[Esapi-dev] [OWASP-ESAPI] Vulnerability alerts ....

Rob Spremulli rob.spremulli at gmail.com
Tue Jan 26 15:31:39 EST 2010


Not to make this more complicated, but as of a few short months ago, 1.4.0
was the most recent stable version of ESAPI.  Jump ahead to today, and 1.4.3
was just recently released.

Is a point release like this going to have functionality or fixes?  i.e.,
would the release of 1.4.3 be a notification such that I would need to
consume this point release, (Bernie, correct this part if I'm wrong) within
a specified timeframe, in order to maintain PA-DSS compliance?  If the
timeframe part is correct, this means major changes breaking integration
shouldn't be introduced in a point release.

On Mon, Jan 25, 2010 at 7:47 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Jim++, let's take this to the board. Nice, Kevin.
>
> - Jim
>
>
> Chris++
>
> On Mon, Jan 25, 2010 at 5:35 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>
>> Jim Manico wrote:
>> > Bernie,
>> >
>> > We are discussing this now - I do not have an ETA, but we are taking
>> > your request very seriously.
>> >
>> > I am tracking this critical task here:
>> > http://code.google.com/p/owasp-esapi-java/issues/detail?id=98
>> >
>> > It's my personal opinion that we would be irresponsible NOT to create a
>> > security-alert specific list - and soon.
>> >
>> > However, in the meantime, if we discover any critical issues we will
>> > email ESAPI-users immediately.
>>
>> Good thing OWASP doesn't have to report vulnerability alerts for
>> WebGoat. That would be like giving away all the answers. :)
>>
>> Seriously, hasn't something like this come up before, say with the
>> AntiSamy projects? Why reinvent the wheel each time?  I'm thinking perhaps
>> just one OWASP-announcements or OWASP-secalerts for *all* the
>> OWASP projects. This is bound to come up in other OWASP projects that
>> involve code even if it hasn't already. I think even if this
>> were done OWASP-wide, it would be low enough volume list that people
>> wouldn't mind. And while I can't speak for others, I personally would much
>> rather monitor a *single* mailing list than a half dozen. That's one
>> reason why sites such as Bugtraq and Secunia are successful.
>>
>> -kevin
>> --
>> Kevin W. Wall
>> "The most likely way for the world to be destroyed, most experts agree,
>> is by accident. That's where we come in; we're computer professionals.
>> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
>> _______________________________________________
>>  Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>
>
>
>
> --
> -- Chris
>
> OWASP ESAPI Developer
> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>
> Check out OWASP ESAPI for Java
> http://code.google.com/p/owasp-esapi-java/
>
> Coming soon OWASP ESAPI for JavaScript
> http://code.google.com/p/owasp-esapi-js/
>
>
>
> --
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
>
>