[Owasp-dotnet] RE: [Owasp-chapters] An Open Letter to Owasp
Rogelio Morrell C.
rogelioc at ecyware.com
Tue Dec 28 08:16:58 EST 2004
Dinis,
Because I work with the Microsoft community and sometimes have to represent
them, you should really read their papers and security step by step
regarding ASP.NET. I understand that there is a danger with the ASP.NET Full
Trust (that's why they recommend developing ASP.NET partially trusted), but
all that is configurable using the CAS tool. In fact, in .NET 2.0, the CAS
tool cannot be turned off.
You should contact them, why not, you can find them at weblogs.asp.net
(Scott Guthrie). Maybe they haven't heard of you so that's why they haven't
contacted you.
>I also find fascinating the fact that the current Owasp-dotNet leader (i.e.
>me) has not been contacted by anybody from the Microsoft Asp.Net team
>regarding the Owasp-DotNet tools currently published:
>
> - Asp.Net Security Analyzer (ANSA)
> - Security Analyzer for Microsoft's Shared Hosting Environment (SAM'SHE)
> - Asp.Net Reflector
> - Online Metabase explorer
>
>The only logical explanation that I have for this situation (since these
>tools DO actually work and have helped hundreds of companies to improve
>their Asp.Net hosting environments) is that Microsoft doesn't want to
>'endorse' these tools because all of them show how insecure and dangerous
>the current Full Trust Asp.Net environment is.
And about the contribution, I offered some time ago some ideas and a code
project. But the group never responded back, so I just posted it on my web site
(http://www.ecyware.com/gbscripting.aspx?lnk=scripting).
Regarding the future of OWASP, Mark made the best decision in my mind. The
open source idea is good, but there is a market idea in everything.
Best Regards,
Rogelio Morrell C.
Ecyware
_____
From: owasp-chapters-admin at lists.sourceforge.net
[mailto:owasp-chapters-admin at lists.sourceforge.net] On Behalf Of Dinis Cruz
Sent: Monday, December 27, 2004 10:09 a.m.
To: owasp-leaders at lists.sourceforge.net
Cc: Mark Curphey; owasp-dotnet at lists.sourceforge.net;
owasp-guide at lists.sourceforge.net; owasp-testing at lists.sourceforge.net;
owasp-chapters at lists.sourceforge.net; owasp-advisors at lists.sourcforge.net;
owasp-metrics-request at lists.sourceforge.net; ingo at ingostruck.de;
alex at netwindows.org; dendler at tippingpoint.com; jermey at poteet.com;
admin at mokshafaced.com; david.raphael at ceterum.net; stanguzik at yahoo.com;
jeff.williams at owasp.org
Subject: [Owasp-chapters] An Open Letter to Owasp
Owasp is in a Crisis!
Mark's departure (who was one of the original Owasp members and one of the
most active and energetic participants) must make us all reflect hard on his
reasons for departure. Hopefully, this crisis will also create an
environment where the necessary changes are made to Owasp's world which:
a) prevents the departure of other key players and
b) substantially changes Owasp's behavior so that Mark (and others) will
want to (re)join, participate and collaborate.
As an Owasp member myself, and knowing (hoping?) that Owasp continues to be
a big part of my professional life, I would like to propose a series of
measures and suggestions for its future. These ideas are included at the end
of this 'Open Letter to Owasp', but firstly I would like to give my personal
opinion on several issues which I think are very relevant to the current
Owasp environment/situation.
A) My comments on .... "Owasp's vs Open Source"
Sorry if I am offending somebody, but I think that at the moment, in the
Owasp community, there are some expectations of what Open Source should
deliver which are not based on WHAT CAN happen but on what people WOULD LIKE
to happen.
I feel that several Owasp members (including Mark) are misinterpreting the
concepts of FREEDOM and FREE (as in beer, i.e. no cost).