I don’t think that the ESAPI example should be considered to detract from the overall benefits which OWASP brings to the community but I think that people do not necessarily understand the relatively narrow base on which OWASP rests and the reliance on certain key people.
The first step to understanding RASP technologies, how they operate, and what they provide to enterprise users is to define exactly what they are protecting. The term "application" turns out to be a gray area in RASP deployments: where does an application begin and end? It obviously includes the code the developer writes, but what about the Java or .NET runtime, the web server instance itself, or the underlying infrastructure that supports the application stack? In a modern application architecture, everyone draws the line between infrastructure and application in a different place, and a RASP agent, which is loaded into the runtime rather than into the developer's code, sits right on that disputed boundary.
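To make the boundary question concrete, here is an added illustration that is not code from the original page or from any RASP product: a toy RASP-style hook in Python. The "application" (`greet`) is left exactly as a developer wrote it; the protection is installed into the runtime by replacing `os.system` in the `os` module, so it guards every caller without the application code changing. The names `install_rasp_hook`, `CommandBlocked`, `greet` and `exercise`, and the metacharacter list, are assumptions made for this example; a real RASP agent instruments far more than one function.

```python
"""Toy RASP-style hook: protection lives in the runtime, not in the app code.

Added example for illustration only (hypothetical names, not a real product).
The hook wraps os.system so that a command string carrying shell
metacharacters, typically the sign of untrusted input being concatenated into
a command, is refused before the shell ever sees it.
"""
import os
import re


class CommandBlocked(RuntimeError):
    """Raised by the hook when a command is refused."""


# Assumption: characters that let an attacker chain or substitute commands in
# a POSIX shell. A real agent would use a proper tokenizer, not a regex.
_SHELL_META = re.compile(r"[;&|`$<>\n]")

# Keep a handle on the genuine implementation so the hook can delegate to it.
_original_system = os.system


def _protected_system(cmd):
    """Drop-in replacement for os.system that refuses suspicious commands."""
    if _SHELL_META.search(cmd):
        raise CommandBlocked(f"os.system refused command: {cmd!r}")
    return _original_system(cmd)


def install_rasp_hook():
    """Patch the runtime. Nothing in the application layer is touched."""
    os.system = _protected_system


def uninstall_rasp_hook():
    """Restore the genuine os.system."""
    os.system = _original_system


# --- "developer code": the vulnerable pattern, deliberately unchanged -------
def greet(name):
    """Application code that concatenates input straight into a shell command."""
    return os.system(f"echo Hello {name}")


# --- harness -----------------------------------------------------------------
def exercise(name):
    """Call the unchanged application code under the hook and report the outcome."""
    try:
        rc = greet(name)
    except CommandBlocked:
        return "blocked"
    return "ok" if rc == 0 else f"exit {rc}"


if __name__ == "__main__":
    install_rasp_hook()
    # Constructed inputs: one benign, two carrying injection payloads.
    for user_input in ("world", "world; id", "$(id)"):
        print(f"{user_input!r}: {exercise(user_input)}")
    uninstall_rasp_hook()
```

The point of the demo is where the control sits: `greet` never learned about the hook, and neither would the web server or framework that called it. That is the layer a RASP agent occupies, below the developer's code and above the infrastructure, which is exactly why the "what is the application" question matters when deciding what such an agent is expected to cover.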