Comments on Off-the-Wall Security: ESAPI No Longer an OWASP Flagship Project

Kevin W. Wall, 2014-04-07 00:38 (-04:00):
Let us hope that Force.com and ColdFusion versions of ESAPI do not use the badly broken ESAPI 1.4 interfaces and configuration for their crypto. (Assuming they even support crypto; I've honestly never looked at those implementations so I can't say.) If so, they might be worse off in some manner.

Kevin W. Wall, 2014-04-07 00:36 (-04:00):
IMO, CVE-2013-5960 is not as bad as NIST made it sound. I tried to tell them that this is only an issue if someone is using some non-default, seriously weakened properties as to what cipher modes are allowed. If you are using the defaults, this should not be a problem unless someone is able to get you to change them by some social engineering. OTOH, I'm not saying that is an issue, but rather IMO NIST way over-estimated the CVSSv2 score. IIRC, the one that I originally submitted to them came out to something like 4.7 or so. They changed it without telling me and then never responded when I tried to explain why it should be lower. Whatever!

As far as SecureRandom as a singleton, and/or not being reseeded, yes that is potentially an issue, but not nearly as major as it is made to sound. If you are calling SecureRandom a few quintillion times or so, perhaps, but I suspect that most applications get restarted long before that becomes an issue.

Jim Manico, 2014-04-06 18:37 (-04:00):
Luckily, Force.com and ColdFusion do not use the ESAPI for Java *default implementation*; they just use the interface. If they used the Java implementation, ESAPI would cause mass insecurity as described above across all of those ecosystems.

Jim Manico, 2014-04-06 18:35 (-04:00):
I agree, the concept and much of the implementation of ESAPI is excellent. But there are critical security bugs within. The crypto still has a major outstanding issue, CVE-2013-5960, and the random number generation is broken since it uses the same instance of SecureRandom as a singleton. So for the 5000 companies using ESAPI-Java for crypto, random number generation or CSRF protection, you are not getting the protection you think you are getting. Ouch!

jwilliams, 2014-03-29 23:02 (-04:00):
Kevin, thanks for writing up the facts so clearly and accurately. I deeply appreciate all the hard work that you have put into the project over the past years. With over 5000 companies currently using ESAPI, and getting it included in Adobe ColdFusion and Force.com, ESAPI has influenced a lot of developers and has done a lot of good.

Anonymous, 2014-03-29 08:41 (-04:00):
I completely agree, and kudos to you Kevin for taking this position.