Difference between revisions of "GPC Project Details/OWASP Enterprise Security API"

Purpose: Don’t write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes. OWASP Enterprise Security API (ESAPI) Toolkits help software developers guard against security‐related design and implementation flaws. ESAPI is designed to make it easy to retrofit security into existing applications, as well as providing a solid foundation for new development. Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

• There is a set of security control interfaces. They define for example types of parameters that are passed to types of security controls.

• There is a reference implementation for each security control. The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.

• There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

License: BSD license

Project Maintainer: Mike Boberski @

Project Contributor(s): N/A

3x slide Project Presentation: View

Mailing list: Subscribe or read the archives

Project Roadmap: N/A

Main links:

• General ESAPI information
• ESAPI for Java EE
• ESAPI for .NET
• ESAPI for Classic ASP
• ESAPI for PHP
• ESAPI for ColdFusion/CFML
• ESAPI for Python
• ESAPI for JavaScript
• ESAPI for Haskell

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

• Contact Jeff Williams @ to contribute, review or sponsor this project
• Contact the GPC to report a problem or concern about this project or to update information.