ESAPI = Enterprise Security API
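Below is the description from OWASP. Put simply, ESAPI is a set of APIs designed for writing more secure code; developers can call them directly, which makes writing secure code easier. It is open source and is available in both Java and .NET versions.
Code download: http://code.google.com/p/owasp-esapi-java/
ESAPI introductory PPT: http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt
The figure below shows how the provided APIs cover the 10 security issues listed by OWASP:
--------------------------------------------------------- From OWASP --------------------------------------------------------------------------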

What is ESAPI?
The ESAPI is a free and open collection of all the security methods that a developer needs to build a secure web application. You can just use the interfaces and build your own implementation using your company's infrastructure. Or, you can use the reference implementation as a starting point. In concept, the API is language independent. However, the first deliverables from the project are a Java API and a Java reference implementation. Efforts to build ESAPI in .NET and PHP are already underway.

Why ESAPI?
Unfortunately, the available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc...) simply do not provide enough protection. This leaves developers with responsibility for designing and building security mechanisms. This reinventing the wheel for every application leads to wasted time and massive security holes.
The cost savings through reduced development time, and the increased security due to using heavily analyzed and carefully designed security methods provide developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques. This API is designed to automatically take care of many aspects of application security, making these issues invisible to the developers.

Where did ESAPI come from?
The OWASP ESAPI project is led by Jeff Williams, who serves as the volunteer chair of OWASP and is the CEO of Aspect Security. Jeff is a software developer who has specialized in application security since 1995. The ESAPI is the result of over a decade of code review and penetration testing of critical enterprise applications. If you'd like to volunteer to help on the project, you can contact him at jeff.williams@owasp.org.
More information about the ESAPI can be found in the ESAPI PowerPoint presentation.

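Author: CoderZh
WeChat official account: hacker-thinking (一个程序员的思考, "A Programmer's Thoughts")
Independent blog: http://blog.coderzh.com
The cnblogs blog will no longer be updated; please follow my WeChat official account or my independent blog.
As a programmer, I think about every line of code in a program, every detail of life, and every possibility in life.
Copyright of this article belongs to the author. Reposting is welcome, but unless the author agrees otherwise, this notice must be retained and a link to the original must be given in a prominent position on the article page; otherwise the right to pursue legal liability is reserved.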