OWASP ESAPI.NET
Mar 12, 2008

Sent via OWASP ESAPI mailing list

The ESAPI.NET project is now available on Google code (http://code.google.com/p/owasp-esapi-dotnet/).

The ESAPI.NET project is an implementation of the original ESAPI code base (http://code.google.com/p/owasp-esapi-java/) in C#, using the .NET platform.

Some notes on the implementation:

1) The code uses NUnit for unit testing. Currently, all unit tests pass and there is >80% code coverage.

2) The code uses the built-in .NET documentation format. Sandcastle (http://blogs.msdn.com/sandcastle/) will be used to compile the documentation.

3) The code follows the .NET/C# coding conventions discussed here: http://www.irritatedvowel.com/Programming/Standards.aspx.

4) For unit testing purposes, the code uses the HTTP Interfaces and Duck Typing library described here: http://haacked.com/archive/2007/09/09/ihttpcontext-and-other-interfaces-for-your-duck-typing-benefit.aspx. Hopefully we can use Microsoft code in a future release, as I believe that the ASP.NET MVC framework will use similar constructs (the author of the blog above is the project manager for ASP.NET MVC).

5) In general, the code is more of a direct translation of the Java implementation than a rewrite from scratch for the .NET framework. Future work may include more .NET-specific security functionality as well as implementations leveraging existing .NET security mechanisms.

6) The code passes its unit tests, but probably has some kinks to work out based on actually applying the library to an ASP.NET application. The next step will be to build a sample ASP.NET application that uses the ESAPI features.

Please feel free to provide feedback. Thanks in advance!

Alex