[Owasp-board] Higher standards for accepting OWASP projects especially defender library projects

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 20 18:09:57 UTC 2015


Hi Leaders,

There was a very interesting discussion regarding the OWASP PHPSEC library.

The issue brought up by some users of the library (Andrew Carter, James
Titcumb, Katy Ereira and Sven Rautenberg (a former contributor)) on the
github repository mailing list is that the library contains many security
issues.
It has not been maintained for more than a year and it should be taken
down from the OWASP Github repository.

https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768
https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572
https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769
https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384

They all presented quite strong arguments with code references that
the library, even though it is an incubator project, can mislead
potential users of the project into using it (which happened to them).
They feel OWASP has a responsibility to not allow these projects to be
under OWASP Github and to delete them.

While I argued that a lot of effort was put in by volunteers, which might
not have obtained the expected results, Andrew Carter argued back:

*Could you confirm to me that you consider the feelings of your volunteers
and contributors more important than the security of the applications
developed by people trusting the OWASP namespace?*

He presented a list of issues, and Sven, the former contributor, also agreed
that sadly the library should be taken down from Github, but also from the OWASP
inventory (to be set as inactive).

I cc Claudia so this can be taken up internally with the staff, as PHPSEC is
not the only inactive library under OWASP Github and it definitely needs a
clean up.

The point I want to bring up is that higher standards are definitely needed
to allow projects, but especially when these projects are 'security
libraries'.

Unfortunately, even though volunteers are making big efforts, I do agree
this is definitely not an excuse (as Andrew mentioned) to allow them when
people are trusting the OWASP name for security, even if it is an
incubator project.



Regards

Johanna