[Owasp-board] [Owasp-leaders] NIST, the NSA and fun with crypto reviews
johanna curiel curiel
johanna.curiel at owasp.org
Sun May 31 03:53:40 UTC 2015
The SWAMP is not a project from the Department of Homeland Security; this
initiative is funded by this organization. It is a project from the
University of Wisconsin.
I'm using this to run assessments and builds to check the quality of our
projects; it is free and it works very well for this purpose.
I'm a volunteer and my major goal is to help maintain a healthy level of
quality and support for OWASP projects. These kinds of tools help us to
automate this; this is the reason for using them.
I just hope this clarifies your point of view regarding how I use SWAMP
for quality assurance and testing.
On Saturday, May 30, 2015, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
> I would like to call you out on this too
> https://www.owasp.org/index.php/SWAMP_OWASP since this is OWASP
> supporting the Department of Homeland Security :)
> I would like OWASP to reconsider the recent offer from RSA Conference
> in view of my recent correspondence i.e.
> Otherwise, this is unfair and completely biased for OWASP to support one
> but not the other who has been proven beyond a reasonable doubt to be
> On Sun, Sep 15, 2013 at 10:28 AM, Wong Onn Chee <ocwong at usa.net> wrote:
> > FYI, folks.
> > Best Regards
> > Onn Chee
> > "I say all security vulnerabilities are software-based. Prove me wrong
> if you dare"
> > -------- Original Message --------
> > Subject: [Owasp-leaders] NIST, the NSA and fun with crypto reviews
> > Date: Sat, 14 Sep 2013 19:28:01 -0400
> > From: Jim Manico
> > I am personally aborting NIST standards when I can.
> > From AES -> Serpent and Twofish
> http://en.wikipedia.org/wiki/Serpent_(cipher) and
> > From SHA -> Whirlpool
> > And as for the NSA subverting crypto standards, take a look at our own
> experience at the ESAPI for Java project.
> > Back in June 2010 the NSA graciously agreed to review the crypto of the
> ESAPI for Java project:
> >> [Esapi-dev] NSA to perform ESAPI review
> >> http://lists.owasp.org/pipermail/esapi-dev/2010-June/000816.html
> > They made a few suggestions to make it "stronger" but otherwise validated
> our implementation.
> > Now flash forward to this month.
> >> [Esapi-dev] ESAPI Java and Authenticated encryption implementation
> >> http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html
> > They did not add anything that was malicious, but Ooops! they missed
> something important.
> > This has been fixed, however.
> >> [Esapi-dev] Crypto and the "ESAPI for Java" release 2.1.0
> >> http://lists.owasp.org/pipermail/esapi-dev/2013-September/002291.html
> > We live in interesting times.
> > Aloha,
> > Jim
> >> FYI: From NY Times <http://j.mp/1degxpA>:
> >>> Cryptographers have long suspected that the [NSA] planted
> >>> in a standard adopted in 2006 by the National Institute of Standards
> >>> Technology and later by the International Organization for
> >>> which has 163 countries as members.
> >> Note that I am explicitly not stating an opinion, just forwarding
> >> potentially related information.
> >> On Fri, Sep 13, 2013 at 3:02 PM, Bev Corwin wrote:
> >>> NIST seeks early adopters of draft cybersecurity framework
> >>> Bev
> Christian Heinrich