
Projects Reboot 2012 - OWASP ESAPI

Revision as of 18:31, 25 July 2012 by Chris Schmidt (talk | contribs)


Reboot Type: Type 1

ESAPI:Redesign (October 2012 - Columbus, Oh) -- $3-5K

The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to create a new ESAPI vision. The current API is outdated and ineffective in several key areas, and the project has suffered extreme bloat, resulting in a large footprint and forcing an application's codebase to carry a lot of functionality that is never used. The key objectives for this meeting will be:

  • Evaluate the current threat landscape and propose alteration, removal, or addition of controls to the ESAPI core.
  • Evaluate the contracts of the API and establish a new API Specification
  • Create a threat model for each control including the threats the control mitigates, the assumptions made by the contract, and the desired output of the control
  • Establish a testing infrastructure for implementations of controls to ensure compatibility and conformance with the specification

The budget for this effort is as follows:

  • Travel/Lodging for key stakeholders -- $2.5k
    • Chris Schmidt (Denver, Co) -- Unconfirmed
    • Kevin Wall (Columbus, Oh) -- Unconfirmed
    • John Steven (Washington, DC) -- Unconfirmed
    • Jeff Williams (Columbia, MD) -- Unconfirmed
  • Catering (Breakfast/Lunch) -- $500

ESAPI:Rebooted Hackathon (December 2012 - Denver, Co) -- $5-8k

The ESAPI:Rebooted Hackathon will be a 2-day event held in the Denver area during early December. The primary goals of the hackathon are to foster new development and contributions from the development community and extend the reach of ESAPI into additional platforms. Developers attending the hackathon will compete to create ESAPI-Enabled components (leveraging the new API). The core team will be responsible for ensuring the API is ready before the hackathon and providing end users with the API. Judging for the hackathon will be done by industry specialists and the core ESAPI team. Categories for awards will be:

  • Best Mobile Component
  • Best Cloud Component
  • Best Application Component
  • Best Overall Component Package

Desired Outcomes of ESAPI:Rebooted

  • Ready-to-use control components for various platforms using the new ESAPI architecture
  • Recruitment for additional contributors to the ESAPI repository
  • Developer Community and Awareness around the Project
  • Travel and Lodging for core ESAPI Team (currently Kevin Wall, Jeff Williams, and Chris Schmidt) -- $2k
  • Marketing Material / Online Advertising Budget -- $2k
  • Catering -- $1k

It is anticipated that a portion of the budget will be covered by sponsors for the event. Additionally, prizes for the attendees of the Hackathon will be provided by event sponsors.

ESAPI:Tutorials Video Series -- ~$2k

At the ESAPI Summit in MN last year, the ESAPI Team identified as a key item the need for a set of easy-to-follow tutorials on implementing and using ESAPI controls in applications. These tutorials should be created in the same format as the OWASP Tutorials video library.

The anticipated budget for this at this point is unknown. The required staff will include (1) Voice Actor, (1) Video Producer, (1) Audio Producer, (1) Graphic Designer.

ESAPI:Documentation Sprint -- ~$2k

A need has been identified to produce a reference manual for ESAPI. This manual will cover everything from installation to writing custom controls and components for ESAPI.

The anticipated budget for this at this point is unknown. The required staff will be (1-3) Authors, (1) Graphic Designer, (1) Editor.