<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Re: [Owasp-leaders] I am glad to announce I've just set a new project up
- OWASP Secure Web Application Framework Manifesto, led by Rohit Sethi.</title>
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=WordSection1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Craig, that&#8217;s a good point. We will focus on promoting reuse of
ESAPI code whenever possible.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<p class=MsoNormal style='text-autospace:none'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:#1F497D'>Rohit Sethi<o:p></o:p></span></b></p>

<p class=MsoNormal style='text-autospace:none'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:#333399'>Director, Professional
Services<o:p></o:p></span></b></p>

<p class=MsoNormal style='text-autospace:none'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:#333399'>Security Compass<o:p></o:p></span></b></p>

<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:#1F497D'><a
href="http://www.securitycompass.com/">http://www.securitycompass.com</a><o:p></o:p></span></p>

<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:silver'>Direct : 888-777-2211 ext. 102<o:p></o:p></span></p>

<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:silver'>Mobile: 732.546.4473<o:p></o:p></span></p>

<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:silver'>Twitter: rksethi<o:p></o:p></span></p>

</div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
owasp-leaders-bounces@lists.owasp.org
[mailto:owasp-leaders-bounces@lists.owasp.org] <b>On Behalf Of </b>Chris
Schmidt<br>
<b>Sent:</b> Monday, October 11, 2010 12:48 PM<br>
<b>To:</b> owasp-leaders@lists.owasp.org; Paulo Coimbra; Craig Younkins<br>
<b>Subject:</b> Re: [Owasp-leaders] I am glad to announce I've just set a new
project up - OWASP Secure Web Application Framework Manifesto, led by Rohit
Sethi.<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'>Just to follow up on one thing &#8211; The
ultimate goal of the ESAPI project is to develop the controls in hopes that
eventually there won&#8217;t be a <b>need</b> for this to be a third party library. I
think our goals are actually 100% in-line with each other &#8211; it would be great
if the WAFM (making up acronyms as I go here) project could focus on getting
Framework developers and even the language developers themselves to integrate
ESAPI controls into their code (there are rumors of this happening with Open
JDK7 already) rather than trying to re-create or repurpose the code that has
already been written for ESAPI. <br>
<br>
This is just my $0.02 &#8211; not trying to tell you how to run your project, just
offering some insight from the ESAPI Team&#8217;s side of the fence. :) <br>
<br>
Regardless, I think it is imperative that we keep in close contact and update
each other frequently on new developments.<br>
<br>
~Chris <br>
<br>
On 10/11/10 10:34 AM, &quot;Sethi, Rohit&quot; &lt;<a
href="rohit@securitycompass.com">rohit@securitycompass.com</a>&gt; wrote:</span><o:p></o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'>Sorry, I hit send
accidentally there. The 2nd last paragraph should read:<br>
&nbsp;<br>
The simplest example of this is looking at ESAPI tag libraries in java &#8211; e.g.
&lt;esapi:encodeForJavaScript&gt;${unsafeval}&lt;/esapi:encodeForJavaScript&gt;
versus simply having &lt;c:out value=&quot;${unsafeval}&quot;&gt; <i>understand</i>
that it&#8217;s in JavaScript context and encode for JavaScript automatically. In
other words, application developers are blissfully unaware that their code is
being protected for them unless it somehow breaks their functionality. I know
this example is a rather complex one to implement, but I think it illustrates
the point. In terms of implementation, the JSTL developers might seek to take
advantage of what ESAPI has already done.<br>
&nbsp;<br>
Ultimately both of these projects have the same goal &#8211; and I agree with you
that they should feed off of each other whenever possible.<br>
&nbsp;<br>
Thanks,<br>
&nbsp;<br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br>
</span><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'>Rohit Sethi<br>
</span></b><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#333399'>Director, Professional Services<br>
Security Compass<br>
</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'><a href="http://www.securitycompass.com">http://www.securitycompass.com</a>
&lt;<a href="http://www.securitycompass.com/">http://www.securitycompass.com/</a>&gt;
<br>
</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:silver'>Direct : 888-777-2211 ext. 102<br>
Mobile: 732.546.4473<br>
Twitter: rksethi<br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br>
</span><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Sethi, Rohit <br>
<b>Sent:</b> Monday, October 11, 2010 12:28 PM<br>
<b>To:</b> '<a href="owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a>';
'Paulo Coimbra'; 'Craig Younkins'<br>
<b>Subject:</b> RE: [Owasp-leaders] I am glad to announce I've just set a new
project up - OWASP Secure Web Application Framework Manifesto, led by Rohit
Sethi.<br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br>
<span style='color:#1F497D'>I certainly think that we should leverage as much
ESAPI code as possible. &nbsp;There is no sense in rewriting what the ESAPI
developers have already put countless hours building, testing, and refactoring into.
<br>
&nbsp;<br>
The main difference here is that the Secure Web Application Framework Manifesto
project seeks to integrate the security features <i>into</i> the frameworks
rather than being a third party add-on to the frameworks. &nbsp;ESAPI is
something that people can use today &#8211; this project is more about the future and
is not as immediately useful as ESAPI. Eventually, we hope that framework
developers will attempt to differentiate themselves by how much of the
manifesto they adhere to. In other words, we&#8217;re hoping that when framework
developers lay out their plans for the next release they integrate manifesto
requirements into them. The simplest example of this is loo<br>
&nbsp;<br>
Craig, I would love to discuss with you directly when you have the time.<br>
&nbsp;<br>
</span><br>
</span><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'>Rohit Sethi<br>
</span></b><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#333399'>Director, Professional Services<br>
Security Compass<br>
</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'><a href="http://www.securitycompass.com">http://www.securitycompass.com</a>
&lt;<a href="http://www.securitycompass.com/">http://www.securitycompass.com/</a>&gt;
<br>
</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:silver'>Twitter: rksethi<br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br>
</span><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a
href="owasp-leaders-bounces@lists.owasp.org">owasp-leaders-bounces@lists.owasp.org</a>
[<a href="mailto:owasp-leaders-bounces@lists.owasp.org">mailto:owasp-leaders-bounces@lists.owasp.org</a>]
<b>On Behalf Of </b>Dave Wichers<br>
<b>Sent:</b> Monday, October 11, 2010 12:17 PM<br>
<b>To:</b> <a href="owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a>;
Paulo Coimbra; Craig Younkins<br>
<b>Subject:</b> Re: [Owasp-leaders] I am glad to announce I've just set a new
project up - OWASP Secure Web Application Framework Manifesto, led by Rohit
Sethi.<br>
</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br>
<span style='color:#1F497D'>Craig Younkins developed the ESAPI for Python
project so I think you should definitely coordinate with him.<br>
&nbsp;<br>
I think integrating ESAPI for Python into or with Django would be a great first
example of ESAPI integration into a framework. ESAPI integration with
frameworks (like Spring in the Java world) is a critical next step for ESAPI.<br>
&nbsp;<br>
Rohit &#8211; do you think having this as a separate project for ESAPI makes sense,
or should we have this be an adjunct to ESAPI? I&#8217;m thinking that having them
related would provide more visibility to both projects. But I&#8217;m interested
in your thoughts.<br>
&nbsp;<br>
-Dave<br>
&nbsp;<br>
</span><br>
<b>From:</b> <a href="owasp-leaders-bounces@lists.owasp.org">owasp-leaders-bounces@lists.owasp.org</a>
[<a href="mailto:owasp-leaders-bounces@lists.owasp.org">mailto:owasp-leaders-bounces@lists.owasp.org</a>]
<b>On Behalf Of </b>Sethi, Rohit<br>
<b>Sent:</b> Monday, October 11, 2010 11:54 AM<br>
<b>To:</b> Paulo Coimbra; <a href="owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a><br>
<b>Cc:</b> Tom Aratyn; Patrick Szeto<br>
<b>Subject:</b> Re: [Owasp-leaders] I am glad to announce I've just set a new
project up - OWASP Secure Web Application Framework Manifesto, led by Rohit
Sethi.<br>
&nbsp;<br>
<span style='color:#1F497D'>Leaders,<br>
&nbsp;<br>
We believe that building the right controls into web application frameworks
will drive more secure applications. Our intent is to move this effort beyond
documentation and into real code &#8211; starting with building many of these requirements
to the Django framework or a spin-off. This is a particularly important
opportunity for students and researchers who wish to make a real impact to
secure application development. &nbsp;We are interested in reaching out to the
Django community to get their buy-in on this. If you have contacts with their
developers please let us know.<br>
&nbsp;<br>
We will soon be looking for people to help review this project and move it into
a stable release. Please also let me know if you are interested in this regard.<br>
&nbsp;<br>
Thank you,<br>
&nbsp;<br>
</span><br>
<b>Rohit Sethi<br>
Director, Professional Services<br>
Security Compass<br>
</b><a href="http://www.securitycompass.com">http://www.securitycompass.com</a>
&lt;<a href="http://www.securitycompass.com/">http://www.securitycompass.com/</a>&gt;
<br>
Twitter: rksethi<br>
<span style='color:#1F497D'><br>
</span><br>
<b>From:</b> Paulo Coimbra [<a href="mailto:paulo.coimbra@owasp.org">mailto:paulo.coimbra@owasp.org</a>]
<br>
<b>Sent:</b> Friday, October 08, 2010 6:58 PM<br>
<b>To:</b> <a href="owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a><br>
<b>Cc:</b> Sethi, Rohit; Chan, Yuk Fai; Tom Aratyn; Patrick Szeto<br>
<b>Subject:</b> I am glad to announce I've just set a new project up - OWASP
Secure Web Application Framework Manifesto, led by Rohit Sethi. <br>
&nbsp;<br>
<span style='color:#1F497D'>Leaders,<br>
</span><br>
<span style='color:#1F497D'>I am glad to announce I&#8217;ve just set a new project
up &#8211; the <b><i>OWASP Secure Web Application Framework Manifesto</i></b>, led by
<b><i>Rohit Sethi</i></b>.<b> </b>Please welcome his new OWASP initiative! <br>
<b><br>
</b><a
href="http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto#tab=Project_About">http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto#tab=Project_About</a>
<br>
&nbsp;<br>
<a href="http://www.owasp.org/index.php/User:Rksethi">http://www.owasp.org/index.php/User:Rksethi</a>
<br>
&nbsp;<br>
As always, your suggestions and contributions would be greatly appreciated.
&nbsp;&nbsp;<br>
&nbsp;<br>
In addition, this project already has a very mature release, <b><i>OWASP Secure
Web Application Framework Manifesto</i>/Version v0.08 </b>&#8211; please glance at
it.<br>
&nbsp;<br>
<a
href="http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current">http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current</a>
<br>
&nbsp;<br>
If the project leader and his contributors ultimately decide to have this
release assessed as I am counting on, I will update you. &nbsp;<br>
&nbsp;<br>
Many thanks, regards,<br>
</span><br>
Paulo Coimbra,<br>
OWASP Project Manager &lt;<a href="https://www.owasp.org/index.php/Main_Page">https://www.owasp.org/index.php/Main_Page</a>&gt;
<br>
&nbsp;<o:p></o:p></span></p>
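<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The
tag-library comparison in Rohit&#8217;s message above (an explicit
&lt;esapi:encodeForJavaScript&gt; wrapper versus a framework tag that knows it is
inside a script block and picks the JavaScript encoder on its own) is the kind of
thing that is easier to see in code. The block below is an added illustration written
for this page; it is not code from ESAPI, ESAPI for Python, Django or the manifesto
project. It assumes a toy template syntax (${name} placeholders, borrowed from JSP EL),
a deliberately simple script-block detector instead of a real HTML parser, and a
JavaScript encoder modelled on ESAPI&#8217;s approach of hex-escaping every
non-alphanumeric character except a small immune set.</span></p>

```python
import html
import re

# Assumption: modelled on ESAPI's JavaScript codec, which hex-escapes every
# character except alphanumerics and a small immune set (',', '.', '_').
JS_IMMUNE = frozenset(",._")

_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def encode_for_html(value: str) -> str:
    """HTML body / attribute-value context: entity-encode & < > " ' (the same
    five characters <c:out> escapes by default)."""
    return html.escape(value, quote=True)


def encode_for_javascript(value: str) -> str:
    """JavaScript string-literal context: \\xHH / \\uHHHH-escape every
    non-alphanumeric character so that quotes, backslashes, newlines,
    '</script' and U+2028/U+2029 can never end the literal or the element."""
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in JS_IMMUNE:
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


ENCODERS = {"html": encode_for_html, "js": encode_for_javascript}


def context_at(template: str, offset: int) -> str:
    """Decide which encoder applies at a placeholder: 'js' if the nearest
    preceding <script opens a block that has not been closed, else 'html'.
    A plain substring scan, not an HTML parser: enough for the demo."""
    before = template[:offset].lower()
    return "js" if before.rfind("<script") > before.rfind("</script") else "html"


def render(template: str, values: dict) -> str:
    """Substitute ${name} placeholders, encoding each value for the context it
    lands in, so the template author never has to pick an encoder by hand."""
    out, pos = [], 0
    for m in _PLACEHOLDER.finditer(template):
        out.append(template[pos:m.start()])
        out.append(ENCODERS[context_at(template, m.start())](values[m.group(1)]))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


def js_literal_is_inert(encoded: str) -> bool:
    """True when an encoded value contains only characters that cannot change
    the meaning of a JavaScript string literal (alphanumerics, the immune
    set, and the backslash that introduces each escape)."""
    return all(
        c.isascii() and (c.isalnum() or c in JS_IMMUNE or c == "\\")
        for c in encoded
    )


if __name__ == "__main__":
    # Constructed sample: one user-controlled value rendered in two contexts.
    sample = {"name": "O'Neil </script> \"x\"\u2028"}
    page = render("<p>Hi ${name}</p><script>var who = '${name}';</script>", sample)
    print(page)
    print("script literal inert:", js_literal_is_inert(encode_for_javascript(sample["name"])))
```

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The
same value comes out entity-encoded in the paragraph and hex-escaped inside the
script block, and the developer writing the template only ever typed ${name}. That
is the &#8220;blissfully unaware&#8221; property the message describes; the encoders
themselves are the part a framework could take from ESAPI rather than rewrite.</span></p>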

<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>

<hr size=3 width="95%" align=center>

</span></div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas'>_______________________________________________<br>
OWASP-Leaders mailing list<br>
<a href="OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a></span><o:p></o:p></p>

</div>

</body>

</html>