[Owasp-board] AJAX, JS and OWASP

Paulo Coimbra paulo.coimbra at owasp.org
Thu May 13 17:14:34 UTC 2010

Hello Abraham,

First of all, thank you for volunteering to lead an OWASP Project.  It is
with volunteers like yourself that OWASP continues to succeed in making
application security visible.

Second, regarding your new leadership of this project, I'd like to request
that you send a project roadmap - basically the high level details of where
you'd like to take the project.  The OWASP Global Projects Committee (GPC)
will look at the roadmap and provide feedback on your project:  suggesting
projects which are closely related, resources and contacts which may assist
your efforts and any other suggestions to increase your project's success.


To get your project started, here are a couple of references for your

 - The Guidelines for OWASP Projects provide a quick overview of items key
to a project's success -

 - OWASP's Assessment Criteria is the metric by which projects are
evaluated.  There are three categories for projects: Alpha, Beta, and
Release.  The Assessment Criteria allows project leaders to know what
aspects of projects OWASP values -


 - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/,

Your project will have an OWASP wiki page to inform and promote your project
to the OWASP community.  To setup your project's page, please provide the
details below so that the GPC can establish your initial project page.  The
details provided will be used to complete OWASP's project template.  Feel
free to add any additional information to the wiki page or request assistance
about how to add to your project's wiki page.

Details to create your project page:
(0) Project Name,
(1) Project purpose / overview,
(2) Project Roadmap (as mentioned above),
(3) Project links (if any) to external sites,
(4) Project License,
(5) Project Leader name,
(6) Project Leader email address,
(7) Project Leader wiki account - the username (you'll need this to edit the
(8) Project Maintainer (if any) - name, email and wiki account (if any),
(9) Project Contributor(s) (if any) - name, email and wiki account (if any),

As your project reaches a point that you'd like OWASP to assist in its
promotion, the GPC will need the following to help spread the word about
your project:

 * Conference style presentation describing the project in at least 3 slides

 * Project Flyer/Pamphlet (PDF file) -

As work on your project progresses and you are ready to create a release,
please let the GPC know of the change in status.  The GPC can work with you
to get your project assessed and moved up the OWASP quality ladder from
Alpha to Beta to Stable.  Every release does not require an assessment -
feel free to email the GPC if you are unsure about your project's
requirements.  For examples of projects at various quality levels, please
see the OWASP Project page -

That is all for now - I wish you and your project great success.  Thank you
for supporting OWASP's mission.

Should you have any questions or require any further information, please do
not hesitate to contact me. 

Many thanks, best regards,


Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager


From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: Thursday, 13 May 2010 17:30
To: Abraham Kang
Cc: paulo.coimbra at owasp.org; Jeff Williams; chrisisbeef at gmail.com;
gazheyes at gmail.com
Subject: Re: AJAX, JS and OWASP


This is outstanding, welcome!


Abraham - I'm on the run for a few days but will respond in detail more.

Jim Manico

On May 11, 2010, at 11:16 PM, Abraham Kang <abraham_kang at yahoo.com> wrote:

I got the go ahead.

I was told not to reference my employer or anything that I developed at work
(which I didn't).

I also have a set of Flash/ActionScript guidelines that I developed as well.
Just working on tidying it up but I don't know if it should be included in the
Web 2.0/AJAX stuff as well.

I am a little behind on the Output Encoding Chapter for the OWASP Guide but
I have it organized in my mind.

I need to think of a pseudo (Doing Business As) name for an independent
security company that I am working under to not bring attention to my
current employer.

I wouldn't mind leading the Web 2.0/AJAX project if one is created.  


--- On Mon, 5/10/10, Jeff Williams <jeff.williams at owasp.org> wrote:

From: Jeff Williams <jeff.williams at owasp.org>
Subject: RE: AJAX, JS and OWASP
To: "'Jim Manico'" <jim.manico at owasp.org>, abraham_kang at yahoo.com,
paulo.coimbra at owasp.org
Cc: chrisisbeef at gmail.com, gazheyes at gmail.com
Date: Monday, May 10, 2010, 7:26 PM

Hi Abraham,

Really appreciate the effort and your contribution. We're ready to support
you in getting this information out there. I think this topic is certainly
important enough to deserve a full project, mailing list, etc...  Paulo can
help get that set up when you're ready.  Please let us know how we can help.



Jeff Williams, Chair
The OWASP Foundation
work: 410-707-1487
main: 301-604-4882

-----Original Message-----
From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: Friday, May 07, 2010 12:17 PM
To: abraham_kang at yahoo.com
Cc: jeff.williams at owasp.org; chrisisbeef at gmail.com; gazheyes at gmail.com
Subject: Re: AJAX, JS and OWASP

Email thread moved to ....

abraham_kang at yahoo.com

... and Wellsfargo address removed.

- Jim
> Hi Everyone,
> It was great meeting Jim last night at the OWASP meet up.
> My name is Abraham Kang.
> I have been working with Application Security for over 8 years primarily
> in web based technologies.
> I noticed that the AJAX Security Guidelines on the OWASP site is a bit
> lacking and does not cover important aspects of AJAX/Web 2.0 applications
> including client side issues (XSS [all three varieties], exposed
> auto-generated methods, reverse encoding, temporary data holders,
> requirement for client side JS encoding), the XHRHttpRequest, and deployed
> server side components.
> I have been working on an AJAX security guide on my own time and would
> like to share it with OWASP.
> This work is in no way related to, affiliated with, or condoned by Wells
> I would appreciate if further correspondence could take place on my
> personal email of abraham_kang at yahoo.com.
> Regards,
> Abe
> -----Original Message-----
> From: Jim Manico [mailto:jim.manico at owasp.org]
> Sent: Thursday, May 06, 2010 10:59 PM
> To: Jeff Williams; Chris Schmidt; gaz Heyes; Kang, Abraham
> Subject: AJAX, JS and OWASP
> Abraham,
> I'd like to introduce you to Jeff Williams the Chair of OWASP, Chris
> Beef the author of OWASP ESAPI for JavaScript, as well as GAZ - a
> great JavaScript-centric OWASP contributor.
> Abraham has rightfully noted that OWASP wiki knowledge around AJAX
> security is dated and he would like to contribute some of his work to
> OWASP. This is fantastic!
> Abe - would you be so kind as to tell us more about your ideas and
> introduce yourself to this group? And would you kindly hit OWASP.org
> and create an account?
> Thanks all,
> Jim Manico

Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager

