[Owasp-board] [phpsec] confidentialString function uses hard-coded key (#108)

johanna curiel curiel johanna.curiel at owasp.org
Wed Nov 25 23:44:04 UTC 2015


@owaspjocur <https://github.com/owaspjocur> This project, in its current
state, is not ready. It hasn't had a release, nor any planned release date.
However it is actively being recommended as being an authoritative source
of best practice.

There are 11 contributors listed by Github. Now compare this to the scope
of the project: It has logging (seldaek/monolog has 218 contributors),
database abstraction (the Propel ORM has 96 contributors), MVC (the Laravel
framework has 299 contributors), and plenty of more stuff.

The initial approach is wrong: Instead of asserting that every other
library has unfixable security bugs, so the best solution is to write a
completely new library and framework with everything in it, the correct
solution would be to fix security bugs where they occur, and instead try to
concentrate on the things that others don't offer.

There are more than enough libraries with at least good code quality for
almost everything duplicated here - and with the added bonus of being
maintained by an active community.

As I said before: There are aspects of security that I do not find covered
elsewhere. They should be isolated and made into a smaller library,
applying accepted coding guidelines like the PSR-FIG recommendations
(especially PSR-2 and PSR-4), and being offered as a Composer package with
a documented release process.

Fixing the code instead of deleting would mean that there are developers
available and willing to do this work. I see nobody.
@SvenRtbg

I have passed this issue to the Board as they are the ones who make that
kind of decision, such as whether or not to take down source code found in
OWASP Github.



On Wed, Nov 25, 2015 at 7:40 PM, SvenRtbg <notifications at github.com> wrote:

> @owaspjocur <https://github.com/owaspjocur> This project, in its current
> state, is not ready. It hasn't had a release, nor any planned release date.
> However it is actively being recommended as being an authoritative source
> of best practice.
>
> There are 11 contributors listed by Github. Now compare this to the scope
> of the project: It has logging (seldaek/monolog has 218 contributors),
> database abstraction (the Propel ORM has 96 contributors), MVC (the Laravel
> framework has 299 contributors), and plenty of more stuff.
>
> The initial approach is wrong: Instead of asserting that every other
> library has unfixable security bugs, so the best solution is to write a
> completely new library and framework with everything in it, the correct
> solution would be to fix security bugs where they occur, and instead try to
> concentrate on the things that others don't offer.
>
> There are more than enough libraries with at least good code quality for
> almost everything duplicated here - and with the added bonus of being
> maintained by an active community.
>
> As I said before: There are aspects of security that I do not find covered
> elsewhere. They should be isolated and made into a smaller library,
> applying accepted coding guidelines like the PSR-FIG recommendations
> (especially PSR-2 and PSR-4), and being offered as a Composer package with
> a documented release process.
>
> Fixing the code instead of deleting would mean that there are developers
> available and willing to do this work. I see nobody.
>
>> Reply to this email directly or view it on GitHub
> <https://github.com/OWASP/phpsec/issues/108#issuecomment-159755887>.
>

