ESAPI Roadmap

Priorities
Focus on project charter... Volunteers get to work on what they want...

ESAPI 2.1

 * Remove JavaEncryptor as a singleton (required so we can use persistent asymmetric key pairs and create digital signatures that persist across a JVM instance).
 * Add a simpler means to use different cipher algorithms and/or key sizes. (Requires a major kludge today, which is not really thread-safe.)
 * Support for persisting asymmetric key pairs in either Java or PKCS#12 key stores.
 * Separate out crypto properties from the rest of ESAPI.properties (i.e., Google Issue #48).

Q1 2009

 * Stabilize the API
 * Access control 2.0
 * Validation 2.0
 * Logging 2.0
 * Crypto 2.0

 * Documentation
   * Getting started guide
   * How ESAPI makes you secure
   * Executive overview

Q2 2009

 * CSRF protection
 * Pilot

Q3 2009

 * Update ESAPI 2.0 to take advantage of Java 5
 * Improve Unit Test Coverage

Q4 2009

 * Documentation - Installation Guide
 * Reference Implementation - Encryption Refactor
 * Ensure Thread-Safety
 * Resolve Fortify and FindBugs issues
 * Release ESAPI 2.0

Q1 2010

 * Fix bug with escaped characters in .properties file

Other Improvements

 * Internationalization
 * ESAPI Scala Edition
 * ESAPI PHP Edition
 * ESAPI .NET Edition

 * Documentation
   * Guide to fixing specific vulnerabilities with ESAPI
   * How to integrate into an existing app
   * Marketing pages to "sell" ESAPI
   * Threat Model for each control (assumptions and coverage)

 * Filter to do intrusion detection and/or virtual patching (WAF?)
 * Real example Struts application showing before and after security problems
 * Easy and efficient dev environment and install w/ clear documentation
 * Framework layer integration features (bridges?)
 * Threat Model - SRA of encryption implementation
 * Separate "day-to-day" calls from "admin-like" calls