[Owasp-board] FW: NEW PROJECT HAS BEEN SET UP/Security Analysis of Core J2EE Design Patterns

Paulo Coimbra paulo.coimbra at owasp.org
Thu Jul 2 17:55:22 UTC 2009


Board,

 

FYI - thanks,

 

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

 

From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org] 
Sent: Wednesday, 1 July 2009 17:45
To: 'Sethi, Rohit'; 'Jim Manico'
Cc: 'Global Projects Committee'
Subject: RE: NEW PROJECT HAS BEEN SET UP/Security Analysis of Core J2EE Design Patterns

 

Hello Rohit and Jim,

 

I recommend we use this link instead:
http://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project
which is consistent with our current practice.

 

From now on you can use the wiki page as you see fit, but please keep the
integrity of the "Project Identification" tab. It will be used to hold all
the information required by OWASP's Assessment Criteria -
https://www.owasp.org/index.php/Category:OWASP_Project_Assessment.

 

I've also created an OWASP mailing list for your project -
https://lists.owasp.org/mailman/listinfo/owasp_security_analysis_j2ee - and
by now the admin password should have been sent to you automatically.

 

If you need/wish an OWASP email account, please let me know and I will
create it for you. 

 

In addition, your email addresses have been added to the OWASP Leaders
mailing list. As a result, you are now able to use this list,
owasp-leaders at lists.owasp.org, to contact all of the most active OWASP
project and chapter leaders. I suggest contacting them to discuss your
project and to find potential contributors and/or the needed reviewer.

 

To conclude the project's setting-up phase we still need you to provide the
following information:

 

As for the project:

 

1. Project Leader's and Contributors' wiki accounts (please see the Note below),

2. Project Flyer/Pamphlet,

3. Project main links (if any),

As for your first release:

4. Release Name,

5. Release main features,

6. Release License,

7. Release Leader,

8. Release Contributor(s),

9. Release Reviewer,

10. Release Mentor (if any),

11. Release Sponsor(s) (if any),

12. Release Flyer/Pamphlet,

13. Release Roadmap,

14. Release Main Links,

That's all for now - I wish you good work and thank you for supporting
OWASP.

 

Should you have any queries or require any further information please do not
hesitate to contact me. 

 

Best regards,

 

Note: For the Project Leader and Contributors, please create wiki accounts
<https://www.owasp.org/index.php/Special:Userlogin> and send me the links.
See here <https://www.owasp.org/index.php/Tutorial> and here
<http://www.owasp.org/index.php/User:Mtesauro> for how to do it, and here
<http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project#tab=Project_Identification>
for an example of how it will be used.

 

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page> 

 

From: Sethi, Rohit [mailto:rohit at securitycompass.com] 
Sent: Wednesday, 1 July 2009 14:27
To: Jim Manico; paulo.coimbra at owasp.org
Subject: RE: Security Analysis of Core J2EE Design Patterns

 

Looks good to me

 

Cheers,

 

Rohit Sethi

Director, Professional Services

Security Compass

http://www.securitycompass.com/

Direct : 888-777-2211 ext. 102

Mobile: 732.546.4473

 

**************************************************************************

The information in this email is confidential and may be legally privileged.
Access to this email by  anyone other than the intended addressee is
unauthorized.  If you are not the intended recipient of this message, any
review, disclosure, copying, distribution, retention, or any action taken or
omitted to be taken in reliance on it is prohibited and may be unlawful. If
you are not the intended recipient, please reply to or forward a copy of
this message to the sender and delete the message, any attachments, and any
copies thereof from your system.

*************************************************************************

 

From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: June-30-09 6:49 PM
To: Sethi, Rohit; paulo.coimbra at owasp.org
Subject: Re: Security Analysis of Core J2EE Design Patterns

 

Hello Gentlemen,

 

I was thinking of Wikifying this article here:

 

http://www.owasp.org/index.php/Security_Analysis_of_Core_J2EE_Design_Patterns

 

(it's empty now, just a placeholder).

 

Is this an appropriate place to place this article in OWASP.org?

 

Thanks!

- Jim

----- Original Message -----

From: Sethi, Rohit <mailto:rohit at securitycompass.com>

To: paulo.coimbra at owasp.org

Cc: Labs <mailto:labs at securitycompass.com>; 'Jim Manico'
<mailto:jim.manico at owasp.org>; 'Paolo Perego' <mailto:thesp0nge at owasp.org>;
'Seba' <mailto:seba at owasp.org>; 'Global Projects Committee'
<mailto:global-projects-committee at lists.owasp.org>

Sent: Monday, June 29, 2009 9:53 AM

Subject: RE: Security Analysis of Core J2EE Design Patterns

 

Hi Paulo, 

 

Here is the project info that I think I can include now:

 

Project Info:

 

What: OWASP Pattern Analysis

Purpose: To analyze popular design and architectural patterns for potential
security issues, including advice on common pitfalls to avoid and where in a
pattern to implement common security controls. Note that we are not creating
new "security patterns" but rather analyzing existing non-security-specific
patterns.

 

Who: 

Project leader: Rohit Sethi

Project Maintainer: Rohit Sethi & Jim Manico (Jim, I'm assuming you're okay
with this since you're creating the wiki version?)

Project Contributors:

- Sahba Kazerooni

- Krish Raja

- Subu Ramanathan

- Oliver Lavery

- Frank Kim

 

Roadmap:

 

The project's overall goal is to...

 

Be a design-time security reference for developers implementing common
patterns independent of specific platforms and frameworks. Pattern usage is
ubiquitous in software development, and the best patterns transcend specific
languages and/or frameworks; analyzing the most pivotal frameworks in web
applications allows us to build security advice that developers will use far
in the future. At the same time, analyzing common patterns helps manual
penetration testers and source code reviewers understand where to look for
vulnerabilities within an application.

 

In the near term, we are focused on the following tactical goals...

 

1. Convert the existing Core J2EE Patterns analysis Word document into
wiki format

2. Solicit feedback and add additional advice to each pattern

3. Determine next steps in the group:

   a. Add source code examples

   b. Start reviewing other patterns, such as Patterns of Enterprise
   Application Architecture, Enterprise Integration Patterns, or .Net Patterns

 

 

 

Rohit Sethi

Director, Professional Services

Security Compass

http://www.securitycompass.com/

Direct : 888-777-2211 ext. 102

Mobile: 732.546.4473

 


 

From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org] 
Sent: June-24-09 10:27 AM
To: Sethi, Rohit
Cc: Labs; 'Jim Manico'; 'Paolo Perego'; 'Seba'; 'Global Projects Committee'
Subject: RE: Security Analysis of Core J2EE Design Patterns

 

Hello Rohit,

 

I am glad to hear you want to lead an OWASP Project and I thank you for
supporting OWASP.

 

Regarding the process of setting up the Pattern Analysis project, would you
be kind enough to send us a detailed roadmap? As a first step to create a
new project page, this piece is usually required to allow feedback from
our Global Projects Committee
http://www.owasp.org/index.php/Global_Projects_Committee.

 

In addition, after the above-mentioned first phase has been concluded, we
will need a few more details about your project. We have just recently
established a new project identification frame to be included in all OWASP
Projects, so I ask you to glance at it
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project#tab=Project_Identification
and to send us as much similar information as you can.

 

Should you require any further assistance, please do not hesitate to get
back to me.

 

Many thanks, best regards, 

 

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

 

From: Paolo Perego [mailto:thesp0nge at owasp.org] 
Sent: Wednesday, 24 June 2009 08:27
To: Seba
Cc: Sethi, Rohit; Labs; Jim Manico; Paulo Coimbra
Subject: Re: Security Analysis of Core J2EE Design Patterns

 

Guys, I also think this can be a very interesting project.

But I think there was a mix-up between Paulo (with the 'u', Coimbra) and
Paolo (with the 'o', Perego, that's me).

So I cc'ed our Project Manager to help you in setting up the project pages :-)

 

Ciao ciao

Paolo

 

On Wed, Jun 24, 2009 at 6:03 AM, Seba <seba at owasp.org> wrote:

> Hi Rohit,
>
> That is excellent news.
>
> One of the first steps you can take is to make the content available to
> the education project at
> http://www.owasp.org/index.php/Category:OWASP_Education_Project#Donated_Material,
> restating the copyright to a Creative Commons license and adding the OWASP
> introduction and logo (mentioning Security Compass as sponsor). Paulo
> will help you to set up the OWASP Pattern Analysis project pages.
>
> thx!
>
> Seba
>

> On Tue, Jun 23, 2009 at 7:03 PM, Jim Manico <jim.manico at owasp.org> wrote:

>> 

>> Seba + Paolo,

>> 

>> The esteemed authors of
>> http://labs.securitycompass.com/papers/Security%20Analysis%20of%20Core%20JEE%20Design%20Patterns%20v0%2020.pdf
>> would like to donate this article to OWASP and use this material as the
>> base of a new "Pattern Analysis" project.

>> 

>> Security Compass would like to be listed as project sponsors with
>> Rohit as the project lead.

>> 

>> Can we get them oriented and set up?

>> 

>> Thanks kindly!

>> - Jim

>> 

>> ----- Original Message -----

>> From: Sethi, Rohit

>> To: jeffl.williams at owasp.org ; 'Jim Manico' ; Labs

>> Sent: Tuesday, June 23, 2009 4:13 AM

>> Subject: RE: Security Analysis of Core J2EE Design Patterns

>> 

>> Thanks guys.

>> 

>> 

>> 

>> Jim, what are the next steps for making this into a project? I was
>> thinking of a more generic project name like "Pattern Analysis" and
>> having the Core J2EE Patterns be the first component.

>> 

>> 

>> 

>> Cheers,

>> 

>> 

>> 

>> Rohit Sethi

>> 

>> Director, Professional Services

>> 

>> Security Compass

>> 

>> http://www.securitycompass.com

>> 

>> Direct : 888-777-2211 ext. 102

>> 

>> Mobile: 732.546.4473

>> 

>> 

>> 


>> 

>> 

>> 

>> From: Jeff Williams [mailto:jeff.williams at owasp.org]

>> Sent: June-23-09 10:13 AM

>> To: 'Jim Manico'; Sethi, Rohit; Labs

>> Subject: RE: Security Analysis of Core J2EE Design Patterns

>> 

>> 

>> 

>> Excellent news!  Thank you all very much.  Let me know once the
>> project starts up and we'll promote it even more.  Thanks!

>> 

>> 

>> 

>> --Jeff

>> 

>> 

>> 

>> Jeff Williams, Chair

>> 

>> The OWASP Foundation

>> 

>> Work: 410-707-1487

>> 

>> Main: 301-604-4882

>> 

>> 

>> 

>> From: Jim Manico [mailto:jim.manico at owasp.org]

>> Sent: Monday, June 22, 2009 10:44 PM

>> To: Sethi, Rohit; Labs; Jeff Williams

>> Subject: Re: Security Analysis of Core J2EE Design Patterns

>> 

>> 

>> 

>> I'm thrilled to hear this, thank you Sahba, Krish AND Rohit! :)

>> 

>> 

>> 

>> Jeff - it seems that the authors of this wonderful paper are willing
>> to start an OWASP project around this material.

>> 

>> 

>> 

>> 

>> http://labs.securitycompass.com/papers/Security%20Analysis%20of%20Core%20JEE%20Design%20Patterns%20v0%2020.pdf

>> 

>> 

>> 

>> > The caveat would be that Security Compass be listed as project
>> > sponsors and that I'll be listed as a project lead.

>> 

>> 

>> 

>> I don't think this is a problem at all - any thoughts, Jeff?

>> 

>> 

>> 

>> - Jim

>> 

>> ----- Original Message -----

>> 

>> From: Sethi, Rohit

>> 

>> To: Jim Manico ; Labs

>> 

>> Sent: Monday, June 22, 2009 2:49 PM

>> 

>> Subject: RE: Security Analysis of Core J2EE Design Patterns

>> 

>> 

>> 

>> Hi Jim,

>> 

>> 

>> 

>> Sorry for not getting back to you sooner. I think we are ready to go
>> ahead and make this an official OWASP project. The caveat would be
>> that Security Compass be listed as project sponsors and that I'll be
>> listed as a project lead.

>> 

>> 

>> 

>> I wanted to thank you for bringing up the paper in the OWASP Podcast
>> and talking about it at length. I would like to point out that I was not
>> the only author of the paper; Sahba Kazerooni and Krish Raja were
>> both involved with writing it as well.

>> 

>> 

>> 

>> Cheers,

>> 

>> 

>> 

>> Rohit Sethi

>> 

>> Director, Professional Services

>> 

>> Security Compass

>> 

>> http://www.securitycompass.com

>> 

>> Direct : 888-777-2211 ext. 102

>> 

>> Mobile: 732.546.4473

>> 

>> 

>> 


>> 

>> 

>> 

>> From: Jim Manico [mailto:jim.manico at owasp.org]

>> Sent: June-22-09 3:38 PM

>> To: Labs

>> Subject: Security Analysis of Core J2EE Design Patterns

>> 

>> 

>> 

>> I'm a HUGE fan of the work done here:
>> http://labs.securitycompass.com/papers/Security%20Analysis%20of%20Core%20JEE%20Design%20Patterns%20v0%2020.pdf

>> 

>> 

>> 

>> The only trouble is, myself and several other Java folks at OWASP
>> would love to collaborate on this.

>> 

>> 

>> 

>> May I please make a copy of this guide and post it on OWASP (with
>> proper attribution) so we can collaborate?

>> 

>> 

>> 

>> - Jim

> 

 

 

 

--

"stay hungry, stay foolish"

 

OWASP Orizon project, http://orizon.sourceforge.net "enjoy your code review
experience"
