[Owasp-leaders] [Esapi-user] Call for review of crypto code
jim.manico at owasp.org
Fri Apr 30 11:48:45 EDT 2010
Mike - you might be right. I'm worried that your suggestions will
require an entire re-write of the current ESAPI encryptor and push out
a 2.0 production release for many months or more. But I could live
with that if it's the best path for our user community.
This is also why I am willing to pay for 3rd party review of our
encryptor reference implementation out of my own pocket. The project
is stalled and ESAPI is way too important to let money get in the way
of helping the world. We also need to be willing to hear that this
solution is the wrong direction.
PS: To all you large corporations who are using ESAPI quiety but are
not willing to chip in to pay for 3rd party professional guidance/
review of our crypto code? You cheap bastards... •grin• Seriously.
OWASP is a not-for-profit charitable organization which runs on a shoe-
string budget. If you want proof I'll send you our financial records
from 2009. At this point we need financial help for ESAPI in the
ballpark of 15k-20k - at least - to bring in the right kind of
objective crypto-master security reviewer to verify our Java encryptor
implementation and provide guidance on a future roadmap. This cost is
a trickle compared to the cost of building ESAPI from scratch - by a
•• Please contact me if you are one of the noble organizations or
individuals who believes in this mission enough to put your money were
your download of code is. I'm collecting a fund to assist in paying
for this review effort.
Kevin: If I had a dime for every minute I read your emails we would
have the budget we need. ;) So Kevin, can you post a request-for-quote
proposal of some kind (to both the dev and user list) so we can start
getting real bids on this review project? Thank you.
On Apr 30, 2010, at 5:29 AM, "Boberski, Michael [USA]" <boberski_michael at bah.com
> I do have one general comment that's basically just a reiteration of
> previous proposals to basically further wrap the crypto, it occurred
> to me again yesterday as I was reviewing existing documentation and
> working on consolidating and extending it in http://code.google.com/p/owasp-esapi-java/wiki/Welcome
> , if you look inside the ESAPI for Java distribution in "
> \ESAPI-2.0-rc6\documentation", the amount of documentation for
> Encryptor is much more than for any other control. (1)Other ESAPI
> controls aren't as hard to use, (except maybe the WAF which is a
> separate thread), and (2)none create proprietary (non-standards-
> based) outputs, for Encoders for example we code to e.g. MySQL
> specs, why don't we do something similar, like use PKCS#7 or CMS
> here. Also, why does ESAPI care how a crypto algorithm is
> implemented, I really don't think we want to try to stand behind
> algorithms, we're not the open crypto project, we're just a wrapper
> that uses things according to best practices, FIPS 140 or no for
> example. It's our use of algorithms and key management that we
> should solicit reviews of.
> Mike B.
More information about the OWASP-Leaders