[Owasp-board] Flagship Code Products

Eoin Keary eoin.keary at owasp.org
Fri Mar 28 14:25:08 UTC 2014


Very generous of your chapter Josh.

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 28 Mar 2014, at 14:07, Josh Sokol <josh.sokol at owasp.org> wrote:

> I'm imagining you "hulk like angry" like the old skool game of Rampage and it's pretty awesome.
> 
> To be fair, there are several other, bigger picture, reasons why I've decided not to make SimpleRisk an OWASP project.  As a Board member I'm held (and hold myself) to extra scrutiny and I don't feel comfortable donating some of my code while withholding the other parts that I've deemed "Enterprise functionality" for my paid-for SimpleRisk Extras.  And basing a SaaS model off of an OWASP project feels kinda shady to me as well.  Maybe this is a model that OWASP should consider supporting as it would incentivize developers to bring their work to OWASP knowing that the extra visibility can drive interest in their paid-for offerings, but I'm not willing to let my name and reputation be the guinea pig for that trial.
> 
> Is there some way to focus the Google Summer of Code efforts on fixing the bugs in the flagship projects to make them seaworthy again?  Could we maybe figure out a way to assign point values and create a reward system to incentivize independent developers to bring them up to snuff?  We need to be realistic in that idealism and volunteerism will only get us so far in fixing this problem and money is the thing that ultimately makes many people get off their asses and do work.  I believe the OWASP Austin Chapter is going to donate $10k of our chapter funds back to the OWASP Foundation.  Would it make sense to use that unexpected money toward this effort?
> 
> ~josh
> 
> 
> On Fri, Mar 28, 2014 at 8:01 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> I see code flagship projects as being
>> 
>> Dependency Check
>> OWASP HTML Sanitizer
>> Maybe AntiSamy if they clean their bugs
>> OWASP Java Encoder 
>> OWASP JSON Sanitizer
>> 
>> THREE of these projects I am project manager of, I applied to get them reviewed last year and they are all still stuck in incubator stage. I'm miffed at best. There is so little benefit to doing all of this at OWASP I am inclined to shift them all to Apache where they will get real visibility and support. Josh once said he was not going to bring his project to OWASP and it made me HULK LIKE ANGRY but I finally see his point.
>> 
>> - Jim
>> 
>> 
>> On 3/28/14, 6:20 PM, Eoin Keary wrote:
>>> +1
>>> Flagships are IMHO
>>> Zap
>>> Testing guide
>>> Ciso
>>> SAMM
>>> Education/training
>>> 
>>> 
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>> 
>>> 
>>> On 28 Mar 2014, at 09:46, Jim Manico <jim.manico at owasp.org> wrote:
>>> 
>>>> This makes me very sad.
>>>> 
>>>> Flagship Code Projects
>>>> 
>>>> * OWASP AntiSamy Project  <  Abandoned, had to pay someone to update the wiki, not project leads. Roadmap is from 2011, no updates, etc.
>>>> 
>>>> * OWASP Enterprise Security API <  Abandoned, wiki out of date, old template, no code changes, we paid good money to have a codeathon in NYC and got... nothing.
>>>> 
>>>> * OWASP CSRFGuard Project <  Somewhat being maintained, abandoned by author but picked up by another leader, but is a horrific design and only works on the most basic of websites. This is a bad bad design for complex web 2.0 applications (since it uses JavaScript to inject tokens into the DOM which is fraught with error).
>>>> 
>>>> * OWASP ModSecurity Core Rule Set Project <  Awesome updates, wiki updated by project owner, https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>>> 
>>>> I've been helping manage several production quality, highly scalable secure coding components (that were written by PhD level software engineers) and I'm sad to see them still stuck in incubator.  We also have projects like Dependency Check that are incredibly fantastic tools, still stuck in incubator.
>>>> 
>>>> Samantha has been working hard on this, but every time I see our project list it really upsets me because when dev folks really try to use these components; it's so far from production quality that it makes us look really bad. No wonder we can't really get developers to be a part of our community or use our stuff.
>>>> 
>>>> I am sure I will get flack for this, but I stand by my opinions that this is something that is critical to fix at OWASP. I was recently trying to get a software company to be the first top tier corporate sponsor, but as part of this, they looked at our flagship projects and wiki, saw how crusty they both were, and said "no way". Sad.
>>>> 
>>>> - Jim
>>>> _______________________________________________
>>>> 
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board