Where is the ESAPI documentation located?
I'm interested in ESAPI to use in a production environment.
Is there any official documentation on how to setup properly a web application, and if so, where?
Answer
ESAPI has good intentions, it is referenced de facto in OWASP Top 10 issues.
However its main development is not really active. The library is provided as is.
There are two Java libraries depending on the versions:
- OWASP Enterprise Security API for Java: version >= 3.x
- Maintained by one contributor (Chris Schmidt), last code commit (as of today) was on Nov 20, 2013.
- Enterprise Security API for Java (Legacy): version <= 2.x
- Maintained by at least 3 contributors, last code commit (as of today) was on May 30, 2015.
There is a wish to have documentation (https://www.owasp.org/index.php/ESAPI_Documentation), especially: How to Use ESAPI in a New Application.
But currently, it is really light...
As of March 2014 the project was downgraded away from flagship status (http://off-the-wall-security.blogspot.fr/2014/03/esapi-no-longer-owasp-flagship-project.html). (credits to avgvstvs)
If you still want to learn ESAPI, the best you can have currently:
- The ESAPI swing set, a "web application which demonstrates the many uses of the ESAPI" (https://www.owasp.org/index.php/ESAPI_Swingset)
- The tests of the legacy version (https://github.com/ESAPI/esapi-java-legacy/tree/master/src/test/java/org/owasp/esapi).
- The wiki of the legacy version (https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API)
- The mailing list archives (http://lists.owasp.org/pipermail/esapi-dev/)
The README on the new version annonce new stuff to come:
2 Sept 2014 - We are gearing up to get some great stuff done at AppSecUSA in Denver this month. We'll be announcing our schedule and where we'll be at the conference soon! Stay tuned!
Maybe the doc will arrive one day...