Difference between revisions of "ESAPI Roadmap"

From OWASP
m (Q4 2009)
m (Other Improvements)
Line 21: Line 21:
 
* File-based encryption
 
* File-based encryption
  
== Other Improvements ==
+
== Future Plans ==
  
 
* Internationalization
 
* Internationalization
* ESAPI Scala Edition
 
* ESAPI PHP Edition
 
* ESAPI .NET Edition
 
 
 
* Documentation
 
* Documentation
 
** Guide to fixing specific vulnerabilities with ESAPI
 
** Guide to fixing specific vulnerabilities with ESAPI
 
** How to integrate into existing app
 
** How to integrate into existing app
** Marketing pages to "sell" ESAPI
 
 
** Threat Model for each control (assumptions and coverage)
 
** Threat Model for each control (assumptions and coverage)
 
* Filter to do intrusion detection and/or virtual patching (WAF?)
 
* Real example Struts application showing before and after security problems
 
* Easy and efficient dev environment and install w/ clear documentation
 
* Framework layer integration features (bridges?)
 
* Threat Model - SRA of encryption implementation
 
* Separate "day-to-day" calls from "admin-like" calls
 
  
 
__NOTOC__
 
__NOTOC__
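Review bot: renaming "== Other Improvements ==" to "== Future Plans ==" leaves the page with two sections of the same title, since the rendered revision below already lists "Provide tamper-evident logging using cryptographic primitives" and "File-based encryption" under a "Future Plans" heading and this renamed section follows it directly; either fold the Internationalization and Documentation items into that existing "Future Plans" list or keep a distinct heading for them.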

Revision as of 14:30, 23 November 2010

Priorities

Focus on the project charter; volunteers get to work on what they want.


ESAPI 2.1

  • Remove JavaEncryptor as a singleton (required so that persistent asymmetric key pairs can be used and digital signatures created that remain verifiable across JVM instances).
  • Add a simpler means of using different cipher algorithms and/or key sizes. (Today this requires a major kludge, which is not really thread-safe.)
  • Support for persistent asymmetric key pairs in either Java or PKCS#12 key stores.
  • Separate the crypto properties from the rest of ESAPI.properties (i.e., Google Issue #48).
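The point behind the first and third items is that a signature is only useful beyond the lifetime of one JVM if the key pair that produced it outlives the JVM too. The following is an added illustration, not ESAPI's own code: it loads an RSA key pair from a PKCS#12 store when one is present, falls back to an ephemeral key pair otherwise, and verifies the signature written by the previous run. With the store in place the old signature verifies; with an ephemeral key it does not. The file names, alias and password are assumptions chosen for the demo.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/**
 * Illustrative example (not ESAPI code, Java 11+): signatures stay verifiable across
 * JVM restarts only when the key pair is loaded from a persistent store.
 *
 * The PKCS#12 store (hypothetical name/alias/password) is created once with keytool:
 *   keytool -genkeypair -keyalg RSA -keysize 2048 -storetype PKCS12 \
 *     -keystore esapi-signing.p12 -alias esapi-sign -dname CN=esapi-demo \
 *     -storepass changeit -keypass changeit
 * Run the program twice: the second run checks the signature the first run wrote.
 */
public class PersistentSigningKeyDemo {
    static final Path KEYSTORE = Path.of("esapi-signing.p12");   // hypothetical
    static final String ALIAS = "esapi-sign";                      // hypothetical
    static final char[] PASSWORD = "changeit".toCharArray();       // hypothetical
    static final Path SIG_FILE = Path.of("last-signature.b64");    // hypothetical
    // Constructed sample payload to sign.
    static final byte[] MESSAGE = "order=42;amount=100".getBytes(StandardCharsets.UTF_8);

    /** Loads the key pair from the PKCS#12 store if present, otherwise generates a throw-away pair. */
    static KeyPair loadOrGenerate() throws GeneralSecurityException, IOException {
        if (Files.exists(KEYSTORE)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(KEYSTORE.toFile())) {
                ks.load(in, PASSWORD);
            }
            PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, PASSWORD);
            PublicKey pub = ks.getCertificate(ALIAS).getPublicKey();
            System.out.println("Loaded persistent key pair from " + KEYSTORE);
            return new KeyPair(pub, priv);
        }
        // Ephemeral pair: this is what a fresh in-memory singleton gives you; it dies with the JVM.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        System.out.println("No keystore found: using an ephemeral key pair (lost at JVM exit)");
        return kpg.generateKeyPair();
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = loadOrGenerate();

        // 1. Check the signature left behind by a previous JVM instance, if there is one.
        if (Files.exists(SIG_FILE)) {
            byte[] previous = Base64.getDecoder().decode(Files.readString(SIG_FILE).trim());
            System.out.println("Signature from previous run verifies: "
                    + verify(kp.getPublic(), MESSAGE, previous));
        }

        // 2. Sign in this instance and persist the signature for the next run.
        byte[] sig = sign(kp.getPrivate(), MESSAGE);
        Files.writeString(SIG_FILE, Base64.getEncoder().encodeToString(sig));
        System.out.println("Signature from this run verifies: " + verify(kp.getPublic(), MESSAGE, sig));
    }
}
```

The same structure applies to the second roadmap item: once the key pair and the algorithm name ("SHA256withRSA" here) come from configuration rather than from a hard-wired singleton, switching algorithm or key size is a matter of regenerating the store entry and changing one property, with no shared mutable state to make thread-safe.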


ESAPI 3.0

  • Add support for / integration with some key management system.

Future Plans

  • Provide tamper-evident logging using cryptographic primitives
  • File-based encryption
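"Tamper-evident logging using cryptographic primitives" usually means chaining each log record to its predecessor with a keyed MAC, so that editing or reordering an earlier record invalidates every tag after it. The block below is an added example, not ESAPI's implementation, and assumes a demo HMAC key and constructed audit lines. It also shows the one case a bare chain cannot catch on its own, deletion of the most recent records, and how anchoring the head tag outside the log closes that gap.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative HMAC hash-chained log (not ESAPI code, Java 17+ for the record type). */
public class TamperEvidentLog {
    // Hypothetical key for the demo; in practice it comes from the key store, never from source.
    private static final byte[] KEY = "demo-log-key-not-for-production".getBytes(StandardCharsets.UTF_8);
    private static final byte[] GENESIS = new byte[32];   // tag_0: all zeros

    /** One log line plus its chained tag. */
    record Entry(String line, byte[] tag) {}

    /** tag_i = HMAC-SHA256(key, tag_{i-1} || line_i) */
    private static byte[] chainTag(byte[] previousTag, String line) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        mac.update(previousTag);
        mac.update(line.getBytes(StandardCharsets.UTF_8));
        return mac.doFinal();
    }

    /** Appends each line with its tag; the tag of the last entry is the chain head. */
    static List<Entry> buildChain(List<String> lines) throws GeneralSecurityException {
        List<Entry> chain = new ArrayList<>();
        byte[] prev = GENESIS;
        for (String line : lines) {
            byte[] tag = chainTag(prev, line);
            chain.add(new Entry(line, tag));
            prev = tag;
        }
        return chain;
    }

    /** Index of the first entry whose tag does not match its predecessor and content, or -1 if intact. */
    static int firstBrokenIndex(List<Entry> chain) throws GeneralSecurityException {
        byte[] prev = GENESIS;
        for (int i = 0; i < chain.size(); i++) {
            Entry e = chain.get(i);
            byte[] expected = chainTag(prev, e.line());
            if (!MessageDigest.isEqual(expected, e.tag())) return i;   // constant-time compare
            prev = e.tag();
        }
        return -1;
    }

    /** True only if the chain is internally consistent AND ends at the head tag anchored elsewhere. */
    static boolean matchesAnchoredHead(List<Entry> chain, byte[] anchoredHead) throws GeneralSecurityException {
        if (firstBrokenIndex(chain) != -1 || chain.isEmpty()) return false;
        return MessageDigest.isEqual(chain.get(chain.size() - 1).tag(), anchoredHead);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample audit lines.
        List<String> lines = List.of(
            "2010-11-23T14:30:01Z user=alice action=login result=ok",
            "2010-11-23T14:30:07Z user=alice action=transfer amount=100 result=ok",
            "2010-11-23T14:30:09Z user=mallory action=login result=fail");
        List<Entry> chain = buildChain(lines);
        byte[] anchoredHead = chain.get(chain.size() - 1).tag();   // e.g. written to a separate store or signed
        System.out.println("Intact chain, first broken index: " + firstBrokenIndex(chain));

        // Tampering 1: change the amount in the second record without recomputing tags.
        List<Entry> edited = new ArrayList<>(chain);
        Entry e1 = edited.get(1);
        edited.set(1, new Entry(e1.line().replace("amount=100", "amount=1"), e1.tag()));
        System.out.println("Edited record 1, first broken index: " + firstBrokenIndex(edited));

        // Tampering 2: drop the failed-login record at the tail. The chain alone stays consistent,
        // so only the anchored head tag reveals the truncation.
        List<Entry> truncated = new ArrayList<>(chain.subList(0, 2));
        System.out.println("Truncated tail, first broken index: " + firstBrokenIndex(truncated));
        System.out.println("Truncated tail matches anchored head: " + matchesAnchoredHead(truncated, anchoredHead));
    }
}
```

Whoever holds the HMAC key can rewrite the whole chain, so the key belongs in the same protected store as other secrets, and the head tag should be written somewhere the log writer cannot silently overwrite (a separate host, or signed with a key the log process does not hold).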

Future Plans

  • Internationalization
  • Documentation
    • Guide to fixing specific vulnerabilities with ESAPI
    • How to integrate into existing app
    • Threat Model for each control (assumptions and coverage)