[Owasp-board] Flagship Code Products
josh.sokol at owasp.org
Fri Mar 28 12:25:31 UTC 2014
I tried to use ESAPI PHP for a project I was working on one time and it was
so horribly difficult to use that I gave up. I think that the concept is
awesome, but the implementation to date just sucks. I also considered
using CSRFGuard for SimpleRisk, but ended up using a different tool as it
did inline page injection of nonces and was light years ahead of the OWASP
tool. In general, I agree with you Jim. We either need to put the time
and effort to make our products stand out, or we need to become a catalog
of where to go for best-in-breed open source alternatives. Maybe putting
out a formal Call for Project Leaders for the abandoned flagship projects
would be a good start?
On Fri, Mar 28, 2014 at 4:46 AM, Jim Manico <jim.manico at owasp.org> wrote:
> This makes me very sad.
> *Flagship Code Projects*
> * OWASP AntiSamy Project < Abandoned, had to pay someone to update the
> wiki, not project leads. Roadmap is from 2011, no updates, etc.
> * OWASP Enterprise Security API < Abandoned, wiki out of date, old
> template, no code changes, we paid good money to have a codeathon in NYC
> and got... nothing.
> * OWASP CSRFGuard Project < Somewhat being maintained, abandoned by author
> but picked up by another leader, but is a horrific design and only works
> on the most basic of websites. This is a bad, bad design for complex web 2.0
> and is fraught with error.
> * OWASP ModSecurity Core Rule Set Project < Awesome updates, wiki updated
> by project owner.
> I've been helping manage several production quality, highly scalable
> secure coding components (that were written by PhD level software
> engineers) and I'm sad to see them still stuck in incubator. We also have
> projects like Dependency Check that are incredibly fantastic tools, still
> stuck in incubator.
> Samantha has been working hard on this, but every time I see our project
> list it really upsets me because when dev folks really try to use these
> components, it's so far from production quality that it makes us look
> really bad. No wonder we can't really get developers to be a part of our
> community or use our stuff.
> I am sure I will get flak for this, but I stand by my opinions that this
> is something that is critical to fix at OWASP. I was recently trying to get
> a software company to be the first top tier corporate sponsor, but as part
> of this, they looked at our flagship projects and wiki, saw how crusty they
> both were, and said "no way". Sad.
> - Jim
> Owasp-board mailing list
> Owasp-board at lists.owasp.org