[Owasp-leaders] Solutions

Jerry Hoff jerry at jerryhoff.net
Wed Jan 19 11:30:17 EST 2011

Hi All,

I also had a few questions on this:

>>6) ESAPI, CSRFGuard, AntiSamy and other key "builder" projects get
full-time technical resources to drive the projects to production
quality (in terms of docs, too)

Documentation is definitely a good thing, but I think what's really holding
back most of these projects from more universal adoption is lack of paid
support.  I've suggested the use of all three of these libraries above to
clients - large clients have one question - can we get paid support?  They
would not even entertain the idea of using these tools on their critical
applications without someone they can call for a fix if the tools mess
things up down the road.

Of course, they use other open source tools as well (apache, log4j, etc...)
- but those projects usually have voluminous documentation and a large
community of developers and users.  We have dedicated developers working on
this (for Java ESAPI at least - some of the other ESAPIs seem a bit
abandoned...) , and we have a mailing list for ESAPI, but for many large
corporations, that's not going to be enough.   They want paid support, which
is not something owasp can offer, i believe.

If OWASP was going to invest in full timers, I think it would be more
beneficial to have technical writers buffing out articles (a noticeable
percentage of articles have quite a few TBDs, and the developer's guide 2.0
- a cornerstone project - apparently hasn't been updated since March 25,
2010 (according to the it's Google Code repository:
http://code.google.com/p/owasp-development-guide/wiki/Guide - apologies if
it's being updated offline).  That puppy should be updated weekly to reflect
the ever growing repository of collective appsec knowledge.

So more than tools - people come to OWASP for guidance - and the documented
guidance should be in better shape.   That's how you'll win more hearts and

Jerry Hoff

On Wed, Jan 19, 2011 at 11:51 PM, James McGovern <JMcGovern at virtusa.com>wrote:

> A few questions/thoughts
> 1. If OWASP increases the amount of full-time employees in order to
> support projects, how much more dollars would we have to take in on an
> annual basis?
> 2. Since OWASP is incorporated in the United States, would there be
> extra challenges in having employees who aren't US authorized workers?
> 3. Why would we limit our thinking to just technical staff? I am of the
> belief that it would be actually better to have dedicated PR in order to
> help spread the word as first course of action
> James McGovern
> http://twitter.com/McGovernTheory
> Virtusa Corporation
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Monday, January 17, 2011 9:45 PM
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] Solutions
> I received a few off-list emails in support of some of my last few
> emails to the leaders list. However...
> I really need to stop my OWASP-attacking emails, especially when
> I'm not presenting clear solutions.
> So I would like to take a moment to share my future vision of OWASP with
> you. This is just one mans subjective opinion. I hope this is good
> "grist for the mill" in prep for the summit.
> 1) OWASP Board focuses primarily on fundraising
> 2) We hire new full time technical staff members working for OWASP
> 3) We have a smaller number of projects with a higher level of
> commitment to production quality (Focus, Daniel-san)
> 4) Quarterly updates of key standard-based projects (ASVS and other
> OWASP emerging standards)
> 5) New website with clear paths for Developers, Assessment Specialists,
> and Managers (Under way)
> 6) ESAPI, CSRFGuard, AntiSamy and other key "builder" projects get
> full-time technical resources to drive the projects to production
> quality (in terms of docs, too)
> 7) OWASP releases objective tool studies on a bi-yearly basis. I think
> we are well situated to provide advice and analysis (as well as real
> metrics) on the capabilities of different SAST/DAST products (if we had
> full time dedicated resources)
> Please note, I hope to achieve "eccentric millionaire" status in a few
> years so I can help fund all of this. I have the "eccentric" part down.
> I'm working on the other half now. :)
> Cheers all. Looking forward to seeing you at the summit in Portugal.
> - Jim
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> Virtusa was recently ranked and featured in 2010 Deloitte Technology Fast
> 500, 2010 Global Services 100, IAOP's 2010 Global Outsourcing 100 sub-list
> and 2010 FinTech 100 among others.
> ---------------------------------------------------------------------------------------------
> This message, including any attachments, contains confidential information
> intended for a specific individual and purpose, and is intended for the
> addressee only. Any unauthorized disclosure, use, dissemination, copying, or
> distribution of this message or any of its attachments or the information
> contained in this e-mail, or the taking of any action based on it, is
> strictly prohibited. If you are not the intended recipient, please notify
> the sender immediately by return e-mail and delete this message.
> ---------------------------------------------------------------------------------------------
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20110120/29f29ff3/attachment-0001.html 

More information about the OWASP-Leaders mailing list