This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Enterprise Security API"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
==OWASP Enterprise Security API (ESAPI) Project==
 
==OWASP Enterprise Security API (ESAPI) Project==
  
Many organizations share similar security concerns and require a similar set of security controls to address these concerns. Many platforms, frameworks, and toolkits contain security mechanisms, but they are frequently complex and require security expertise to use correctly. The purpose of the ESAPI is to provide a simple interface that provides all the ordinary security functions a developer is likely to need in a clear, consistent, and easy to use way.
+
The ESAPI is a collection of all the security methods that a developer needs to build a secure web application. You can just use the interfaces and build your own implementation using your company's infrastructure. Or, you can use the reference implementation as a starting point.
  
The ESAPI architecture is very simple, just a collection of classes that encapsulate the key security operations most applications need:
+
Unfortunately, the available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc...) simply do not provide enough protection. This leaves developers with responsibility for designing and building security mechanisms.  This reinventing the wheel for every application leads to wasted time and massive security holes.
  
Hi everyone,
+
The ESAPI architecture is very simple, just a collection of classes that encapsulate the key security operations most applications need.
  
I’ve really been getting a lot from the discussion on the list (and some side discussions). Based on the feedback I’ve made a number of enhancements to the ESAPI and it’s time for another release.  Below are the changes in this version.  Also, the code is now in the SVN repository at googlecode. I’ll be posting updated zip and jar files soon.
+
* Javadoc online: http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/index.html
  
* Javadoc online: http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/index.html
 
 
* Code repository (subversion): http://code.google.com/p/owasp-esapi-java/
 
* Code repository (subversion): http://code.google.com/p/owasp-esapi-java/
 +
 
* Report issues: http://code.google.com/p/owasp-esapi-java/issues/list
 
* Report issues: http://code.google.com/p/owasp-esapi-java/issues/list
  

Revision as of 19:00, 20 January 2008

OWASP Enterprise Security API (ESAPI) Project

The ESAPI is a collection of all the security methods that a developer needs to build a secure web application. You can just use the interfaces and build your own implementation using your company's infrastructure. Or, you can use the reference implementation as a starting point.

Unfortunately, the available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc...) simply do not provide enough protection. This leaves developers with responsibility for designing and building security mechanisms. This reinventing the wheel for every application leads to wasted time and massive security holes.

The ESAPI architecture is very simple, just a collection of classes that encapsulate the key security operations most applications need.

Architecture

OWASP_ESAPI_Architecture.png

The ESAPI covers most of the key security challenges facing application developers. ESAPI provides the capability for developers to create applications that are protected against almost all of the risks described in the OWASP Top Ten. Compare this coverage with automated scanning and static analysis tools, and then consider how your time is best spent.

OWASP_ESAPI_Top_Ten.png

There are two key parts to the ESAPI:

  • A set of interfaces
  • A reference implementation

By using the ESAPI, applications across an organization will be easier to develop, more consistent, and easier to update in a single place. The use of the ESAPI will make it much easier for static analysis tools to verify an application, as the ESAPI calls can be built into the ruleset.

Join the OWASP ESAPI mailing list and help make ESAPI better!

Download Now

This release is the first public release and will undoubtably undergo significant revision over the coming months. We are seeking organizations willing to pilot this ESAPI and work with us to make this library better. Please contact [email protected] for more information.

Documentation

Lots more information in the PowerPoint presentation contained in the documentation folder in the full release zip file.

There is also quite a bit of information in the javadoc documentation for the project, and the installation and build guide.

Retrieved from "https://wiki.owasp.org/index.php?title=Category:OWASP_Enterprise_Security_API&oldid=24584"