[Owasp-board] Flagship Code Products

Josh Sokol josh.sokol at owasp.org
Fri Mar 28 12:25:31 UTC 2014

I tried to use ESAPI PHP for a project I was working on one time and it was
so horribly difficult to use that I gave up.  I think that the concept is
awesome, but the implementation to date just sucks.  I also considered
using CSRFGuard for SimpleRisk, but ended up using a different tool as it
did inline page injection of nonces and was light-years ahead of the OWASP
tool.  In general, I agree with you, Jim.  We either need to put in the time
and effort to make our products stand out, or we need to become a catalog
of where to go for best-in-breed open source alternatives.  Maybe putting
out a formal Call for Project Leaders for the abandoned flagship projects
would be a good start?


On Fri, Mar 28, 2014 at 4:46 AM, Jim Manico <jim.manico at owasp.org> wrote:

> This makes me very sad.
> *Flagship Code Projects*
> * OWASP AntiSamy Project  <  Abandoned, had to pay someone to update the
> wiki, not project leads. Roadmap is from 2011, no updates, etc.
> * OWASP Enterprise Security API <  Abandoned, wiki out of date, old
> template, no code changes, we paid good money to have a codeathon in NYC
> and got... nothing.
> * OWASP CSRFGuard Project <  Somewhat being maintained, abandoned by author
> but picked up by another leader, but is a horrific design and only works
> on the most basic of websites. This is a bad bad design for complex web 2.0
> applications (since it uses JavaScript to inject tokens into the DOM, which
> is fraught with error).
> * OWASP ModSecurity Core Rule Set Project <  Awesome updates, wiki updated
> by project owner,
> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> I've been helping manage several production quality, highly scalable
> secure coding components (that were written by PhD level software
> engineers) and I'm sad to see them still stuck in incubator.  We also have
> projects like Dependency Check that are incredibly fantastic tools, still
> stuck in incubator.
> Samantha has been working hard on this, but every time I see our project
> list it really upsets me, because when dev folks really try to use these
> components, it's so far from production quality that it makes us look
> really bad. No wonder we can't really get developers to be a part of our
> community or use our stuff.
> I am sure I will get flak for this, but I stand by my opinion that this
> is something that is critical to fix at OWASP. I was recently trying to get
> a software company to be the first top tier corporate sponsor, but as part
> of this, they looked at our flagship projects and wiki, saw how crusty they
> both were, and said "no way". Sad.
> - Jim