[Esapi-user] Call for review of crypto code

Boberski, Michael [USA] boberski_michael at bah.com
Fri Apr 30 12:07:02 EDT 2010

Here, hold on, before you put out another call, I had an idea on how to further scope/direct a review, hold on sec.


Mike B.

-----Original Message-----
From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: Friday, April 30, 2010 11:49 AM
To: Boberski, Michael [USA]
Cc: ESAPI-Developers; ESAPI-Users; owasp-leaders at lists.owasp.org
Subject: Re: [Esapi-user] Call for review of crypto code

Mike - you might be right. I'm worried that your suggestions will  
require an entire re-write of the current ESAPI encryptor and push out  
a 2.0 production release for many months or more. But I could live  
with that if it's the best path for our user community.

This is also why I am willing to pay for 3rd party review of our  
encryptor reference implementation out of my own pocket. The project  
is stalled and ESAPI is way too important to let money get in the way  
of helping the world. We also need to be willing to hear that this  
solution is the wrong direction.

PS: To all you large corporations who are using ESAPI quietly but are  
not willing to chip in to pay for 3rd party professional guidance/ 
review of our crypto code? You cheap bastards... *grin* Seriously.  
OWASP is a not-for-profit charitable organization which runs on a  
shoestring budget. If you want proof I'll send you our financial records  
from 2009. At this point we need financial help for ESAPI in the  
ballpark of 15k-20k - at least - to bring in the right kind of  
objective crypto-master security reviewer to verify our Java encryptor  
implementation and provide guidance on a future roadmap. This cost is  
a trickle compared to the cost of building ESAPI from scratch - by a  
long shot.

** Please contact me if you are one of the noble organizations or  
individuals who believe in this mission enough to put your money where  
your download of code is. I'm collecting a fund to assist in paying  
for this review effort.

Kevin: If I had a dime for every minute I read your emails we would  
have the budget we need. ;) So Kevin, can you post a request-for-quote  
proposal of some kind (to both the dev and user list) so we can start  
getting real bids on this review project?  Thank you.

Jim Manico

On Apr 30, 2010, at 5:29 AM, "Boberski, Michael [USA]" <boberski_michael at bah.com> wrote:

> I do have one general comment that's basically just a reiteration of  
> previous proposals to basically further wrap the crypto, it occurred  
> to me again yesterday as I was reviewing existing documentation and  
> working on consolidating and extending it in http://code.google.com/p/owasp-esapi-java/wiki/Welcome,  
> if you look inside the ESAPI for Java distribution in  
> "\ESAPI-2.0-rc6\documentation", the amount of documentation for  
> Encryptor is much more than for any other control. (1)Other ESAPI  
> controls aren't as hard to use, (except maybe the WAF which is a  
> separate thread), and (2)none create proprietary (non-standards-based)  
> outputs, for Encoders for example we code to e.g. MySQL  
> specs, why don't we do something similar, like use PKCS#7 or CMS  
> here. Also, why does ESAPI care how a crypto algorithm is  
> implemented, I really don't think we want to try to stand behind  
> algorithms, we're not the open crypto project, we're just a wrapper  
> that uses things according to best practices, FIPS 140 or no for  
> example. It's our use of algorithms and key management that we  
> should solicit reviews of.
> Best,
> Mike B.
