开发者

Is ESAPI.NET a dead project?

I've been recently tasked with leading an effort to improve our input (and output) validation with OWAS开发者_高级运维P recommendations and PCI compliance in mind. In the process, I'm trying to assess the value of the ESAPI.NET project which does not appear to have seen any activity since the spring of '09 and as it stands is incomplete.

Does anyone have experience using or extending ESAPI.NET v0.2? Is it a good starting place today for building out an infrastructure to address the targeted vulnerabilities?

FYI: I am looking at MS AntiXSS which, of course, only addresses a portion of ESAPI's scope. We already do a good job with SQL injection though there are improvements we need to make.

(If someone wants to create an ESAPI tag, feel free. I don't have the mojo.)


Looks like there were a couple updates last week: http://code.google.com/p/owasp-esapi-dotnet/source/list

You might contact one of the project leads on that list to ask what's going on.


NOTE: 05/26/2012: the last update on that project was dec 4, 2010. Yes, it is dead.


It looks like ESAPI is dead period. There's nobody using it, there are no questions, no forums, no information, nothing. The listservs (what is this, 1996?) are barren too. The documentation is terrible and the samples in the swingset don't work (server that installs is HTTP not HTTPS, and no transactions can be made in HTTP mode).

Seems to be a dead end project.


The project itself seems dead there are however some people who maintain a github copy with several (minor?) additions...

https://github.com/haldiggs/owasp-esapi-dotnet

https://github.com/jstemerdink/owasp-esapi-dotnet

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜