Java Security vs. ESAPI

8k views Asked by At

I'm a Java developer heading down the road that leads to App Security, and I've stumbled across the OWASP organization and its companion Java API, ESAPI.

In another question I asked on this site months ago, it was pointed out to me that ESAPI is a major player in the open source app sec industry.

What I'm wondering now is, I'm sure ESAPI overlaps with the built-in Java security model (rooted at javax.security.auth) in the areas of authentication/authorization, and perhaps in other areas. But are there areas of app sec that ESAPI clearly addresses that cannot be achieved if one strictly sticks with the Java security API?

Basically, I'm asking if it makes sense for me to learn ESAPI if all of its benefits/features are already covered in some existing Java API. Thanks in advance!

3

There are 3 answers

2
kosa On BEST ANSWER

AFAIK, ESAPI also using java API and adds wrapper specific to real world threats. For example WAF (web application firewall), to achieve this using Java API, you will end of writing lot of code, which was done by ESAPI and nicely wrapped in as API, so, now if you want to do WAF checks, you can just implement it with-in couple of method calls.

In simple words, ESAPI is something like wrapper library (built-in java API), which reduces re-inventing the wheel again and helps in counteracting real world security threats.

If you see this ESAPI API URL, you can easily identiyfy how ESAPI developed API to counteract each possible threat.

2
David On

I have only a passing familiarity with Java and the ESAPI, being a .NET developer. However, as a rabidly paranoid developer with an intense focus on writing secure code (because I've written some truly awful stuff) it is something I've looked at.

In my opinion, it is absolutely worthwhile to learn this. It is absolutely possible to write good code without these packages, but using these packages makes writing good code easier.

On the .NET side, we have something similar that I use - the Microsoft Patterns and Practices library. From what I understand the Java ESAPI serves a similar purpose, which is this:

It provides a set of easy-to-use methods that already use best practices under the hood, so that you don't have to worry so much about it.

For example (and this is just one tiny portion of what it takes to write secure applications), using ADO.NET and Java it's very easy to write SQL Statements by contencating user input into strings (bad) and it's also just as easy to use parameterized queries (good). Using the APIs, methods are exposed that use the good patterns under the hood. it's easier to get a new developer up to speed, and ensure that you don't get "sloppy" while enabling you to write less code.

0
Mark Gee On

One key benefit/strength of ESAPI is it's input validation and output sanitization capabilities, which, AFAIK, the Java security classes do not currently address. ESAPI is specifically targeting the web application security domain, and this is where it excels.