Over the last several years many analysts, including Gartner, have identified application security as the area presenting the most significant risk to companies with internet-facing applications. As a result, a number of best practices have emerged, ranging from secure coding practices and developer training from organizations such as Microsoft to change-management-driven black-box testing. However, one area of application security where I see developers and security teams consistently struggle, and often introduce significant vulnerabilities, is the development of their own security controls.
Even with extensive security training, security controls are very difficult to get right. They require a thorough understanding of potential attacks as well as implementation skill. Furthermore, a lot can go wrong: failure to perform output encoding, weak hashes and a lack of access control, just to name a few areas.
As shown in the diagram above, these libraries, the OWASP Enterprise Security API (ESAPI), cover a wide range of security issues. They are a standard, high-quality and well-tested set of security controls that developers should take advantage of. ESAPI is available for a wide range of development environments, including Microsoft .NET, J2EE and PHP, and can be an important foundation for an application security program.
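To make the output-encoding failure mode concrete, here is an added Python example (not ESAPI's own code, and not from the original post) that contrasts a typical hand-rolled HTML encoder with an allowlist encoder modelled on ESAPI's approach of encoding every non-alphanumeric character. The sample strings and the `breaks_attribute` check are constructed for illustration; the allowlist here is deliberately stricter than ESAPI's own.

```python
import re
from typing import Callable, Dict

# Constructed sample inputs: the kinds of untrusted strings an application
# renders into HTML (names, comments, search terms).
SAMPLES = [
    'Tom & Jerry <3',
    "O'Reilly",
    '" title="x',
]

def naive_html_encode(s: str) -> str:
    """A typical home-grown encoder: it handles the three characters the
    developer thought of (element content) and nothing else."""
    return s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')

_SAFE = re.compile(r'[A-Za-z0-9]')

def encode_for_html(s: str) -> str:
    """Allowlist encoder in the style of ESAPI's encodeForHTML: every
    character that is not alphanumeric becomes a numeric entity, so the
    output is inert in element content and in quoted attributes alike."""
    return ''.join(c if _SAFE.match(c) else f'&#x{ord(c):x};' for c in s)

def encode_for_javascript(s: str) -> str:
    """Allowlist encoder for a JavaScript string-literal context (the
    same idea as ESAPI's encodeForJavaScript): non-alphanumerics become
    \\xHH or \\uHHHH escapes instead of raw quotes or backslashes."""
    out = []
    for c in s:
        if _SAFE.match(c):
            out.append(c)
        elif ord(c) < 256:
            out.append(f'\\x{ord(c):02x}')
        else:
            out.append(f'\\u{ord(c):04x}')
    return ''.join(out)

def breaks_attribute(encoded: str) -> bool:
    """True if an encoded value could still close a quoted attribute or
    start a new one: it contains a raw quote, or whitespace then '='."""
    return ('"' in encoded or "'" in encoded
            or re.search(r'\s\S*=', encoded) is not None)

def audit(encoder: Callable[[str], str]) -> Dict[str, bool]:
    """Run an encoder over the samples; True marks an unsafe output."""
    return {s: breaks_attribute(encoder(s)) for s in SAMPLES}
```

The naive encoder passes the first sample and silently fails the third, which is exactly the kind of gap a reviewed, shared library is meant to close.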