This document discusses the OWASP ESAPI project, a security API that aims to simplify application security for developers. It provides an overview of ESAPI, including that it contains over 120 security methods and interfaces and was first released in 2010. The document also notes that developers should customize ESAPI to match their own organization and that canonicalization and encoding features are mature, while data validation could be improved.

1. ESAPI

2.  Jeff Williams, Project Mgr - OWASP ESAPI
 Founder and CEO of Aspect Security
 25 years experience
 Top 10, Webgoat proj
About the author

3.  Issues! when security implementation is in
developers hand.
 Reinventing the wheel
 Complexity of Application Security for
developers
 Simplify application security for developers.
Why ESAPI ?

4.  Security API
 Exhaustive list of security controls
 Web application or web service
project
 120 methods and interfaces
 First J2ee version realised Aug 2010
What is ESAPI ?

5. Footprints

6. J2ee ESAPI
Libraries

7. Libraries barrowed !!

9. Packages

10. Create a security API that matches YOUR enterprise
Create a custom ESAPI for your organization.
It works best when ..

11. Canonicalization feature is handy
Encoding module is very mature.
Data validation response can be improved by spring validation framework
HTTP header and cookie validations are good
Client side JavaScript ESAPI is not part of this module.
Not sure if Owasp CSRFguard and CSRF module in ESAPI is same or not
My observation..

12. 1. Add esapi.jar file to lib
2. Create a custom ESAPI for your organization.
2 Step Setup..

13. Data-validation..
Review.jsp
Review.jsp
Validation.properties

14. Encoding..
Review.jsp
Review.jsp

15. Gap between suggestion and execution
Learning .. ..

16. eND..