ESAPI Roadmap

From OWASP
Revision as of 14:52, 23 November 2010 by Chris Schmidt (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

ESAPI 2.1

  • Remove JavaEncryptor as singleton (required so we can use persistent asymmetric key pairs and create dsigs that persist across a JVM instance).
  • Add simpler means to use different cipher algorithms and/or key sizes. (Requires a major kludge today, which is not really thread-safe.
  • Support for persist asymmetric key pairs in either Java or PKCS#12 key stores.
  • Separate out crypto properties from rest of ESAPI.propertie. (i.e., Google Issue #48).
  • Componentization
    • Create ESAPI-Core project
      • Deprecate the HttpUtilities interface and break up into logical utility classes
      • Break interfaces out from the rest of the RI code to be considered *core*
      • Redesign of the Locator to act more as a Service Registry and true Service Locator
      • Redesign of the ESAPI Configuration (Issue 93 and Issue 86)
      • Design and implement component registration into Service Registry
    • Break Reference Implementations into Components
      • ESAPI-Logger-Log4J, ESAPI-Logger-Apache, ESAPI-Crypto-JavaEncryptor, ESAPI-IDS-AppSensor, etc.

ESAPI 3.0

  • Add support for / integration with some key management system.

Future Plans

  • Crypto
    • Provide tamper-evident logging using cryptographic primitives
    • File-based encryption
  • Internationalization
  • Documentation
    • Guide to fixing specific vulnerabilities with ESAPI
    • How to integrate into existing app
    • Threat Model for each control (assumptions and coverage)