Difference between revisions of "ESAPI Roadmap"

Revision as of 19:28, 23 November 2010

Priorities

Focus on project charter... Volunteers get to work on what they want...

ESAPI 2.1

• Remove JavaEncryptor as singleton (required so we can use persistent asymmetric key pairs and create dsigs that persist across a JVM instance).
• Add simpler means to use different cipher algorithms and/or key sizes. (Requires a major kludge today, which is not really thread-safe.
• Support for persist asymmetric key pairs in either Java or PKCS#12 key stores.
• Separate out crypto properties from rest of ESAPI.propertie. (i.e., Google Issue #48).

Q1 2009

• Stabilize the API
  • Access control 2.0
  • Validation 2.0
  • Logging 2.0
  • Crypto 2.0

• Documentation
  • Getting started guide
  • How ESAPI makes you secure
  • Executive overview

Q2 2009

• CSRF protection
• Pilot

Q3 2009

• Update ESAPI 2.0 to take advantage of Java 5
• Improve Unit Test Coverage

Q4 2009

• Documentation - Installation Guide
• Reference Implementation - Encryption Refactor
• Ensure Thread-Safety
• Resolve Fortify and FindBugs issues
• Release ESAPI 2.0

Other Improvements

• Internationalization
• ESAPI Scala Edition
• ESAPI PHP Edition
• ESAPI .NET Edition

• Documentation
  • Guide to fixing specific vulnerabilities with ESAPI
  • How to integrate into existing app
  • Marketing pages to "sell" ESAPI
  • Threat Model for each control (assumptions and coverage)

• Filter to do intrusion detection and/or virtual patching (WAF?)
• Real example Struts application showing before and after security problems
• Easy and efficient dev environment and install w/ clear documentation
• Framework layer integration features (bridges?)
• Threat Model - SRA of encryption implementation
• Separate "day-to-day" calls from "admin-like" calls