Difference between revisions of "ESAPI Roadmap"
From OWASP
Edit summaries: m (→Q3 2009) | m (→Q4 2009)

Changes at line 17 (unchanged context shown without a prefix, added lines with +, removed lines with −):

  * Add support for / integration with some key management system.
+ == Future Plans ==
+ * Provide tamper-evident logging using cryptographic primitives
+ * File-based encryption
− (four empty lines removed)
  == Other Improvements ==
Revision as of 19:29, 23 November 2010
Priorities
Focus on project charter... Volunteers get to work on what they want...
ESAPI 2.1
- Remove JavaEncryptor as a singleton (required so we can use persistent asymmetric key pairs and create digital signatures that persist across a JVM instance).
- Add a simpler means to use different cipher algorithms and/or key sizes. (Requires a major kludge today, which is not really thread-safe.)
- Support for persistent asymmetric key pairs in either Java or PKCS#12 key stores.
- Separate out crypto properties from the rest of ESAPI.properties (Google Issue #48).
ESAPI 3.0
- Add support for / integration with some key management system.
Future Plans
- Provide tamper-evident logging using cryptographic primitives
- File-based encryption
Other Improvements
- Internationalization
- ESAPI Scala Edition
- ESAPI PHP Edition
- ESAPI .NET Edition
- Documentation
  - Guide to fixing specific vulnerabilities with ESAPI
  - How to integrate into an existing app
  - Marketing pages to "sell" ESAPI
- Threat Model for each control (assumptions and coverage)
- Filter to do intrusion detection and/or virtual patching (WAF?)
- Real example Struts application showing before and after security problems
- Easy and efficient dev environment and install w/ clear documentation
- Framework layer integration features (bridges?)
- Threat Model - SRA of encryption implementation
- Separate "day-to-day" calls from "admin-like" calls