This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "ESAPI Charter"

From OWASP
Jump to: navigation, search
 
Line 1: Line 1:
 
==ESAPI Charter==
 
==ESAPI Charter==
  
The goal of the OWASP ESAPI Project is to ensure that "strong simple security controls are available to every developer in every environment."
+
The goal of the OWASP ESAPI Project is to ensure:
  
1) Strong - strong controls do not contain vulnerabilities and provide complete protection against the threats they were designed for.
+
  strong simple security controls are available
 +
  to every developer in every environment
  
2) Simple - controls that are not easy to use will most likely be misused by developers and create vulnerability
+
;Strong:Strong controls do not contain vulnerabilities and provide complete protection against the threats they were designed for.
  
3) Available - controls are available if they are present in the developer's environment in a way that makes them easy and obvious to use. The goal of the ESAPI project is not to replace good security controls that are already available in programming environments.  Nor is it our goal to make developers access security controls directly.  It's even better if the controls are already present or are integrated into a framework in a way that is invisible or automatic to developers.
+
;Simple:Controls that are not easy to use will most likely be misused by developers and create vulnerability
  
4) Every Developer - It is difficult to imagine a developer that does not need a set of basic security controls in their environment, from students to senior architects.
+
;Available:Controls are available if they are present in the developer's environment in a way that makes them easy and obvious to use. The goal of the ESAPI project is not to replace good security controls that are already available in programming environments.  Nor is it our goal to make developers access security controls directly.  It's even better if the controls are already present or are integrated into a framework in a way that is invisible or automatic to developers.
  
5) Every Environment - Our initial target is server-side web environments, then we plan to extend to both web service environments and client side frameworks, and eventually other non-web programming environments.
+
;Every Developer:It is difficult to imagine a developer that does not need a set of basic security controls in their environment, from students to senior architects.
 +
 
 +
;Every Environment:Our initial target is server-side web environments, then we plan to extend to both web service environments and client side frameworks, and eventually other non-web programming environments.
 +
 
 +
 
 +
== Coverage ==
 +
 
 +
Obviously we cannot provide security controls in every environment all at once. Therefore, we've decided to focus on several key software environments that are widely used and we will expand the list over time. Here is our current scorecard:
 +
 
 +
<table border="1" align="center" width="95%">
 +
 
 +
<tr align="center">
 +
  <td>Security Area</td>
 +
  <td>Java EE</td>
 +
  <td>.NET</td>
 +
  <td>PHP</td>
 +
  <td>Classic ASP</td>
 +
  <td>Haskell</td>
 +
  <td>Cold Fusion</td>
 +
</tr>
 +
 
 +
<tr align="center">
 +
  <td>Authentication</td>
 +
  <td>&copy;</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Session Management</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Access Control</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Input Validation</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Canonicalization</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Output Encoding</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Security Exceptions</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Security Logging</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Intrusion Detection</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Encryption</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>Randomness</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
 
 +
<tr align="center">
 +
  <td>HTTP Protections</td>
 +
  <td>&copy;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
  <td>&nbsp;</td>
 +
</tr>
 +
 
 +
</table>

Latest revision as of 03:51, 28 December 2008

ESAPI Charter

The goal of the OWASP ESAPI Project is to ensure:

  strong simple security controls are available
  to every developer in every environment
Strong
Strong controls do not contain vulnerabilities and provide complete protection against the threats they were designed for.
Simple
Controls that are not easy to use will most likely be misused by developers and create vulnerability
Available
Controls are available if they are present in the developer's environment in a way that makes them easy and obvious to use. The goal of the ESAPI project is not to replace good security controls that are already available in programming environments. Nor is it our goal to make developers access security controls directly. It's even better if the controls are already present or are integrated into a framework in a way that is invisible or automatic to developers.
Every Developer
It is difficult to imagine a developer that does not need a set of basic security controls in their environment, from students to senior architects.
Every Environment
Our initial target is server-side web environments, then we plan to extend to both web service environments and client side frameworks, and eventually other non-web programming environments.


Coverage

Obviously we cannot provide security controls in every environment all at once. Therefore, we've decided to focus on several key software environments that are widely used and we will expand the list over time. Here is our current scorecard:

Security Area Java EE .NET PHP Classic ASP Haskell Cold Fusion
Authentication © ©        
Session Management ©          
Access Control ©          
Input Validation ©          
Canonicalization ©          
Output Encoding ©          
Security Exceptions ©          
Security Logging ©          
Intrusion Detection ©          
Encryption ©          
Randomness ©          
HTTP Protections ©