Difference between revisions of "ESAPI Roadmap"


Revision as of 14:29, 23 November 2010


Focus on project charter... Volunteers get to work on what they want...


  • Remove JavaEncryptor as singleton (required so we can use persistent asymmetric key pairs and create digital signatures (dsigs) that persist across JVM instances).
  • Add simpler means to use different cipher algorithms and/or key sizes. (Requires a major kludge today, which is not really thread-safe.)
  • Support for persistent asymmetric key pairs in either Java or PKCS#12 key stores.
  • Separate out crypto properties from the rest of ESAPI.properties (i.e., Google Issue #48).
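The first and third items above share one motivation: a signature is only worth making if a later JVM instance can reload the same key pair to verify it, which an in-memory key pair held by a singleton cannot provide. The following is an added illustration, not ESAPI code. It persists an RSA pair as raw PKCS#8 and X.509 DER files (the hypothetical names `signing-key.pkcs8` and `signing-key.x509` are assumptions; the roadmap's design would use a password-protected Java or PKCS#12 keystore entry instead), signs a constructed payload, reloads the pair the way a second JVM would, and shows that the reloaded public key verifies the signature while a freshly generated pair does not.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/**
 * Added example (not ESAPI code): a signing key pair must outlive the JVM
 * that created it, otherwise signatures cannot be verified later.
 */
public class PersistentSigningKeys {

    // Hypothetical file names (assumption). A real deployment would keep the
    // private key in a password-protected Java or PKCS#12 keystore, not a
    // plain DER file readable by anyone on the host.
    private static final Path PRIV = Paths.get("signing-key.pkcs8");
    private static final Path PUB  = Paths.get("signing-key.x509");

    /** Generates a fresh RSA pair and persists both halves as DER. */
    static KeyPair createAndPersist() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Files.write(PRIV, kp.getPrivate().getEncoded()); // PKCS#8 DER
        Files.write(PUB, kp.getPublic().getEncoded());   // X.509 SubjectPublicKeyInfo DER
        return kp;
    }

    /** Reloads the persisted pair, as a second JVM instance would. */
    static KeyPair load() throws Exception {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(PRIV)));
        PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(Files.readAllBytes(PUB)));
        return new KeyPair(pub, priv);
    }

    /** Signs msg with SHA256withRSA and returns the signature Base64-encoded. */
    static String sign(PrivateKey key, String msg) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(msg.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    /** Verifies a Base64 signature over msg against the given public key. */
    static boolean verify(PublicKey key, String msg, String sigB64) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(msg.getBytes(StandardCharsets.UTF_8));
        return s.verify(Base64.getDecoder().decode(sigB64));
    }

    public static void main(String[] args) throws Exception {
        String msg = "order=42;amount=100"; // constructed sample payload

        // "JVM instance 1": create the pair, persist it, sign.
        KeyPair first = createAndPersist();
        String sig = sign(first.getPrivate(), msg);

        // "JVM instance 2": reload from disk and verify. Expected: true.
        KeyPair reloaded = load();
        System.out.println("verify with reloaded key: " + verify(reloaded.getPublic(), msg, sig));

        // What a per-JVM, in-memory pair gives you: a freshly generated pair
        // cannot verify the earlier signature. Expected: false.
        KeyPair ephemeral = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        System.out.println("verify with fresh key:    " + verify(ephemeral.getPublic(), msg, sig));
    }
}
```

Compile and run with `javac PersistentSigningKeys.java && java PersistentSigningKeys`. The second check is the failure mode the roadmap item is about: any component that regenerates its key pair per process (or per singleton initialisation) silently invalidates every signature issued before the restart.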


  • Add support for / integration with some key management system.

Q4 2009

  • Documentation - Installation Guide
  • Reference Implementation - Encryption Refactor
  • Ensure Thread-Safety
  • Resolve Fortify and FindBugs issues
  • Release ESAPI 2.0

Other Improvements

  • Internationalization
  • ESAPI Scala Edition
  • ESAPI PHP Edition
  • ESAPI .NET Edition
  • Documentation
    • Guide to fixing specific vulnerabilities with ESAPI
    • How to integrate into existing app
    • Marketing pages to "sell" ESAPI
    • Threat Model for each control (assumptions and coverage)
  • Filter to do intrusion detection and/or virtual patching (WAF?)
  • Real example Struts application showing before and after security problems
  • Easy and efficient dev environment and install w/ clear documentation
  • Framework layer integration features (bridges?)
  • Threat Model - SRA of encryption implementation
  • Separate "day-to-day" calls from "admin-like" calls