<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
    <title></title>
  </head>
  <body text="#000000" bgcolor="#ffffff">
    Eric,<br>
    <br>
    I'm very glad to hear that you are stepping back into CSRFGuard
    leadership.<br>
    <br>
    CSRFGuard is actually very complex, with many modes of operation and
    significant technical complexity.<br>
    <br>
    I support CSRFGuard being a separate project if it stays well
    maintained. ESAPI may want to integrate the CSRFGuard project
    someday (soon), and to do that we do not need to absorb it
    necessarily.<br>
    <br>
    Let's see how this "CSRFGuard revival" goes and address ESAPI
    integration a month or two down the line, cool everyone?<br>
    <br>
    - Jim<br>
    <br>
    <blockquote
      cite="mid:AANLkTikKsB3VOFhhb5NjOBR6HBaM+zx+Onhq4y5q2jeZ@mail.gmail.com"
      type="cite">
      I don't actually. CSRF controls are not loosely coupled in ESAPI.
      I've worked with many developers trying to integrate one or more
      stand-alone security controls (ex: CSRF protection) from ESAPI
      which resulted in a lot of headache as a result of everything
      being so tightly integrated. There is significant value in having
      separate and stand-alone controls with very few dependencies.<br>
      <br>
      -Eric<br>
      <br>
      <div>On Fri, Oct 29, 2010 at 11:53 AM, Jim Manico <span>&lt;<a
            moz-do-not-send="true" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>&gt;</span>
        wrote:<br>
        <blockquote>
          <div lang="EN-US">
            <div>
              <div>
                <p><span>&gt; </span><span>My
                    gut feel here is that we gain a lot more by merging
                    the work done here into
                    ESAPI. </span></p>
                <p><span>I agree 100%, I'm glad you said it first. </span><span>:)</span></p>
                <p><span>- Jim</span></p>
                <div>
                  <div>
                    <p><b><span>From:</span></b><span> Chris Schmidt
                        [mailto:<a moz-do-not-send="true"
                          href="mailto:chrisisbeef@gmail.com">chrisisbeef@gmail.com</a>]
                        <br>
                        <b>Sent:</b> Friday, October 29, 2010 8:36 PM<br>
                        <b>To:</b> Jim Manico; <a
                          moz-do-not-send="true"
                          href="mailto:Esapi-dev@lists.owasp.org">Esapi-dev@lists.owasp.org</a>;
                        <a moz-do-not-send="true"
                          href="mailto:SC-L@securecoding.org">SC-L@securecoding.org</a><br>
                        <b>Cc:</b> <a moz-do-not-send="true"
                          href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a><br>
                        <b>Subject:</b> Re: [Esapi-dev] OWASP CSRFGuard</span></p>
                  </div>
                </div>
                <p><span>My gut feel here is that we gain a lot more
                    by merging the work done here into ESAPI. CSRFGuard
                    is and has been a great project,
                    but as it stands &ndash; unmaintained right now (although
                    it is a very simple
                    project, with a very low level of maintenance) it
                    seems to me that a lot of
                    traction and momentum could be gained for the code
                    by merging with the ESAPI
                    project which is one of the more active OWASP
                    Projects AFAIK.<br>
                    <br>
                    This is really just my $0.02 and I don't want to
                    discount the work that
                    has been done on CSRF-Guard. As I stated it is a
                    great project and I personally
                    have used it in 3 projects successfully, but I also
                    think that as such a small
                    project it seems to be an easy one to forget about
                    in the grand scheme of
                    things.<br>
                    <br>
                    <br>
                    On 10/29/10 9:09 AM, "Jim Manico" &lt;<a
                      moz-do-not-send="true"
                      href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>&gt;
                    wrote:</span></p>
              </div>
              <div>
                <div>
                  <p><span>Hello,<br>
                      <br>
                      The OWASP CSRF guard project ( <a
                        moz-do-not-send="true"
                        href="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project">http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project</a>
                      ) has recently been deemed "inactive" and I'm
                      trying to help
                      bring it back to life.<br>
                      <br>
                      I'm taking a survey of folks who have used
                      CSRFGuard. In particular, I
                      would like to understand any potential
                      modifications CSRFGuard users have had
                      to make in order to implement it successfully for
                      their website.
                      I'd also like to hear of any success stories of
                      using CSRFGuard out of
                      the box.<br>
                      <br>
                      Any feedback regarding this matter is greatly
                      appreciated. <br>
                      <br>
                      Thanks kindly + Aloha,<br>
                      <br>
                      Jim Manico<br>
                      OWASP Podcast Producer<br>
                      OWASP ESAPI Project Manager<br>
                      <a moz-do-not-send="true" href="http://manico.net">http://manico.net</a>
                      </span></p>
                </div>
              </div>
              <div><span> </span></div>
              <div>
                <p><span>_______________________________________________<br>
                    Esapi-dev mailing list<br>
                    <a moz-do-not-send="true"
                      href="mailto:Esapi-dev@lists.owasp.org">Esapi-dev@lists.owasp.org</a><br>
                    <a moz-do-not-send="true"
                      href="https://lists.owasp.org/mailman/listinfo/esapi-dev">https://lists.owasp.org/mailman/listinfo/esapi-dev</a></span></p>
              </div>
            </div>
          </div>
          <br>
          _______________________________________________<br>
          OWASP-Leaders mailing list<br>
          <a moz-do-not-send="true"
            href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
          <a moz-do-not-send="true"
            href="https://lists.owasp.org/mailman/listinfo/owasp-leaders">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
          <br>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>