[Owasp-board] Flagship Code Products

Jim Manico jim.manico at owasp.org
Fri Mar 28 12:44:35 UTC 2014

I feel these three code flagships should be immediately demoted and need 
to re-earn their flagship status. They do not help application security 
or the OWASP foundation, they hurt it terribly.

Take ESAPI for Java:

0) 164 reported open bugs! Whoa!
1) Insecure random number generation
2) Fundamental design flaws including singleton pattern which causes 
massive thread safety issues and inability to have multiple providers
3) Tons of critical bugs not addressed, inactive
4) Even the leads say "it's not about the implementation, it's about the 
interface" which is, ahem, BS.
5) Weak weak weak password storage reported back in 2011, unfixed
6) The AntiXSS encoder is dated and missing several contexts, and many 
(like the LDAP ones) are flat out wrong.

When I bring this up to Samantha, she says "but so many people use it" 
which is fair, but Samantha is not qualified to judge how technically 
useful the project is. *And I am*, and it's very bad.

I've made these complaints a year ago, but nothing has changed. So I 
supported other projects that solve the same problems in more production 
quality ways.

Now I think ESAPI is an important concept, I recommend it for research 
and for the interface, but for the love of god, this is not production 
or flagship quality.

Take AntiSamy:

55 reported bugs and no one has touched the project for 7 months.


As a long time developer, this is what I see when I peer behind the 
looking glass of OWASP's "flagship" code projects.

- Jim

On 3/28/14, 5:55 PM, Josh Sokol wrote:
> I tried to use ESAPI PHP for a project I was working on one time and 
> it was so horribly difficult to use that I gave up. I think that the 
> concept is awesome, but the implementation to date just sucks.  I also 
> considered using CSRFGuard for SimpleRisk, but ended up using a 
> different tool as it did inline page injection of nonces and was 
> lightyears ahead of the OWASP tool.  In general, I agree with you 
> Jim.  We either need to put the time and effort to make our products 
> stand out, or we need to become a catalog of where to go for 
> best-in-breed open source alternatives.  Maybe putting out a formal 
> Call for Project Leaders for the abandoned flagship projects would be 
> a good start?
> ~josh
> On Fri, Mar 28, 2014 at 4:46 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>     This makes me very sad.
>     _Flagship Code Projects_
>     * OWASP AntiSamy Project  <  Abandoned, had to pay someone to
>     update the wiki, not project leads. Roadmap is from 2011, no
>     updates, etc.
>     * OWASP Enterprise Security API <  Abandoned, wiki out of date,
>     old template, no code changes, we paid good money to have a
>     codeathon in NYC and got... nothing.
>     * OWASP CSRFGuard Project <  Somewhat being maintained, abandoned
>     by author but picked up by another leader, but is a horrific
>     design and only works on the most basic of websites. This is a bad
>     bad design for complex web 2.0 applications (since it uses
>     JavaScript to inject tokens into the DOM which is fraught with error).
>     * OWASP ModSecurity Core Rule Set Project <  Awesome updates, wiki
>     updated by project owner,
>     https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>     I've been helping manage several production quality, highly
>     scalable secure coding components (that were written by PhD level
>     software engineers) and I'm sad to see them still stuck in
>     incubator.  We also have projects like Dependency Check that are
>     incredibly fantastic tools, still stuck in incubator.
>     Samantha has been working hard on this, but every time I see our
>     project list it really upsets me because when dev folks really try
>     to use these components; it's so far from production quality that
>     it makes us look really bad. No wonder we can't really get
>     developers to be a part of our community or use our stuff.
>     I am sure I will get flack for this, but I stand by my opinions
>     that this is something that is critical to fix at OWASP. I was
>     recently trying to get a software company to be the first top tier
>     corporate sponsor, but as part of this, they looked at our
>     flagship projects and wiki, saw how crusty they both were, and
>     said "no way". Sad.
>     - Jim
