[GPC] REQUEST FOR COMMENTS/[Owasp-classic-asp-security-project PAYMENT
Paulo Coimbra
paulo.coimbra at owasp.org
Mon Mar 23 07:56:07 EDT 2009
Hello Committee,
Please see the thread below. Given Juan's explanation, I am prepared to request the project’s payment as soon as we have both Esteban’s and Andres’ positive reviews. Do you agree?
Thanks,
Paulo Coimbra,
<https://www.owasp.org/index.php/Main_Page> OWASP Project Manager
From: Juan C Calderon [mailto:johnccr at yahoo.com]
Sent: Saturday, 21 March 2009 17:52
To: paulo.coimbra at owasp.org
Cc: Global Projects Committee; Esteban Ribicic; andres at neurofuzz.com
Subject: Re: [Owasp-classic-asp-security-project] I COULD finish
I have a couple for me, but not sure how strong or valid they are
1. Notice that Beta requirements were met for 4 out of the 5 goals of the project; the only one missing was the "Common Object Repository for ASP applications based on OWASP ESAPI Project", which is alpha.
2. Maybe the fact that we proposed common object repository, but instead of just gathering objects already available on the net, I made an extra effort and implemented the whole ESAPI .NET project for Classic ASP. But I will doubt on this one.
3. At the same time of Classic ASP project I was investing effort on other OWASP projects not related to SoC, for example we will deliver the just released OWASP testing guide version 3 translation on early April and the translation started 1 month ago.
Those are the ones I can remember; hope they help.
Regards,
Juan Carlos
_____
From: Paulo Coimbra <paulo.coimbra at owasp.org>
To: Juan C Calderon <johnccr at yahoo.com>
Cc: Global Projects Committee <global-projects-committee at lists.owasp.org>; Esteban Ribicic <kisero at gmail.com>; andres at neurofuzz.com
Sent: Friday, March 20, 2009 10:36:26 AM
Subject: RE: [Owasp-classic-asp-security-project] I COULD finish
Hi Juan,
I thank your update which brought about the following – as you have stated the Classic-asp-security-project has not reached Beta quality but this had been the agreed SoC quality target, how do you see the payment question?
https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers
Given the level of commitment that you have previously shown regarding OWASP contributions, I am ready to defend that your project should be paid, but I would appreciate it if you could send me a couple of arguments to sustain my position. I thank you in advance.
Best regards,
Paulo Coimbra,
<https://www.owasp.org/index.php/Main_Page> OWASP Project Manager
From: Juan C Calderon [mailto:johnccr at yahoo.com]
Sent: Friday, 20 March 2009 00:44
To: paulo.coimbra at owasp.org; Esteban Ribicic; andres at neurofuzz.com
Cc: global_tools_and_project_committee at lists.owasp.org
Subject: Re: [Owasp-classic-asp-security-project] I COULD finish
oops sorry about that, I have updated it
_____
From: Paulo Coimbra <paulo.coimbra at owasp.org>
To: Juan C Calderon <johnccr at yahoo.com>; Esteban Ribicic <kisero at gmail.com>; andres at neurofuzz.com
Cc: global_tools_and_project_committee at lists.owasp.org
Sent: Thursday, March 19, 2009 11:42:37 AM
Subject: RE: [Owasp-classic-asp-security-project] I COULD finish
Hello Juan,
Hope you are well. I’ve seen you have kindly answered to my previous requests – thank you. Would you mind also updating this https://www.owasp.org/index.php/OWASP_Classic_ASP_Security_Project_-_Assessment_Frame link by saying whether the SoC approved deliveries were reached and stating which Quality Status has been reached? I thank you in advance.
Hello Esteban and Andres,
Could you please perform your reviews ASAP, as the deadline to complete all SoC projects was reached on 16th March? Thank you.
Regards,
Paulo Coimbra,
<https://www.owasp.org/index.php/Main_Page> OWASP Project Manager
From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
Sent: Tuesday, 17 March 2009 17:26
To: 'Juan C Calderon'; 'Esteban Ribicic'; 'andres at neurofuzz.com'
Cc: 'global_tools_and_project_committee at lists.owasp.org'; 'jeff.williams at owasp.org'
Subject: RE: [Owasp-classic-asp-security-project] I COULD finish
Importance: High
Hello Juan,
I thank your efforts to complete this project. Well done!
So as to push the Classic ASP Security Project up the ladder, would you mind uploading here https://www.owasp.org/index.php/Project_Information:template_Classic_ASP_Security_Project the set of files that you have sent off? Would you also mind filling in here https://www.owasp.org/index.php/Project_Information:template_Classic_ASP_Security_Project_-_Final_Review_-_Self_Evaluation_-_B your self-assessment? Thank you.
Hello Esteban and Andres,
Could you please perform your reviews ASAP, as the deadline to complete all SoC projects was reached yesterday? I thank you in advance.
https://www.owasp.org/index.php/Project_Information:template_Classic_ASP_Security_Project_-_Final_Review_-_First_Reviewer_-_D – Esteban,
https://www.owasp.org/index.php/Project_Information:template_Classic_ASP_Security_Project_-_Final_Review_-_Second_Reviewer_-_F – Andres.
Regards,
Paulo Coimbra,
<https://www.owasp.org/index.php/Main_Page> OWASP Project Manager
From: Juan C Calderon [mailto:johnccr at yahoo.com]
Sent: Tuesday, 17 March 2009 06:58
To: Juan C Calderon; Classic ASP Security OWASP
Cc: Jeff Williams; Paulo Coimbra; Dinis Cruz
Subject: Re: [Owasp-classic-asp-security-project] I COULD finish
Hello I did my best effort and I think I got it
ESAPI Classic ASP is fully functional and tested (as much as implementable and as much test as I could). All the classes are instantiable and working; there are still a few methods that cannot be called as they are very very .NET specific, but there are replacements for them using other methods in the same class. Also the Authenticator class is not implemented (yet instantiable), as most of the functions are related to the .NET Request object, which is never created when called from Classic ASP pages. That is why I consider this a complete version we can release to the public.
Esteban and Andres please review the implementation and provide your feedback, I am sorry the ASP page is a little bit messy, but this time I was more focused on functionality than presentation.
The installation steps are as follows:
1. You need Visual Studio 2005 or above and .NET Framework 2.0 or above to compile the .NET DLL project in the Zip file
2. Provide the password in a text file under the project folder when required
3. Save the app.config file as w3wp.exe.config under the C:\Windows\System32\inetsrv folder (for Vista) or under your IIS working process depending on your OS
4. Set up an IIS application and deploy the Default.asp page attached
5. Go to the default.asp page using your browser.
There you go you should be able to see all the magic happening by making a classic ASP call all the objects and dozens of methods of ESAPI
I am glad this finally happened. I will be pushing for it to be implemented and to get feedback on it. Also I will upload it to Google Code as soon as I get confirmation that everything is fine.
Regards.
Juan Carlos
----- Original Message ----
From: Juan C Calderon <johnccr at yahoo.com>
To: Classic ASP Security OWASP <OWASP-Classic-ASP-Security-Project at lists.owasp.org>
Cc: Jeff Williams <jeff.williams at aspectsecurity.com>; Paulo Coimbra <paulo.coimbra at owasp.org>
Sent: Monday, March 16, 2009 2:02:59 AM
Subject: [Owasp-classic-asp-security-project] I could not finish
Hello List/Paulo
Due to a sticky and annoying error related to .NET/COM interoperability and IIS I slipped and was not able to finish as planned. However the progress so far is very good
Here is the current status (notice I am also attaching the source code and Classic ASP page implementing most of the classes in ESAPI).
AccessController - 100%
AccessReferenceMap - 0% (Not working)
Authenticator - 50% (some parameters are very .NET specific and are hard to marshal)
Encoder - 100%
EncryptedProperties - 100%
Encryptor - 100%
Executor - 50% (some parameters are very .NET specific and are hard to marshal)
HttpUtilities - 30% (This class is especially difficult due to its tight integration with .NET specific HTTPRequest objects)
IntrusionDetector - 100%
Logger - 50% (Some functions missing due to integration with native .NET objects)
Randomizer - 100%
SafeFile - 0%
SecurityConfiguration - 100%
Validator - 65%
AccessReferenceMap, Executor and SafeFile are small components and I think I can have them running by tomorrow night. But we will still miss parts of Authenticator, HTTPUtilities and Validator.
Anyway, it was a great advance since Portugal, as there 3 classes were working partially and the others were not working at all. Now all are working but 3 will be working partially :)
PS. I am also copying Jeff as I think he might be interested in the advance of the project.
Regards,
Juan Carlos