Is OWASP ESAPI still the recommended way to secure JSP pages

The OWASP ESAPI is no longer considered a flagship or even an active project. Kevin Wall, the project owner for the Java implementation, himself back in 2014 conceded that the project is dying and said:

I’m not, because I can’t. I, for one, can see the writing on the wall. (Pun intended.) All of the allegations that are being made against ESAPI are spot-on:

· Only one minor point release in since July 2011.

· 164 open issues, including 4 marked Critical and 11 marked as High.

· Far too many dependencies, something that has never been addressed despite being promised for almost 3 years.

· Wiki page still in the old OWASP format.

· Minimal signs of life of for ESAPI 3.0 in GitHub and ESAPI 2.x for Java on Google Code. Zero signs of life for implementations in other programming languages. [Note: Discounting the SalesForce one as I’ve not kept track of it.]

· For ESAPI for Java, a boogered up architecture where everything is a singleton making some things such as mock-testing all but impossible. Less than 80% test code coverage, in part, because of that.

· Lack of any significant user documentation outside of the Javadoc and the ESAPI crypto documentation.

· Disappointing participation at the ESAPI Hackathon.