ESAPI Roadmap

Priorities
Focus on the project charter. Volunteers get to work on what they want.

Q4 2008

 * Fix JavaScript encoding
 * Documentation
   * Get Javadoc back online
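
The "Fix JavaScript encoding" item above does not say what was wrong, so the following is an added illustration of what a JavaScript-context encoder has to get right; it is not ESAPI code. It follows the whitelist approach ESAPI's encoders take (alphanumerics pass through, everything else is hex-escaped) and adds a checker that shows why HTML entity encoding is the wrong tool inside an onclick handler, where the HTML parser decodes the attribute before the JavaScript engine ever sees it. Python is used so the example runs stand-alone; the function names, the whitelist and the sample payloads are constructed for this example.

```python
import html
import re

# Whitelist of characters passed through unchanged.  Constructed for this
# example: alphanumerics only, mirroring the whitelist approach ESAPI's
# encoders take; everything else is hex-escaped.
_ALNUM = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
)


def encode_for_javascript(s: str) -> str:
    """Escape s for use inside a quoted JavaScript string literal.

    Alphanumerics pass through.  Any other character becomes \\xHH for code
    points below 0x100 and \\uHHHH otherwise; code points above 0xFFFF are
    emitted as a \\uHHHH surrogate pair because the JS engine works in
    UTF-16 code units.  The output consists only of [A-Za-z0-9\\x], so it
    cannot close the literal, contain a raw line terminator, spell
    "</script", or be altered by a later HTML entity decode.
    """
    out = []
    for ch in s:
        if ch in _ALNUM:
            out.append(ch)
            continue
        cp = ord(ch)
        if cp < 0x100:
            out.append(f"\\x{cp:02X}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04X}")
        else:
            cp -= 0x10000
            hi, lo = 0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)
            out.append(f"\\u{hi:04X}\\u{lo:04X}")
    return "".join(out)


def html_attribute_encode(s: str) -> str:
    """HTML entity encoding of &, <, >, " and '.  Correct for HTML text and
    attribute values, but NOT a JavaScript encoder: the wrong tool for the
    nested context modelled below."""
    return html.escape(s, quote=True)


def string_literal_is_intact(body: str, quote: str = '"') -> bool:
    """True if quote + body + quote parses as exactly one JS string literal.

    Walks the body honouring backslash escapes.  An unescaped closing quote
    or a raw line terminator (LF, CR, U+2028, U+2029) ends the literal early,
    and "</script" (case-insensitive) ends the enclosing <script> element no
    matter where it sits inside the literal.
    """
    if re.search(r"</script", body, re.IGNORECASE):
        return False
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 2  # the escaped character belongs to the literal
            continue
        if ch == quote or ch in "\n\r\u2028\u2029":
            return False
        i += 1
    return True


def onclick_payload_intact(user: str, encoder) -> bool:
    """Model of onclick="f('<encoder(user)>')".

    The HTML parser entity-decodes the attribute value BEFORE the JS engine
    parses it, so the encoder's output is run through html.unescape first
    and only then checked as a single-quoted JS literal.  HTML encoding
    alone fails here: its &#x27; is decoded back to a quote that ends the
    literal.  JavaScript encoding survives because its output contains no
    characters an entity decode can change.
    """
    attribute_value = "f('" + encoder(user) + "')"
    decoded = html.unescape(attribute_value)
    body = decoded[len("f('"):-len("')")]
    return string_literal_is_intact(body, quote="'")


if __name__ == "__main__":
    payload = "x'); alert(1); //"  # constructed attacker input
    for name, enc in [("none", lambda s: s),
                      ("html", html_attribute_encode),
                      ("javascript", encode_for_javascript)]:
        print(f"{name:10} intact={onclick_payload_intact(payload, enc)}")
```

Nested contexts are encoded inside-out: JavaScript encoding first, then HTML attribute encoding for the enclosing attribute. In this model the outer step is a no-op because the JavaScript encoder emits nothing an entity encoder would touch, which is exactly the property that makes the hex-escape-everything rule safe to compose.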

Q1 2009

 * Stabilize the API
 * Access control 2.0
 * Validation 2.0
 * Logging 2.0
 * Crypto 2.0
 * Documentation
   * Getting started guide
   * How ESAPI makes you secure
   * Executive overview

Q2 2009

 * CSRF protection
 * Pilot

Q3 2009

 * Update ESAPI 2.0 to take advantage of Java 5
 * Improve Unit Test Coverage

Q4 2009

 * Documentation - Installation Guide
 * Reference Implementation - Encryption Refactor
 * Ensure Thread-Safety
 * Resolve Fortify and FindBugs issues
 * Release ESAPI 2.0

Other Improvements

 * Internationalization
 * ESAPI Scala Edition
 * ESAPI PHP Edition
 * ESAPI .NET Edition
 * Documentation
   * Guide to fixing specific vulnerabilities with ESAPI
   * How to integrate into an existing app
   * Marketing pages to "sell" ESAPI
   * Threat Model for each control (assumptions and coverage)
 * Filter to do intrusion detection and/or virtual patching (WAF?)
 * Real example Struts application showing before and after security problems
 * Easy and efficient dev environment and install w/ clear documentation
 * Framework layer integration features (bridges?)
 * Threat Model - SRA of encryption implementation
 * Separate "day-to-day" calls from "admin-like" calls