[Owasp-leaders] New OWASP project

Lucas Ferreira lucas.ferreira at owasp.org
Tue Nov 1 07:37:16 EDT 2011

Hello all,

I'll hijack Michael's email to answer all previous emails in this
thread. If I left anything out, please remind me and I'll do my best
to provide a suitable answer.

First, I also had doubts if this project would fit in OWASP. I then
talked to some OWASPers and the conclusion was that it should be given
a try. I then submitted the project proposal to the Global Projects
Committee and it was approved.

Second, I understand that this project is not directly linked to web
or application security, but I think it could be used in web or
application security tasks. As Dinis pointed out, there is the
possibility of using the database to validate scripts or libraries in
a convergence-inspired way. A web crawler could be used to check web
pages and downloads, as pointed by Christian.

In any case, if the OWASP community thinks this project does not
belong here, I can withdraw it. No problems with that at all. So far,
opinions are divided, so I'd ask the Projects Committee to take care
of this and warn me if the project needs to be taken off OWASP.

Answering more specific concerns:

Christian, the list of data sources for the projects database is not
closed. If you know a good source of hash data of web-related files,
please let me know and I'll manage to include them. Regarding
including tripwire-like functionality, it can be done. We need to
finish writing some code to allow users to upload data to the database
and also  a web crawler. I will post a roadmap soon. Regarding Google
safe browsing, their approach is to work with URLs. We work with file
contents. I think the approaches are complementary. The problem I see
with Google is that their database is not open, as far as I know. Our
database should be available to anyone to copy or query.

Mark, I am aware of the MD5 collision attacks. That's why the project
includes SHA-1 hashes too. Also, the use of both hashes combined seems
beyond current attacks. Please note that the hashes are not stored
with the files. Our database only includes the hashes. The process
would be for someone to get the file, calculate the hashes and then
check the hashes against the database.

Well, thanks everyone for the attention and please excuse me if I
caused any trouble.



On Tue, Nov 1, 2011 at 02:48, Michael Coates <michael.coates at owasp.org> wrote:
> This has been an interesting discussion and its a good sign that the
> community is weighing in with various view points.
> I'd like to present a few thoughts for people to consider.
> OWASP is built on top of a community of volunteers that are experts in their
> respective fields. Our guides, tools, resources, outreach, conferences (and
> more) are excellent because talented people have dedicated their time and
> skills.
> One of the great things that OWASP works towards is making OWASP a platform
> that is easy for anyone to contribute their time and effort.  A model that
> requires approval from a centralized body before a project could be started
> would be a very different model than what we have now and one that I think
> would diminish the successes of our community.
> In the end, good ideas will flourish and attract more participation and also
> more support from OWASP overall.  However, its very hard to know what the
> next great idea is unless we experiment with bright minds in a variety of
> areas.
> With that, I say best of luck to this new project and any others that are
> inline with the principles of OWASP.
> --
> Michael Coates
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Homo sapiens non urinat in ventum.

More information about the OWASP-Leaders mailing list