[Owasp-board] Flagship Code Products

Josh Sokol josh.sokol at owasp.org
Fri Mar 28 14:07:06 UTC 2014

I'm imagining you "hulk like angry" like the old skool game of Rampage and
it's pretty awesome.

To be fair, there are several other, bigger picture, reasons why I've
decided not to make SimpleRisk an OWASP project.  As a Board member I'm
held (and hold myself) to extra scrutiny and I don't feel comfortable
donating some of my code while withholding the other parts that I've deemed
"Enterprise functionality" for my paid-for SimpleRisk Extras.  And basing a
SaaS model off of an OWASP project feels kinda shady to me as well.  Maybe
this is a model that OWASP should consider supporting as it would
incentivize developers to bring their work to OWASP knowing that the extra
visibility can drive interest in their paid-for offerings, but I'm not
willing to let my name and reputation be the guinea pig for that trial.

Is there some way to focus the Google Summer of Code efforts on fixing the
bugs in the flagship projects to make them seaworthy again?  Could we maybe
figure out a way to assign point values and create a reward system to
incentivize independent developers to bring them up to snuff?  We need to
be realistic in that idealism and volunteerism will only get us so far in
fixing this problem and money is the thing that ultimately makes many
people get off their asses and do work.  I believe the OWASP Austin Chapter
is going to donate $10k of our chapter funds back to the OWASP Foundation.
Would it make sense to use that unexpected money toward this effort?


On Fri, Mar 28, 2014 at 8:01 AM, Jim Manico <jim.manico at owasp.org> wrote:

> I see code flagship projects as being
> Dependency Check
> OWASP HTML Sanitizer
> Maybe AntiSamy if they clean their bugs
> OWASP Java Encoder
> OWASP JSON Sanitizer
> THREE of these projects I am project manager of, I applied to get them
> reviewed last year and they are all still stuck in incubator stage. I'm
> miffed at best. There is so little benefit to doing all of this at OWASP I
> am inclined to shift them all to Apache where they will get real visibility
> and support. Josh once said he was not going to bring his project to OWASP
> and it made me HULK LIKE ANGRY but I finally see his point.
> - Jim
> On 3/28/14, 6:20 PM, Eoin Keary wrote:
> +1
> Flagships are IMHO
> Zap
> Testing guide
> Ciso
> Education/training
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 28 Mar 2014, at 09:46, Jim Manico <jim.manico at owasp.org> wrote:
> This makes me very sad.
> *Flagship Code Projects*
> * OWASP AntiSamy Project  <  Abandoned, had to pay someone to update the
> wiki, not project leads. Roadmap is from 2011, no updates, etc.
> * OWASP Enterprise Security API <  Abandoned, wiki out of date, old
> template, no code changes, we paid good money to have a codeathon in NYC
> and got... nothing.
> * OWASP CSRFGuard Project <  Somewhat being maintained, abandoned by author
> but picked up by other leaders, but is a horrific design and only works
> on the most basic of websites. This is a bad bad design for complex web 2.0
> applications (since it uses JavaScript to inject tokens into the DOM which
> is fraught with error).
> * OWASP ModSecurity Core Rule Set Project <  Awesome updates, wiki updated
> by project owner,
> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> I've been helping manage several production quality, highly scalable
> secure coding components (that were written by PhD level software
> engineers) and I'm sad to see them still stuck in incubator.  We also have
> projects like Dependency Check that are incredibly fantastic tools, still
> stuck in incubator.
> Samantha has been working hard on this, but every time I see our project
> list it really upsets me because when dev folks really try to use these
> components; it's so far from production quality that it makes us look
> really bad. No wonder we can't really get developers to be a part of our
> community or use our stuff.
> I am sure I will get flak for this, but I stand by my opinions that this
> is something that is critical to fix at OWASP. I was recently trying to get
> a software company to be the first top tier corporate sponsor, but as part
> of this, they looked at our flagship projects and wiki, saw how crusty they
> both were, and said "no way". Sad.
> - Jim
>  _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board