jim.manico at owasp.org
Sun Jan 20 20:19:54 UTC 2013
Easy killer. Rename "flagship" to "release status" and the story is the
On Jan 20, 2013, at 4:47 AM, Jason Li <jason.li at owasp.org> wrote:
What did I just say earlier in the thread about no OWASP project (including
ESAPI) being a flagship project?
On Wednesday, January 16, 2013, Jim Manico wrote:
> ESAPI may be flagship from an OWASP point of view, but as a software
> engineer of almost 20 years, and as someone who has seen dozens of
> organizations try to use ESAPI for Java...
> ...ESAPI is not even close to production quality. It's a great research
> project, and has a lot of excellent code, and is very usable. But as a
> project that is drop-in ready to use for secure coding at a level of
> professionalism as say, Apache projects? No way, and that is ok.
> I feel we should either:
> 1) Demote ESAPI away from Flagship until it can be cleaned up and updated.
> 2) Spend some $ to pay an engineer to update it.
> But leaving ESAPI as Flagship without updating it while it is largely
> inactive is 100% unacceptable in my mind. It makes us look like a
> laughingstock in the developer community even if it makes us look good in
> the security community.
> - Jim
> > Hello Seba and Jim,
> > I certainly do think that ESAPI needs a committed project leader and a
> > dedicated project support team to help take it to the next level of
> > development. As ESAPI is one of our Flagship projects, I see nothing
> > with giving the initiative an extra amount of support from the
> > That being said, the amount of support we choose to give this project
> > need to be reproduced for at least all 15 Flagship projects. I suggest we
> > keep this in mind when discussing how to provide support to ESAPI.
> > SG
> >> Hi Jim
> >> sounds like a good suggestion for the short term
> >> on longer term, ESAPI needs a committed project manager and
> >> project/support team to evolve it into the de facto standard security
> >> framework example/implementation supported by a reliable community
> >> Samantha: what are your thoughts?
> >> --seba
> >>> We have 5k in funding for ESAPI. ESAPI for Java is the main version of
> >>> ESAPI.
> >>> Most everyone who was on the project dropped out, myself included.
> >>> Kevin Wall is the "last man standing" working on the project. And
> >>> frankly, his code is the highest quality - by far - on the project.
> >>> Can we spend some of the 5k in ESAPI funding to pay Kevin to finish the
> >>> next release?
> >>> He did not ask for this, this is my suggestion to use funds to move a
> >>> project along in support of our mission.
> >>> - Jim
> >>> _______________________________________________
> >>> Owasp-board mailing list
> >>> https://lists.owasp.org/mailman/listinfo/owasp-board