[Owasp-board] Flagship Code Products

Jim Manico jim.manico at owasp.org
Fri Mar 28 13:01:10 UTC 2014

I see code flagship projects as being

Dependency Check
OWASP HTML Sanitizer
Maybe AntiSamy if they clean their bugs
OWASP Java Encoder
OWASP JSON Sanitizer

THREE of these projects I am project manager of, I applied to get them 
reviewed last year and they are all still stuck in incubator stage. I'm 
miffed at best. There is so little benefit to doing all of this at OWASP 
I am inclined to shift them all to Apache where they will get real 
visibility and support. Josh once said he was not going to bring his 
project to OWASP and it made me HULK LIKE ANGRY but I finally see his point.

- Jim

On 3/28/14, 6:20 PM, Eoin Keary wrote:
> +1
> Flagships are IMHO
> Zap
> Testing guide
> Ciso
> Education/training
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 28 Mar 2014, at 09:46, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>> This makes me very sad.
>> _Flagship Code Projects_
>> * OWASP AntiSamy Project  <  Abandoned, had to pay someone to update 
>> the wiki, not project leads. Roadmap is from 2011, no updates, etc.
>> * OWASP Enterprise Security API <  Abandoned, wiki out of date, old 
>> template, no code changes, we paid good money to have a codeathon in 
>> NYC and got... nothing.
>> * WASP CSRFGuard Project <  Somewhat being maintained, abandoned by 
>> author but picked up by another leaders, but is a horrific design and 
>> only works on the most basic of websites. This is a bad bad design 
>> for complex web 2.0 applications (since it uses JavaScript to inject 
>> tokes into the DOM which is fraught with error).
>> * OWASP ModSecurity Core Rule Set Project <  Awesome updates, wiki 
>> updated by project owner, 
>> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>> I've been helping manage several production quality, highly scalable 
>> secure coding components (that were written by PhD level software 
>> engineers) and I'm sad to see them still stuck in incubator.  We also 
>> have projects like Dependency Check that are incredibly fantastic 
>> tools, still stuck in incubator.
>> Samantha has been working hard on this, but every time I see our 
>> project list it really upsets me because when dev folks really try to 
>> use these components; it's so far from production quality that it 
>> makes us look really bad. No wonder we can't really get developers to 
>> be a part of our community or use our stuff.
>> I am sure I will get flack for this, but I stand by my opinions that 
>> this is something that is critical to fix at OWASP. I was recently 
>> trying to get a software company to be the first top tier corporate 
>> sponsor, but as part of this, they looked at our flagship projects 
>> and wiki, saw how crusty they both were, and said "no way". Sad.
>> - Jim
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140328/12ad20bf/attachment.html>

More information about the Owasp-board mailing list