This page documents our current thoughts on the various documents we need to produce for the ESAPI project, and the audience, purpose, and high-level outline of each document.
- ESAPI Executive Overview
Purpose: To provide executives with an understanding of:
- What ESAPI is, and its goals
- Why an ESAPI is necessary (application security is important, why that is, and the value of standardization)
- The benefits of using an ESAPI (cost, ROI)
- The current status of ESAPI (maturity, stability, licensing, support)
- Who created it, where it came from, its credibility, and who is using it
- How to adopt an ESAPI
Outline: (See Purpose)
- FAQ (For non-users)
Audience: Potential users of ESAPI
Purpose: To provide 'quick hit' information about ESAPI
Topics: Summary of main points in the Executive Overview
- FAQ (For people using ESAPI)
Audience: Technical people using ESAPI
Purpose: To provide 'quick hit' information about how to use ESAPI, and how to add ESAPI to, or integrate it with, your existing security controls.
Outline:
- How to use it the first time
- Common usage issues
- Common extension questions
- Getting Started Guide
Audience: Developers new to ESAPI
Purpose: Explain to these developers how to start immediately using ESAPI
- Overview of ESAPI
- How to download, install, get dependencies
- Where is all the documentation/javadoc
- Where/what is the Swingset, and where are the coding examples
- List of the top 5 quick hits you can achieve with ESAPI
- Concrete examples of how to accomplish each of these 5 things, with problem descriptions, example problem code, and example code that addresses the problem
- How to Secure an Existing Application with ESAPI
Purpose: Explain to developers how to address most of the common security problems in an existing application using ESAPI
- Similar to the previous document, except it covers all major areas where ESAPI provides controls, not just the top 5.
- How to Use ESAPI in a New Application
Audience: Developers
Purpose: Provide application architecture guidance on how to build your applications in a manner that facilitates the use of ESAPI. This should make ESAPI easier to use and make your application more secure, easier to analyze, and easier to maintain.
Assumption: An ESAPI that works in the developers' environment is already available (either the reference implementation or a customized version).
- Architectural guidance for each control, if any, on how to best facilitate the use of ESAPI in your application
- e.g., use of DAOs, application organizational considerations with respect to access control, etc.
- How to Create a Custom ESAPI for Your Organization
Audience: Organizations and developers that want to use ESAPI
Purpose: How to extend or customize ESAPI for your organization or project
- Overview of related controls, and how dependent on or independent of the rest of the API each one is
- For each control:
- Expectations for 'as is' use, extension, replacement of this control
- How to extend this control
- How to replace this control
- Revamp the ESAPI Website
- How the ESAPI will be updated and released
- CWEs addressed by ESAPI (CWE_ESAPI) - Assigned to Steve Christey
- Features List
- ESAPI Architecture/Design Guideline
- Assurance Argument (ESAPI_Assurance)