[Esapi-user] Call for review of crypto code
jim.manico at owasp.org
Fri Apr 30 01:27:50 EDT 2010
Please get some quotes to me. I'll pay for the review myself for fucks
On Apr 29, 2010, at 7:39 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Jeff Williams wrote:
>> I think creating some competition to make ESAPI better is a good
>> idea. I'm
>> not sure how to do this exactly without making it seem like a "Bug
>> program. We can give honorary OWASP memberships. We could
>> recognize people
>> and fly them to OWASP AppSec conferences to receive their award.
>> We could
>> open the competition and create a judges panel that will decide the
>> 3 "best"
>> vulnerabilities discovered in ESAPI, and give out prizes at AppSec.
>> Any of this appeal to you? I can work it with the board.
> I think all of those you mentioned are some good incentives. (Hey,
> if it
> were up to me, I'd do it for a case of Guiness or a crate of chocolate
> chip cookies, but I'm easily persuaded. ;-)
> Only thing is you have to be careful of how you phrase it if what you
> really want is to focus on the crypto code. (Which is what I want, but
> of course, I'm a bit biased there.)
> Most of all, I want to have the implementation of the design
> see if I did it correctly or not based on Wagner's and Grigg's
> Personally, I think someone with good security skills can catch
> things like
> just coding mistakes. What almost all of us are lacking--myself
> are good cryptanalytic skills. You have to know how to *break*
> crypto and
> cryptographic protocols. I can generally pick up on things pretty
> if a lucid explanation is given, but I don't have experience
> ciphers to know what to look for in terms of weakness of design. I am
> only smart enough to know to ask for help--first in the design, and
> in the review of the code. In other words, I know that I don't know.
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of
More information about the Esapi-user