[Owasp-board] Crapping on projects

dinis cruz dinis.cruz at owasp.org
Tue Oct 13 15:51:10 UTC 2009


Cool, thx
One thing, I would like to write a post about this issue and don't really
want to rewrite the whole thing :)

So, Jeff, are you OK if I just post a formatted version of this thread as a
blog post? (If you want I can remove your name and just mention you as 'a
worried OWASP fellow'.)

Dinis

2009/10/6 Jeff Williams <jeff.williams at owasp.org>

>  Thanks Dinis,
>
>
>
> Thanks for the insight into your thoughts.  Maybe that’s the real problem –
> you just can’t convey all that in 140 characters.  The tone of the tweet
> came off very negative to me when I read it.  When you say “I have one word
> for you” generally the next word is not a compliment :)  Now I get the
> plastics reference, but I missed it.  Also when you say they are “miles
> ahead” it’s like you’re calling his efforts pathetic.  Which actually I
> think you are.  But I think a much better message would be to say “Hey, have
> you considered taking advantage of the data flow capabilities in WALA?”  I’m
> glad Paolo is cool with it.  I wasn’t really worried about him – it’s all
> the other readers without context.
>
>
>
> Anyway, thanks for explaining.  I guess I overreacted.
>
>
>
> --Jeff
>
>
>
>
>
> *From:* dinis cruz [mailto:dinis.cruz at owasp.org]
> *Sent:* Monday, October 05, 2009 10:15 AM
> *To:* jeff.williams at owasp.org
> *Cc:* OWASP Foundation Board List
> *Subject:* Re: [Owasp-board] Crapping on projects
>
>
>
> Hey Jeff
>
>
>
> First of all, thanks for raising the alert and please, please always do so
> whenever you think I've crossed the line.
>
>
>
> Like you said, appearances are very important, and while I do make a very
> big conscious effort to keep my independence, sometimes one is too close to
> the action to notice the implications of one's own actions.
>
>
>
> That said, in this case I don't really fully understand why my tweet
> was inappropriate, so Jeff (and others) please see my answers below and
> point me to where I am being wrong.
>
>
>
> 2009/10/1 Jeff Williams <jeff.williams at owasp.org>
>
> Dinis,
>
> I hate to call you out,
>
> No worries; like I mentioned before, always speak your mind when you think
> I have not acted in an appropriate way.
>
>  but I think your tweet to Paolo Perego (theSp0nge) was inappropriate in
> several ways.  If I misunderstood, I apologize and please help me
> understand.
>
>
>
>        > I have one word for you @thesp0nge : #WALA (from #IBM) It's open
> source and is miles ahead of where you are now #owasp #owasporizon
>
>  Just for reference, I posted this tweet in response to this tweet from Paolo,
> http://twitter.com/thesp0nge/status/4493366601:
>
>
>
> *> I'm a bit scared about the competitiveness lag between Orizon and
> other opensource SASTs. I need to refine the strategy #owasp #owasporizon*
>
>
>
> My reading of that tweet from Paolo was that he was asking for
> help/comments on where he should be going next.
>
>  First, as a board member, I think we need to be encouraging to the folks
> that dedicate their free time to helping OWASP’s mission.  If we think that
> a project is not likely to succeed because it isn’t as good as some other
> library, then we should try to constructively steer that project towards
> something useful.  I think your message to Paolo would be discouraging to
> other project leads as it sends the message that the OWASP Board does not
> have their back!
>
>  OK, from what I understand from the above paragraph, there are three issues
> here:
>
>
>
> 1) Board members should be encouraging project leaders
>
> 2) When Board members provide comments they should do it in a constructive
> way (and steer the project in the right direction)
>
> 3) Board members have to be careful when 'criticizing' project leaders
> since that 'criticism' could make that project leader feel that they don't
> have the support from the OWASP Board
>
>
>
> Before I comment, it might be good to explain why I was trying to point
> Paolo and Orizon to WALA.
>
>
>
> Orizon is a great project and Paolo has good ideas about it, but let's be
> honest, the tool doesn't even come close to being able to perform static
> analysis of code! (I've tried to use it several times and at the moment it is
> just a glorified GREP.) The problem is that Paolo is trying to create
> everything (almost) from scratch, and creating an engine that is able to
> follow tainted data is VERY hard (as we can see by the amount of time that
> it is (still) taking Ounce, Fortify & IBM to get it right). Paolo has great
> ideas and there are a lot of great concepts in Orizon, BUT until Orizon is
> able to follow tainted data, that tool will never be a credible/valid
> alternative to the current commercial tools (and next-gen Open Source
> tools).
>
>
>
> As you know, I've spent a LOT of time over this past year researching
> Static-Code-Analysis techniques, and have always been quite frustrated
> because I couldn't help Paolo. And the reason was that Orizon
> didn't/doesn't have a taint-analysis engine. And this is where WALA (for
> Java) and maybe Microsoft's Phenix/Cat.NET (for .NET and C++) come into the
> equation, since they could provide Orizon the missing piece of the puzzle.
> Note that the IBM-developed source-code analysis engine (which was not
> working as expected and was one of the reasons why IBM bought Ounce) was
> built on top of WALA (same for the IBM RSAr product (IBM Software Analyzer)).
>
>
>
> Maybe twitter was not the best medium and maybe my 'play on words' with 'The
> Graduate' was not the most fortunate, but what I was trying to say to Paolo
> was: "...Hey man, don't re-invent the wheel and use WALA as one of Orizon's
> engines..." (Note that I have asked Paolo what he thought of that tweet
> (the one Jeff mentions above) and he replied to me that he was OK with it.)
>
>
>
> So, going back to Jeff's paragraph above:
>
>
>
> *1) Board members should be encouraging project leaders*
>
>
>
> I felt I was doing this since I was providing what were (in my mind at least
> :)  ) constructive comments.
>
>
>
> *2) When Board members provide comments they should do it in a
> constructive way (and steer the project in the right direction)*
>
>
>
> This is exactly what I was trying to do (steer the project onto the right
> track).
>
>
>
> *3) Board members have to be careful when 'criticizing' project leaders
> since that 'criticism' could make that project leader feel that they don't
> have the support from the OWASP Board*
>
>
>
> This is a tough one, since I do believe that what our project leaders want
> from us (and other OWASP leaders & GPC) is feedback. I.e. they receive
> SO LITTLE feedback that ANYTHING (good or bad) is better than silence.
>
>
>
> We also can't put ourselves (Board Members) in a position where we can't say
> anything bad or 'non-positive' to project leaders! We all have complex
> commercial interdependencies and 'possible conflicts of interest', so maybe in
> the medium term we need to create a way for us to officially 'speak as board
> members' (making everything else 'non-board-member-talk').
>
>
>
> A final point I would like to make is that I would argue that OWASP
> projects should (from a quality point of view) be 'as good if not better'
> than the current commercial equivalents, and more and more, we need to put
> more pressure on our leaders to deliver better tools (in some way this is
> what we are doing at the GPC with the new project assessment criteria).
>
>
>
> We also should not be afraid to point our OWASP leaders to other Open
> Source projects that can help their tools (this way they don't have to
> reinvent a lot of wheels).
>
>
>
> Second, you have a commercial relationship with IBM (of some sort) which
> makes your thoughts about open-source static analysis projects seem biased.
> (I say **seem** because I know that you are not – but I’m talking about
> appearances here).  I know WALA is open source too, but I believe it comes
> across wrong.  We just need to be careful here.
>
>  My view on this is that as long as the recommendations I make are for
> other (OWASP or not) Open Source projects, then it is OK to make those
> recommendations.
>
>
>
> I would agree if I had said *"..Hey man, just use IBM's RSAr engine,
> it is non Open Source but it is well priced ..."*; that would have been a
> conflict of interest since I would be pushing Orizon to use a Commercial
> Engine on top of its Open Source code (note that I only moved O2 to OWASP
> once it had enough 100% Open Source functionality that it would be useful
> even without an Ounce engine license).
>
>
>
> Because of my current relationship with IBM (contract still to be signed
> :)  ) I do (or will) have a better insight into what they are doing over
> there. BUT I don't see any harm (and please correct me if I am wrong) in
> trying to build some bridges and connect OWASP with existing IBM (or other)
> Open Source projects.
>
>
>
> Let's say for example that an OWASP project was implementing their own
> database; shouldn't we have the duty/right to say to them *"..Hey, why
> don't you use MySQL or HSQLDB instead?...."* (regardless of whether the person
> doing the recommendation was working for Sun/Oracle)?
>
>
>
>  Third, Orizon is security-focused and supports many languages.  WALA
> appears to be for Java only and is not security focused.  Were you
> suggesting that Orizon look to WALA as an engine to help with security
> analysis?
>
>  Yes, that is exactly what I am proposing: *"... Orizon look to WALA as an
> engine to help with security analysis..."* :)
>
>
>
> Note that it is going to take years for Paolo to get Orizon to do (for
> Java) what WALA can do today, and WALA can be extended to support other
> languages.
>
>
>
> I know this is always going to be a challenge for us, as we all have
> commercial relationships, but I’m hoping to keep on top of it so that we
> protect the non-commercial nature of OWASP.
>
>
>
> Sure, but I still fail to see the problem in pointing an OWASP project to
> another Open Source project (regardless of who paid for the original
> research).
>
>
>
> Am I missing something here? Am I not supposed to make comments on IBM
> open source tools?
>
>
>
> If my explanations above still fail to convince you, please help me to
> understand the issue (btw, once we have cleared this up amongst us,
> I will write a blog post about my 'WALA comment to Paolo').
>
>
>
> Dinis Cruz
>
>
>
> --Jeff
>
>
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>