4

I've been recently tasked with leading an effort to improve our input (and output) validation with OWASP recommendations and PCI compliance in mind. In the process, I'm trying to assess the value of the ESAPI.NET project which does not appear to have seen any activity since the spring of '09 and as it stands is incomplete.

Does anyone have experience using or extending ESAPI.NET v0.2? Is it a good starting place today for building out an infrastructure to address the targeted vulnerabilities?

FYI: I am looking at MS AntiXSS which, of course, only addresses a portion of ESAPI's scope. We already do a good job with SQL injection though there are improvements we need to make.

(If someone wants to create an ESAPI tag, feel free. I don't have the mojo.)

Armance
Rick Putnam
  • Yes, we need more energy on that project. Are you able to help? If so, why don't you join the leadership of the ESAPI .Net project and make it happen? :) – Dinis Cruz Dec 06 '11 at 18:02

3 Answers

4

Looks like there were a couple updates last week: http://code.google.com/p/owasp-esapi-dotnet/source/list

You might contact one of the project leads on that list to ask what's going on.


NOTE (05/26/2012): the last update on that project was Dec 4, 2010. Yes, it is dead.

NotMe
  • Thanks, Chris. I was only looking at the releases. I'll dig deeper. – Rick Putnam Dec 01 '10 at 16:12
  • NOTE for future readers. The LAST update to that project occurred on December 4 of 2010 (a week after my answer was posted here). So, yes, it appears to be completely dead now. – NotMe May 27 '12 at 00:21
1

The project itself seems dead; there are, however, some people who maintain a GitHub copy with several (minor?) additions...

https://github.com/haldiggs/owasp-esapi-dotnet

https://github.com/jstemerdink/owasp-esapi-dotnet

Lonzak
1

It looks like ESAPI is dead, period. There's nobody using it, there are no questions, no forums, no information, nothing. The listservs (what is this, 1996?) are barren too. The documentation is terrible and the samples in the swingset don't work (the server that installs is HTTP, not HTTPS, and no transactions can be made in HTTP mode).

Seems to be a dead end project.

PengOne
ChopperCharles
  • 2
    Dead for .NET perhaps. Alive and kicking for Java. (I've implemented it in two corporations, one Fortune 500 and one Fortune 1000.) ESAPI is also used as the de facto training tool for security remediation by SANS and Veracode alike. – avgvstvs Mar 20 '14 at 15:22