[Owasp-board] ESAPI

Jim Manico jim.manico at owasp.org
Fri Jan 18 20:04:26 UTC 2013


> Who said anything about abandoning ESAPI? 

What I said was, as a long time software developer and user/participant in open source, I consider ESAPI to be abandoned. It's already there in my eyes. But it is such an awesome project with such great potential, I just want to be in a place of integrity.

So I say, please invest somehow in updating the project to a stable release with most of the public key bugs fixed, or "demote" it somehow.

I am not saying we "have" to pay for ESAPI. But I do think we may wish to be more clear to the community as to the project's real status.

- Jim


> The only suggestion that's been
> made is changing the payment structure from a lump sum payment to an
> individual to specific bug/feature targets (something I'd expect anyway)
> with portions of that payment associated with them.  If nobody else steps
> up and Kevin collects on all of them, then good for him.  But with a single
> payment to Kevin, you're basically just ensuring that he is the only
> developer on the project.  After all, why would anyone else work for free
> when Kevin is getting paid to do the work?  That seems like a pretty bad
> place to be for a "Flagship" project or whatever you want to call it.
> Personally, I think the bounty model is the way to move forward with all
> funded initiatives of the organization.  It creates specific attainable
> goals, does not favor any one individual, and has solid criteria for
> payment.  Sure, it creates a little additional overhead for the PM, but it
> also allows us to be entirely open with how we are spending money and who
> is benefiting from it.  Right now it just looks like someone really likes
> Kevin and wants to give him $5k without even considering others for the
> tasks.
> 
> ~josh
> 
> 
> On Fri, Jan 18, 2013 at 5:54 AM, Samantha Groves
> <samantha.groves at owasp.org>wrote:
> 
>> Not at all. We are simply using this forum to discuss your idea and
>> alternative solutions to the problem. I think overall, there are a few
>> concerns, but that doesn't mean we can't move forward. At the end of the
>> day, I believe this is a strategic decision which is why I felt it was a
>> good idea to bring it up to the board. If the community decides to go in
>> this direction, we will support the decision and move forward with
>> implementation from an operations perspective, of course.
>>
>> SG
>>
>> On Thu, Jan 17, 2013 at 7:53 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>>
>>>> That being said, I do agree with Jim that the quality of ESAPI must
>>>> certainly be worked on. However, I feel that spending money on a problem
>>>> that will only solve that problem in the short term is not a very
>>>> sustainable or scalable solution. I would much rather spend my time
>>> doing a
>>>> bit of extra work developing a creative solution that will benefit all
>>> of
>>>> our projects instead of putting our time, effort and resources into a
>>> quick
>>>> fix that will only benefit one project and one project leader.
>>>
>>>
>>> So the alternative is to leave ESAPI as is - an abandoned Flagship
>>> project. That leaves us in a place of very low integrity as an
>>> organization.
>>>
>>> - Jim
>>>
>>>
>>>
>>>>
>>>> SG
>>>>
>>>> On Wed, Jan 16, 2013 at 11:53 PM, Jason Li <jason.li at owasp.org> wrote:
>>>>
>>>>> One note - no project is currently "Flagship".
>>>>>
>>>>> We have projects that we think are strategically valuable enough that
>>> they
>>>>> we should try to push them to that status.
>>>>>
>>>>> To Jim's point, the project (and really any project that we would want
>>> to
>>>>> be a Flagship project) needs some polish, support and love to really
>>> be in
>>>>> that class.
>>>>>
>>>>> There are several "strategic" projects that I believe OWASP should
>>> look to
>>>>> push to Flagship status, but if the project is not of sufficient
>>> quality,
>>>>> it should not be referred to as Flagship regardless of how strategic or
>>>>> important the project is.
>>>>>
>>>>> -Jason
>>>>>
>>>>>
>>>>> On Wednesday, January 16, 2013, Samantha Groves wrote:
>>>>>
>>>>>> Hello Seba and Jim,
>>>>>>
>>>>>> I certainly do think that ESAPI needs a committed project leader and a
>>>>>> dedicated project support team to help take it to the next level of
>>>>>> development. As ESAPI is one of our Flagship projects, I see nothing
>>> wrong
>>>>>> with giving the initiative an extra amount of support from the
>>> foundation.
>>>>>> That being said, the amount of support we choose to give this project
>>> will
>>>>>> need to be reproduced for at least all 15 Flagship projects. I
>>> suggest we
>>>>>> keep this in mind when discussing how to provide support to ESAPI.
>>>>>>
>>>>>> SG
>>>>>>
>>>>>> On Wed, Jan 16, 2013 at 6:13 AM, Seba <seba at owasp.org> wrote:
>>>>>>
>>>>>>> Hi Jim,
>>>>>>> Sounds like a good suggestion for the short term.
>>>>>>> On the longer term, ESAPI needs a committed project manager and
>>>>>>> project/support team to evolve it into the de facto standard security
>>>>>>> framework example/implementation supported by a reliable community.
>>>>>>>
>>>>>>> Samantha: what are your thoughts?
>>>>>>>
>>>>>>> --seba
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jan 15, 2013 at 9:25 PM, Jim Manico <jim.manico at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> We have 5k in funding for ESAPI. ESAPI for Java is the main version
>>> of
>>>>>>>> ESAPI.
>>>>>>>>
>>>>>>>> Most everyone who was on the project dropped out, myself included.
>>>>>>>>
>>>>>>>> Kevin Wall is the "last man standing" working on the project. And
>>>>>>>> frankly, his code is the highest quality - by far - on the project.
>>>>>>>>
>>>>>>>> Can we spend some of the 5k in ESAPI funding to pay Kevin to finish
>>> the
>>>>>>>> next release?
>>>>>>>>
>>>>>>>> He did not ask for this, this is my suggestion to use funds to move
>>> a
>>>>>>>> key project along in support of our mission.
>>>>>>>>
>>>>>>>> - Jim
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-board mailing list
>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Samantha Groves, MBA
>>>>>> OWASP Project Manager
>>>>>>
>>>>>> The OWASP Foundation
>>>>>> London, United Kingdom
>>>>>> Email: samantha.groves at owasp.org
>>>>>> Skype: samanthahz
>>>>>>
>>>>>> Book a Meeting with Me <http://goo.gl/mZXdZ>
>>>>>> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>>>>>> New Project Application Form <https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHZfWGhHZ0Z4UFFwZU42djBXcVVLSlE6MQ#gid=0>
>>
>>
> 