed these, recently (2013) I was able to consume ESAPI
java from .NET (i.e. the O2 Platform)

   - Loading OWASP ESAPI jar and its dependencies from C# (using

   - View ESAPI 11 Encodings methods in real-time via an ASP.NET Web

   - Another step in the use of ESAPI and AppSensor Jars from .Net/C#
   (using Jni4Net)<http://blog.diniscruz.com/2013/06/another-step-in-use-of-esapi-and.html>

   - First execution of ESAPI.jar Encoder methods from O2's C#

Btw, I still think ESAPI is a great idea and something that just about all
frameworks and companies need (i.e. an Enterprise Security API).

The problem was that OWASP's community tried to be a 'professional
development org', which is something that (with some minor exceptions) we
are not capable of. Organisations/groups like http://shiro.apache.org/ are
much more suited for that type of 'mission critical development'.


On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org> wrote:

> Why you should no longer use the OWASP ESAPI project, why you should not
> be recommending the OWASP ESAPI project, and why the OWASP ESAPI project is
> not deserving of flagship status.
> http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
> - Jim
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders