Hi folks, I was just taking a look at the ESAPI for Java. Documentation seems to be a bit sparse, so I am wondering what exactly do I get for free out-of-the-box with the package? How can this package enhance my security straight away?
All I can see that is gives me out-of-the-box is the ability to (a) do canonicalization and (b) encode and decode values - which is available in from Encoder interface. So this will allow me to do this like:
But the rest of the API just seems to be a framework for white-list validation that doesn't provide me anything out-of-the-box. So for example you can validate parameter values from a request using something like this:But this requires that you have set up the validation rule in a properties file like follows:So it doesn't give me anything out-of-the-box from the perspective of just being able to plug this API in and it will do something to protect me straight away.
Any ideas or throughts on whether my understanding of what I get out-of-the-box is correct? At the moment, from the perspective of introducing a third-party API into my Application, I am struggling to see the major benefits.
ESAPI provides other functionality such as secure encryption, logging, and much more.
ESAPI is a library not a product, so you have to implement it and plug it as part of your application, that is, you have to call the appropriate classes and methods to secure your app, it does nothing by itself.
Maybe one benefit out of the box could be the ESAPI WAF, included in ESAPI. You only have to add the WAF filter to your web.config and do some changes to waf-policy file, it has some predefined rules to add httponly attributes to cookies and that stuff.
Anyway, the real benefit is you have a library with proven secure components that you can use to secure your application right away, no need for further coding and testing. You can see how to implement ESAPI with ESAPI Swingset, this is an application that have examples of both unprotected and protected implementation of the different controls on ESAPI, which serves as a self documentation for ESAPI