First order of business, after a great 5 years at ServiceMagic as a Software Engineer, I have decided to take the next step in my career and accepted an offer from Aspect Security. This actually occured over a month ago, but as I said - things have been a little crazy. My new official job title is Application Security Engineer, and I will be working on a lot of really cool things at Aspect Security. I am excited to see where my new path takes me and looking forward to becoming more and more involved in Application Security.
Next order of business, OWASP and specifically ESAPI. I was recently (along with Kevin Wall) promoted to be a Project Manager of the ESAPI projects - and I have set some pretty high goals for myself with the project. Some of these goals have already been realized, however, there is still a great deal to be done. Here is a high-level overview of some of the things that I am working on right now with the ESAPI project and some things that are done -
1. ESAPI distribution in Maven Central.
You may have seen my tweets regarding ESAPI now being available from Maven Central. This was a huge step for the team and something that was desperately needed. There are a lot of large projects out there using Maven for dependency management, and with the somewhat complicated footprint of ESAPI - it was a fairly painful process to get it integrated into large projects that were using Maven (or anything else that using Maven repositories)
Now, you can integrate ESAPI into your Maven project painlessly and without having to worry about manually managing the dependencies and deploying them into your local repository.
<dependency> <groupId>org.owasp.esapi</groupId> <artifactId>esapi</artifactId> <version>2.0_RC10</version> </dependency>
Repository management has been graciously shared by Sonatype OSS.
2. Continuous Integration
I am currently working with the guys over Coveros on getting a public instance of SecureCI setup to handle our continuous integration needs. The instance will be hosted on Amazon EC2.
The idea behind this is that having continuous integration will solve 2 distinct problems with ESAPI:
- Regular Releases
Both of these topics are, IMHO, integral to the success of any open source software project of ESAPI's size. By using continuous integration we will be regularly running our full test suite against the ESAPI codebase (nightly) and making the results of those tests publicly available - thus addressing the concern of transparency. To address the concern of regular releases, the CI process will push a nightly snapshot of the ESAPI build to the Snapshot Repository on Sonatype.
3. Alignment of the API's
One other large undertaking is to get all of the various language implementations in-line as far as the API itself. The concept here is that I should be able to define a set of language agnostic tests that verify that an implementation of ESAPI conforms to the specification (which also needs to be defined in a cross-language format)
In the past, each language has implemented the ESAPI in whatever way they saw fit to do so - which worked well when ESAPI was still in it's infancy - however, as the project grows it is imperative that the interface be well defined and tests can be run against an implementation of a specific control to validate the control performs as expected. This will become increasingly important as the codebase continues to grow and users integrate the API with other frameworks and tools (Spring Security, Struts Validators, Siteminder Authentication, etc.)
4. Splitting at the seams
Another sensitive issue in the Java implementation is the footprint of the ESAPI. A great deal of implementers are using pieces and parts of ESAPI to solve specific problems, and as such there are a large amount of dependencies that are quite simply taking up space. I aim to split the ESAPI into it's core functionality that will consist of the interfaces designed to specification and what is considered to be the core functionality of the existing reference implementation - ie. Encoders, Validators, Logging, HttpUtilities.
As you can probably guess, none of these goals are small and quick to be realized and there are a lot of issues yet to be resolved in getting them implemented. I will be posting updates here as things come to fruition.
Last order of business - I was given the opportunity to present my talk on Solving Real World Problems with an ESAPI at AppSecDC last week and the reception of the talk was fantastic. I got some great feedback from people looking to use ESAPI for their clients and in their code and had some great conversations with people regarding where ESAPI is today and where it is going in the future. If you would like to see the slides (and video coming soon) of the talk - they are available from the AppSecDC Schedule Page.
That is all for now, but watch my Twitter Feed and blog for additional updates over the next several months!