8.02.2009

What is ESAPI?

I have recently gotten involved in the OWASP ESAPI Project. I am on the team of developers working on v2.0 of the API which will include updating the API to take advantage of all the features that Java5 brought to the table, increasing performance of the reference implementation and improving thread-safety throughout the entire codebase. It has thus far been a great experience and there are some very smart people behind the entire project.

So what exactly is the OWASP ESAPI?

Well, let's start with, what exactly is OWASP?

OWASP is the Open Web Application Security Project. It is a NPO made up of people from all over the world with the single goal to provide a single repository of information and tools for writing secure and reliable web applications.

The ESAPI is a small part of the overall goal of OWASP, but is a great example of what OWASP stands for and has set out to do.

ESAPI stands for Enterprise Security API - and it is just that, an API. There is a reference implementation included in the distribution that can be dropped into an startup or existing application and configured to use, but the real power of the ESAPI is that it defines a standard interface for providing secure implementations of standard API methods that are not secure.

That is a pretty broad statement but it is probably the best way to explain it. See, the ESAPI is not an application by itself, it is not even really a framework - it is a toolkit. It provides you with an API that is self documenting and provides a central set of methods for developers to access information, log data, authenticate users, and much more.

The ESAPI is distributed for Java, .Net, and there are more implementations in the works for PHP, Python, and others I am sure.

So let's have a quick overview of what the ESAPI provides to developers:

1. Authentication - Provides a good reference implementation and a well documented authentication mechanism that can be used on top of the standard J2EE Security Model (Standard User/Role mechanism)

2. Logging - Provides a central repository for logging in your application. The Java API uses either the standard Java Logging or Log4J by default, but you could implement your own logging by implementing the Logger interface.

3. Validation - Provides a powerful set of input validation classes that not only validate but also filter user input to remove the responsibility of input filtering from the hands of your application developers.

4. Encoding/Decoding - A full toolset of Encoders and Decoders including UTF-8, Base64, and much more.

5. Web Application Fireall - WAF's are easily one of the most argued about issues in the Realm of AppSec, but there are several of them out there and the ESAPI makes it easy to implement your own WAF where it makes the most sense to me, at the Application Layer. The WAF works off the same principles of most where a set of rules and reactions are defined but by keeping it in the Application Layer, this will allow your Enterprise Security Architects, or even your regular old Developers to create complex WAF rules based on logic that can be determined by the state of your application itself. This is a very powerful tool for large web applications.

These are the 5 "main" parts of the ESAPI. Now let's get to the REAL power of the ESAPI.

In a normal web application, your security constraints and controls are defined across your entire codebase, where they are used. This creates a couple of problems. The larger your application becomes, the more difficult this becomes to maintain. Developers will start coding their own solutions to security concerns as opposed to using the one that is used everyplace else simply because they may not know that the problem they are trying to solve has already been solved. So now you have 2 different ways to solve the same problem. Sound like a maintenance nightmare waiting to happen?

The biggest feature in my mind of the ESAPI is that it allows your developers to focus on writing the code that they are good at. Not everyone is a security expert, and even if they aren't they are probably really good at their job, that is why you hired them. Your security (whether it be the guy that used to hack websites for fun, or a genuine Enterprise Security Architect) can define the rules and requirements of your applications security, implement it once and your developers will know that if I want to authenticate a user I just use:


ESAPI.authenticator().login(HTTPServletRequest, HTTPServletResponse);


Sounds pretty easy right? It is!

I strongly recommend that anyone starting a new application look into the ESAPI for their application. There is a ton of information in general on Web Application Security on the OWASP site.

ESAPI Links:
ESAPI Homepage
ESAPI on Google Code
ESAPI .Net

4 comments:

  1. Hi Chris,

    I found you're article a good introduction to ESAPI ? Could I take it and translate it in French and publishing on my blog ?

    ReplyDelete
  2. Wow - I really thought google would e-mail me when someone commented on my blogs. I have been so busy with work and school lately that I haven't had a chance to get caught up and go through my blogs until today. That being said, absolutely, please, and thank you. Anything I post is absolutely welcome to be republished and/or translated as long as you credit me with the original post. Thanks for reading and I have some more good stuff coming up soon.

    ReplyDelete
  3. How to validate double byte characters using ESAPI ?

    ReplyDelete
  4. Hi , Why ESAPI is in inactive state ? Should i use it for my own new project ?

    ReplyDelete