Category:OWASP Enterprise Security API

OWASP Enterprise Security API (ESAPI) Project
Many organizations share similar security concerns and require a similar set of security controls to address these concerns. Many platforms, frameworks, and toolkits contain security mechanisms, but they are frequently complex and require security expertise to use correctly. The purpose of the ESAPI is to provide a simple interface that provides all the ordinary security functions a developer is likely to need in a clear, consistent, and easy to use way.

The ESAPI architecture is very simple, just a collection of classes that encapsulate the key security operations most applications need:

Hi everyone,

I’ve really been getting a lot from the discussion on the list (and some side discussions). Based on the feedback I’ve made a number of enhancements to the ESAPI and it’s time for another release. Below are the changes in this version. Also, the code is now in the SVN repository at googlecode. I’ll be posting updated zip and jar files soon.


 * Javadoc online: http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/index.html
 * Code repository (subversion): http://code.google.com/p/owasp-esapi-java/
 * Report issues: http://code.google.com/p/owasp-esapi-java/issues/list

Architecture
http://www.owasp.org/images/d/de/OWASP_ESAPI_Architecture.png

The ESAPI covers most of the key security challenges facing application developers. ESAPI provides the capability for developers to create applications that are protected against almost all of the risks described in the OWASP Top Ten. Compare this coverage with automated scanning and static analysis tools, and then consider how your time is best spent.

http://www.owasp.org/images/e/e6/OWASP_ESAPI_Top_Ten.png

There are two key parts to the ESAPI:
 * A set of interfaces
 * A reference implementation

By using the ESAPI, applications across an organization will be easier to develop, more consistent, and easier to update in a single place. The use of the ESAPI will make it much easier for static analysis tools to verify an application, as the ESAPI calls can be built into the ruleset.

Join the OWASP ESAPI mailing list and help make ESAPI better!

Download Now
This release is the first public release and will undoubtably undergo significant revision over the coming months. We are seeking organizations willing to pilot this ESAPI and work with us to make this library better. Please contact jeff.williams@owasp.org for more information.


 * Full software baseline


 * Just the jar file


 * Simple test app and user admin interface

Documentation
Lots more information in the PowerPoint presentation contained in the documentation folder in the full release zip file.

There is also quite a bit of information in the javadoc documentation for the project, and the installation and build guide.