| layout | title | tags | project | level | type |
|---|---|---|---|---|---|
| col-sidebar | OWASP Enterprise Security API (ESAPI) | esapi | true | 3 | code |
ESAPI (The OWASP Enterprise Security API) is a free, open source web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications, and they also serve as a solid foundation for new development.
Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:
- There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control.
- There is a reference implementation for each security control. The logic is neither organization-specific nor application-specific. An example: string-based input validation. (Note that some of the reference implementations are simply "toy" examples to illustrate how to implement a specific interface, e.g. ESAPI for Java's `org.owasp.esapi.reference.FileBasedAuthenticator`, whereas others are full-fledged, enterprise-ready reference implementations, e.g. `org.owasp.esapi.reference.DefaultEncoder` or `org.owasp.esapi.reference.DefaultValidator`.)
- There are, optionally, your own implementations for each security control. These classes may contain application logic and may be developed by or for your organization. An example: enterprise authentication.
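The three-layer design above (interface, reference implementation, optional organization-specific implementation) is easiest to see in code that depends only on the interfaces. The following added example is not part of the ESAPI project; it is written against the ESAPI for Java 2.x API (`org.owasp.esapi.Validator`, `org.owasp.esapi.Encoder`, the `ESAPI` locator class and `ValidationException`) and assumes `ESAPI.properties` and `validation.properties` are on the classpath. The package name `example`, the class `ProfileHandler` and the sample inputs are assumptions made for the illustration.

```java
package example; // hypothetical package, not part of ESAPI

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.ValidationException;

/**
 * Illustrative handler (not ESAPI code) that depends on the Validator and
 * Encoder interfaces only. Which implementation backs them is decided by
 * ESAPI.properties, not by this class.
 */
public final class ProfileHandler {

    /** Result of handling a request: either a safe HTML fragment or a user-facing error. */
    public static final class Outcome {
        public final boolean ok;
        public final String body;
        Outcome(boolean ok, String body) { this.ok = ok; this.body = body; }
    }

    private final Validator validator;
    private final Encoder encoder;

    /** Locator-style construction: ESAPI.validator()/ESAPI.encoder() return the configured classes. */
    public ProfileHandler() {
        this(ESAPI.validator(), ESAPI.encoder());
    }

    /** Interface-based construction: an organization's own implementation can be injected here. */
    public ProfileHandler(Validator validator, Encoder encoder) {
        this.validator = validator;
        this.encoder = encoder;
    }

    /**
     * Validates two untrusted request parameters and renders them as HTML.
     * "Email" and "SafeString" name the Validator.Email and Validator.SafeString
     * patterns shipped in the default ESAPI configuration.
     */
    public Outcome handle(String rawEmail, String rawDisplayName) {
        try {
            // Positive (allow-list) validation; anything that does not match the pattern is rejected.
            String email = validator.getValidInput("profile email", rawEmail, "Email", 254, false);
            String name = validator.getValidInput("profile name", rawDisplayName, "SafeString", 50, false);

            // Output encoding chosen per context: attribute value vs. element body.
            String html = "<a href=\"mailto:" + encoder.encodeForHTMLAttribute(email) + "\">"
                        + encoder.encodeForHTML(name) + "</a>";
            return new Outcome(true, html);
        } catch (ValidationException e) {
            // getUserMessage() is intended for the user; getLogMessage() carries the detail for logs.
            return new Outcome(false, e.getUserMessage());
        }
    }

    public static void main(String[] args) {
        ProfileHandler handler = new ProfileHandler();
        // Constructed sample inputs; the second display name fails SafeString validation.
        System.out.println(handler.handle("alice@example.org", "Alice Smith").body);
        System.out.println(handler.handle("alice@example.org", "<script>alert(1)</script>").body);
    }
}
```

Swapping the reference implementation for your own does not touch `ProfileHandler`: the `ESAPI.Validator` and `ESAPI.Encoder` keys in `ESAPI.properties` name the classes that `ESAPI.validator()` and `ESAPI.encoder()` return, so an organization-specific class that implements the same interface is selected by configuration alone.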