This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Enterprise Security API"

From OWASP
Jump to: navigation, search
Line 3: Line 3:
 
Many organizations share similar security concerns and require a similar set of security controls to address these concerns. Many platforms, frameworks, and toolkits contain security mechanisms, but they are frequently complex and require security expertise to use correctly. The purpose of the ESAPI is to provide a simple interface that provides all the ordinary security functions a developer is likely to need in a clear, consistent, and easy to use way.
 
Many organizations share similar security concerns and require a similar set of security controls to address these concerns. Many platforms, frameworks, and toolkits contain security mechanisms, but they are frequently complex and require security expertise to use correctly. The purpose of the ESAPI is to provide a simple interface that provides all the ordinary security functions a developer is likely to need in a clear, consistent, and easy to use way.
  
[[Image:OWASP ESAPI Architecture.png]]
+
* [[Image:OWASP ESAPI Architecture.png]]
  
[[Image:OWASP ESAPI Top Ten.png]]
+
* [[Image:OWASP ESAPI Top Ten.png]]
  
We hope that organizations will adopt the ESAPI and build their applications to use it. While we will provide a reference implementation of the ESAPI, we expect that most organizations will modify and extend this implementation to suit their own internal security mechanisms. For example, the access control functions may be modified to use a set of roles determined by an existing network access control system. Or the logging function may be implemented as a wrapper of an existing logging infrastructure.
+
There are two key parts to the ESAPI:
 +
* A set of interfaces
 +
* A reference implementation
  
 
By using the ESAPI, applications across an organization will be easier to develop, more consistent, and easier to update in a single place. The use of the ESAPI will make it much easier for static analysis tools to verify an application, as the ESAPI calls can be built into the ruleset.
 
By using the ESAPI, applications across an organization will be easier to develop, more consistent, and easier to update in a single place. The use of the ESAPI will make it much easier for static analysis tools to verify an application, as the ESAPI calls can be built into the ruleset.
 +
 +
Join the [http://lists.owasp.org/mailman/listinfo/owasp-esapi OWASP ESAPI mailing list] and help make ESAPI better!
  
 
==Download Now==
 
==Download Now==
 +
 +
This release is the first public release and will undoubtably undergo significant revision over the coming months. We are seeking organizations willing to pilot this ESAPI and work with us to make this library better.  Please contact [email protected] for more information.
  
 
* [http://www.owasp.org/images/8/84/Esapi1.0.zip Full software baseline]
 
* [http://www.owasp.org/images/8/84/Esapi1.0.zip Full software baseline]
Line 19: Line 25:
 
* [http://www.owasp.org/images/8/8e/Esapi_test.zip Simple test app and user admin interface]
 
* [http://www.owasp.org/images/8/8e/Esapi_test.zip Simple test app and user admin interface]
  
==ESAPI Design Goals==
+
==Documentation==
 
 
* Easy to retrofit to existing applications
 
* Easy to extend and customize
 
* Dead simple to understand and use with confidence
 
* Based on use cases
 
* Full test case suite
 
* Must support organizations with no other security infrastructure
 
* Absolute emphasis on correctness over performance
 
* Focus on the most risky areas, and leave out less important areas for simplicity
 
* Include only methods that would be useful in a large percentage of applications
 
  
==ESAPI Design Choices==
+
Lots more information in the PowerPoint presentation contained in the documentation folder in the full release zip file.
  
* Interfaces with concrete reference implementation
+
There is also quite a bit of information in the javadoc documentation for the project, and the installation and build guide.
* The interface only contains the public methods a developer would be expected to call
 
* Avoid confusing "pluggable" implementations
 
* Simple singleton approach with many non-static methods
 
* Threadsafe
 

Revision as of 08:18, 16 November 2007

OWASP Enterprise Security API (ESAPI) Project

Many organizations share similar security concerns and require a similar set of security controls to address these concerns. Many platforms, frameworks, and toolkits contain security mechanisms, but they are frequently complex and require security expertise to use correctly. The purpose of the ESAPI is to provide a simple interface that provides all the ordinary security functions a developer is likely to need in a clear, consistent, and easy to use way.

There are two key parts to the ESAPI:

  • A set of interfaces
  • A reference implementation

By using the ESAPI, applications across an organization will be easier to develop, more consistent, and easier to update in a single place. The use of the ESAPI will make it much easier for static analysis tools to verify an application, as the ESAPI calls can be built into the ruleset.

Join the OWASP ESAPI mailing list and help make ESAPI better!

Download Now

This release is the first public release and will undoubtably undergo significant revision over the coming months. We are seeking organizations willing to pilot this ESAPI and work with us to make this library better. Please contact [email protected] for more information.

Documentation

Lots more information in the PowerPoint presentation contained in the documentation folder in the full release zip file.

There is also quite a bit of information in the javadoc documentation for the project, and the installation and build guide.

Retrieved from "https://wiki.owasp.org/index.php?title=Category:OWASP_Enterprise_Security_API&oldid=23463"