[Owasp-board] ESAPI

Jason Li jason.li at owasp.org
Sun Jan 20 14:47:07 UTC 2013


What did I just say earlier in the thread about no OWASP project (including
ESAPI) being a flagship project?

-Jason

On Wednesday, January 16, 2013, Jim Manico wrote:

> ESAPI may be flagship from an OWASP point of view, but as a software
> engineer of almost 20 years, and as someone who has seen dozens of
> organizations try to use ESAPI for Java...
>
> ...ESAPI is not even close to production quality. It's a great research
> project, and has a lot of excellent code, and is very usable. But as a
> project that is drop in ready to use for secure coding at a level of
> professionalism as say, Apache projects? No way, and that is ok.
>
>
> I feel we should either:
>
> 1) Demote ESAPI away from Flagship until it can be cleaned up and updated.
> 2) Spend some $ to pay an engineer to update it.
>
> But leaving ESAPI as Flagship without updating it while it is largely
> inactive is 100% unacceptable in my mind. It makes us look like a
> laughingstock in the developer community even if it makes us look good in
> the security community.
>
> - Jim
>
>
>
> > Hello Seba and Jim,
> >
> > I certainly do think that ESAPI needs a committed project leader and a
> > dedicated project support team to help take it to the next level of
> > development. As ESAPI is one of our Flagship projects, I see nothing wrong
> > with giving the initiative an extra amount of support from the foundation.
> > That being said, the amount of support we choose to give this project will
> > need to be reproduced for at least all 15 Flagship projects. I suggest we
> > keep this in mind when discussing how to provide support to ESAPI.
> >
> > SG
> >
> > On Wed, Jan 16, 2013 at 6:13 AM, Seba <seba at owasp.org> wrote:
> >
> >> Hi Jim
> >> Sounds like a good suggestion for the short term.
> >> In the longer term, ESAPI needs a committed project manager and
> >> project/support team to evolve it into the de facto standard security
> >> framework example/implementation supported by a reliable community
> >>
> >> Samantha: what are your thoughts?
> >>
> >> --seba
> >>
> >>
> >> On Tue, Jan 15, 2013 at 9:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
> >>
> >>> We have 5k in funding for ESAPI. ESAPI for Java is the main version of
> >>> ESAPI.
> >>>
> >>> Most everyone who was on the project dropped out, myself included.
> >>>
> >>> Kevin Wall is the "last man standing" working on the project. And
> >>> frankly, his code is the highest quality - by far - on the project.
> >>>
> >>> Can we spend some of the 5k in ESAPI funding to pay Kevin to finish the
> >>> next release?
> >>>
> >>> He did not ask for this, this is my suggestion to use funds to move a key
> >>> project along in support of our mission.
> >>>
> >>> - Jim
> >>>
> >>> _______________________________________________
> >>> Owasp-board mailing list
> >>> Owasp-board at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-board
> >>>
> >>
> >>
> >
> >
>