From a712640835294849abe3f9cd4eb93dfef06ca819 Mon Sep 17 00:00:00 2001 From: cschmidt Date: Fri, 25 Mar 2016 08:38:48 -0600 Subject: [PATCH 1/4] Added roadmap --- ESAPI-3.0.0-ROADMAP.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 ESAPI-3.0.0-ROADMAP.md diff --git a/ESAPI-3.0.0-ROADMAP.md b/ESAPI-3.0.0-ROADMAP.md new file mode 100644 index 0000000..1152fb9 --- /dev/null +++ b/ESAPI-3.0.0-ROADMAP.md 
@@ -0,0 +1,32 @@ +# Roadmap for ESAPI 3.0.0 + +## Google-SoC Tasks + +### Provide implementations of the interfaces (in a seperate project, as a standalone component) that implements the following interfaces + +* Encoder +* Validator +* Authenticator +* AccessController + +These implementations can be wrappers around existing tools, the primary purpose of this exercise is to evaluate the provided APIs to ensure that the interfaces are usable to developers. + +### Test Suite + +ESAPI 3.0.0 will provide an additional component (ESTAPI - thanks to Dinis Cruz for the name) which will allow implementors to run tests against their implementations of a given control to ensure that it is in fact implemented securely. For GSoC I would like to focus this effort on a set of concrete tests for the Validator and Encoder interfaces as well as a fuzz test against both of those interfaces as well. Propose a design for how the tests will function and be run, then create a new repository (and link back to ESAPI/esapi-java) with your implementation. + +### Centralized Security Policy Manager + +One of the things that ESAPI aimed to provide was a means to enforce a centrally managed enterprise security policy in a provable way. Propose an idea and implement a proof-of-concept using the following design concepts: + +* The enterprise security policy should be published in a parseable format - it can be XML, JSON, or any other schema based language. +* The enterprise security policy should allow downstream configuration overrides, but provide a audit event indicating a policy item has been overridden by a child policy +* The enterprise security policy should have a simple interface for configuration of the policy parameters, and should provide sane defaults for all controls + +## Release Goals + +1. *Design Verification* - Interfaces should be fairly locked down at the first release. 
The interfaces should be tested thoroughly by implementing a baseline set of components *and* testing inclusion of those components in real-world applications. +1. *Solid interface documentation* - All interfaces should be fully documented in Javadoc +1. *Component Community Library* - An Apple Store'esque implementation of a community containing reviewed and approved controls that implementors can pull into their projects +1. *Discovery* - The ESAPI should provide a discovery module that discovers, registers, and configures controls (according to the enterprise security policy) - this can function similar to OSGi +1. *ESTAPI* - A full suite of tests that can provide assurance that controls are implemented correctly. ESTAPI testing will be a pre-requisite to inclusion in the Component Community Library. From 4f6f2e7f2263c5974809c8d9a87e6175f3d08cf1 Mon Sep 17 00:00:00 2001 From: kwwall Date: Fri, 17 Jul 2020 21:50:54 -0400 Subject: [PATCH 2/4] Rewrite this as it hadn't been touched for 6+ years. --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 97d49e9..3ad453b 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,8 @@ Welcome to the Home of ESAPI 3.x News ========== -2 Sept 2014 - We are gearing up to get some great stuff done at AppSecUSA in Denver this month. We'll be announcing our schedule and where we'll be at the conference soon! Stay tuned! +The development of ESAPI 3 is still within the _very early_ planning stages. The code that is currently in this GitHub repo (as of 2020-07-17) is likely to be completely rewritten, possibly several times. If you wish to participate, please sign up for the Google Group "[esapi-project-dev](mailto:esapi-project-dev@owasp.org)", and feel free to start a new discussion thread. Note you MUST subscribe to the Google Group list before you may POST to it. [Subscribe to ESAPI Developers list](https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-dev/join). - -For more information on ESAPI or information on ESAPI 2.x please visit our wiki page at https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API +Notes +========== +For more information on ESAPI or information on ESAPI 2.x please visit our wiki page at https://owasp.org/www-project-enterprise-security-api/ and before you start using ESAPI, do yourself a favor and be sure to read the "[Should I use ESAPI?](https://owasp.org/www-project-enterprise-security-api/#div-shouldiuseesapi)" tab there. From c0fe4b917109c6167e9b096ca60be689b913d7f2 Mon Sep 17 00:00:00 2001 From: "Kevin W. Wall" Date: Thu, 27 Jan 2022 09:43:14 -0500 Subject: [PATCH 3/4] Update README.md Try to clarify that they are probably really looking for ESAPI 2.x at https://github.com/ESAPI/esapi-java-legacy. --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ad453b..fde322a 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,10 @@ Welcome to the Home of ESAPI 3.x News ========== -The development of ESAPI 3 is still within the _very early_ planning stages. The code that is currently in this GitHub repo (as of 2020-07-17) is likely to be completely rewritten, possibly several times. If you wish to participate, please sign up for the Google Group "[esapi-project-dev](mailto:esapi-project-dev@owasp.org)", and feel free to start a new discussion thread. Note you MUST subscribe to the Google Group list before you may POST to it. [Subscribe to ESAPI Developers list](https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-dev/join). +First off, if you are looking for a version of ESAPI to use with your JVM-based project, this is not the one you are looking for. Instead, you want the latest ESAPI 2.x version from [esapi-java-legacy](https://github.com/ESAPI/esapi-java-legacy). This ESAPI repo is for the development of ESAPI 3 which +is still in the _very early_ planning stages. The code that is currently in this GitHub repo (as of 2020-07-17) is likely to be completely rewritten, possibly several times, therefore please do not bother to submit PRs or GitHub issues relating to outdated or vulnerable dependencies. ESAPI 3 has not been released, even as a Release Candidate and we will make sure all the dependencies are updated when we do get around to making RC versions available. + +If you wish to participate, please sign up for the Google Group "[esapi-project-dev](mailto:esapi-project-dev@owasp.org)", and feel free to start a new discussion thread. Note you MUST subscribe to the Google Group list before you may POST to it. [Subscribe to ESAPI Developers list](https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-dev/join). Notes ========== From 61e4693355bf1b90a29d27149c0ab6436056ab90 Mon Sep 17 00:00:00 2001 
From: kwwall Date: Tue, 20 Dec 2022 22:39:57 -0500 Subject: [PATCH 4/4] Update to testng 7.7.0 so dependabot stops complaining about vulnerabilities. (See https://github.com/ESAPI/esapi-java/security/dependabot/1.) Note I think this version of testng requires Java 11 or later. Also note that this really wasn't an issue because: * The vulnerability is only with a dependency of scope 'test'. * We currently have no tests anyway. --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 0655b75..3b87637 100644 --- a/pom.xml +++ b/pom.xml @@ -147,7 +147,7 @@ org.testng testng - 6.8.5 + 7.7.0 test @@ -158,4 +158,4 @@ - \ No newline at end of file +
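Review bot: In PATCH 1/4 (new file ESAPI-3.0.0-ROADMAP.md), the third bullet under "Centralized Security Policy Manager" lets a child policy override any enterprise policy item with nothing more than an audit event, which is in tension with the opening goal of enforcing the central policy "in a provable way"; the roadmap should state which policy items are non-overridable (or need explicit approval) so that an audit trail is not the only control. Two spelling fixes in the same file: "seperate" in the first "###" heading should be "separate", and "provide a audit event" should be "provide an audit event".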
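Review bot: In PATCH 2/4 (README.md, hunk @@ -7,7 +7,8 @@), the new News paragraph links the list name straight to `mailto:esapi-project-dev@owasp.org` and only afterwards says readers MUST subscribe before posting; move the "Subscribe to ESAPI Developers list" link ahead of the mailto link (or drop the mailto) so unsubscribed readers do not mail the list and get bounced. The hard-coded "(as of 2020-07-17)" will be stale as soon as the repo changes again; consider removing the date or referring to the commit instead.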
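Review bot: In PATCH 3/4 (README.md, hunk @@ -7,7 +7,10 @@), the rewritten paragraph still says "(as of 2020-07-17)" although this commit is dated 2022-01-27, so the date should be updated or removed. The sentence asking people not to submit PRs or issues about outdated or vulnerable dependencies is reasonable for unreleased code, but as written it could be read as "do not report vulnerabilities" for a security project; add one line saying where genuine security reports for ESAPI 3 should go.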
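Review bot: In PATCH 4/4 (pom.xml, hunk @@ -147,7 +147,7 @@), the commit message says testng 7.7.0 likely requires Java 11 or later, but the hunk only changes `- 6.8.5` to `+ 7.7.0`; if that requirement is real, the same change should raise the compiler source/target (for example via `maven.compiler.release`) and mention the Java 11 requirement in README.md, otherwise a Java 8 build fails with no explanation. The surrounding context line `test` confirms the dependency is test-scoped, which matches the commit message's reasoning that the Dependabot finding carried no runtime exposure. The second hunk (@@ -158,4 +158,4 @@) only adds the missing newline at end of file, which is fine.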