Difference between revisions of "ESAPI Roadmap"

From OWASP
Jump to: navigation, search
 
(16 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== Priorities ==  
+
== ESAPI 2.1 ==
  
Focus on project charter...
+
* Remove JavaEncryptor as singleton (required so we can use persistent asymmetric key pairs and create dsigs that persist across a JVM instance).
 +
* Add simpler means to use different cipher algorithms and/or key sizes. (Requires a major kludge today, which is not really thread-safe.
 +
* Support for persist asymmetric key pairs in either Java or PKCS#12 key stores.
 +
* Separate out crypto properties from rest of ESAPI.propertie. (i.e., Google Issue #48).
 +
* Componentization
 +
** Create ESAPI-Core project
 +
*** Deprecate the HttpUtilities interface and break up into logical utility classes
 +
*** Break interfaces out from the rest of the RI code to be considered *core*
 +
*** Redesign of the Locator to act more as a Service Registry and true Service Locator
 +
*** Redesign of the ESAPI Configuration ([https://code.google.com/p/owasp-esapi-java/issues/detail?id=93 Issue 93] and [https://code.google.com/p/owasp-esapi-java/issues/detail?id=86 Issue 86])
 +
*** Design and implement component registration into Service Registry
 +
** Break Reference Implementations into Components
 +
*** ESAPI-Logger-Log4J, ESAPI-Logger-Apache, ESAPI-Crypto-JavaEncryptor, ESAPI-IDS-AppSensor, etc.
 +
 +
== ESAPI 3.0 ==
  
* Rewrite to allow for arbitrary validators
+
* Add support for / integration with some key management system.
* Fix Javascript encoding
+
 
 +
== Future Plans ==
 +
 
 +
* Crypto
 +
** Provide tamper-evident logging using cryptographic primitives
 +
** File-based encryption
 
* Internationalization
 
* Internationalization
* ESAPI Scala Edition
 
* ESAPI PHP Edition
 
* ESAPI .NET Edition
 
 
 
* Documentation
 
* Documentation
** Easy application remediation Guide
+
** Guide to fixing specific vulnerabilities with ESAPI
 
** How to integrate into existing app
 
** How to integrate into existing app
** Marketing pages to "sell" ESAPI
+
** Threat Model for each control (assumptions and coverage)
 
+
* Intrusion detection
+
* Filters
+
* Real example Struts application showing before and after security problems
+
* Easy and efficient dev environment and install w/ clear documentation
+
* PILOT
+
* Framework layer integration features (bridges?)
+
* Threat Model - SRA of encryption implementation
+
* Threat Model for each control (assumptions and coverage)
+
* Separate "day-to-day" calls from "admin-like" calls
+
 
+
 
+
== Q4 2008 ==
+
 
+
*
+
 
+
* Documentation
+
** Get Javadoc back online
+
 
+
== Q1 2009 ==
+
 
+
* Stabilize the API
+
** Access control 2.0
+
** Validation 2.0
+
** Logging 2.0
+
** Crypto 2.0
+
 
+
* Documentation
+
** Getting started guide
+
** How ESAPI makes you secure
+
** Executive overview
+
 
+
== Q2 2009 ==
+
 
+
* CSRF protection
+
 
+
 
+
== Q3 2009 ==
+
  
== Q4 2009 ==
+
__NOTOC__

Latest revision as of 14:52, 23 November 2010

ESAPI 2.1

  • Remove JavaEncryptor as singleton (required so we can use persistent asymmetric key pairs and create dsigs that persist across a JVM instance).
  • Add simpler means to use different cipher algorithms and/or key sizes. (Requires a major kludge today, which is not really thread-safe.
  • Support for persist asymmetric key pairs in either Java or PKCS#12 key stores.
  • Separate out crypto properties from rest of ESAPI.propertie. (i.e., Google Issue #48).
  • Componentization
    • Create ESAPI-Core project
      • Deprecate the HttpUtilities interface and break up into logical utility classes
      • Break interfaces out from the rest of the RI code to be considered *core*
      • Redesign of the Locator to act more as a Service Registry and true Service Locator
      • Redesign of the ESAPI Configuration (Issue 93 and Issue 86)
      • Design and implement component registration into Service Registry
    • Break Reference Implementations into Components
      • ESAPI-Logger-Log4J, ESAPI-Logger-Apache, ESAPI-Crypto-JavaEncryptor, ESAPI-IDS-AppSensor, etc.

ESAPI 3.0

  • Add support for / integration with some key management system.

Future Plans

  • Crypto
    • Provide tamper-evident logging using cryptographic primitives
    • File-based encryption
  • Internationalization
  • Documentation
    • Guide to fixing specific vulnerabilities with ESAPI
    • How to integrate into existing app
    • Threat Model for each control (assumptions and coverage)