[Owasp-leaders] New OWASP project

Lucas Ferreira lucas.ferreira at owasp.org
Tue Nov 1 07:58:44 EDT 2011


Sorry to come back again, but I have to correct that Google safe
browsing database IS available for download. Kudos to them.

Regards,

Lucas

On Tue, Nov 1, 2011 at 09:37, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
> Hello all,
>
> I'll hijack Michael's email to answer all previous emails in this
> thread. If I left anything out, please remind me and I'll do my best
> to provide a suitable answer.
>
> First, I also had doubts if this project would fit in OWASP. I then
> talked to some OWASPers and the conclusion was that it should be given
> a try. I then submitted the project proposal to the Global Projects
> Committee and it was approved.
>
> Second, I understand that this project is not directly linked to web
> or application security, but I think it could be used in web or
> application security tasks. As Dinis pointed out, there is the
> possibility of using the database to validate scripts or libraries in
> a convergence-inspired way. A web crawler could be used to check web
> pages and downloads, as pointed out by Christian.
>
> In any case, if the OWASP community thinks this project does not
> belong here, I can withdraw it. No problems with that at all. So far,
> opinions are divided, so I'd ask the Projects Committee to take care
> of this and warn me if the project needs to be taken off OWASP.
>
> Answering more specific concerns:
>
> Christian, the list of data sources for the projects database is not
> closed. If you know a good source of hash data of web-related files,
> please let me know and I'll manage to include them. Regarding
> including tripwire-like functionality, it can be done. We need to
> finish writing some code to allow users to upload data to the database
> and also a web crawler. I will post a roadmap soon. Regarding Google
> safe browsing, their approach is to work with URLs. We work with file
> contents. I think the approaches are complementary. The problem I see
> with Google is that their database is not open, as far as I know. Our
> database should be available to anyone to copy or query.
>
> Mark, I am aware of the MD5 collision attacks. That's why the project
> includes SHA-1 hashes too. Also, the use of both hashes combined seems
> beyond current attacks. Please note that the hashes are not stored
> with the files. Our database only includes the hashes. The process
> would be for someone to get the file, calculate the hashes and then
> check the hashes against the database.
>
> Well, thanks everyone for the attention and please excuse me if I
> caused any trouble.
>
> Regards,
>
> Lucas
>
> On Tue, Nov 1, 2011 at 02:48, Michael Coates <michael.coates at owasp.org> wrote:
>> This has been an interesting discussion and it's a good sign that the
>> community is weighing in with various viewpoints.
>>
>> I'd like to present a few thoughts for people to consider.
>> OWASP is built on top of a community of volunteers that are experts in their
>> respective fields. Our guides, tools, resources, outreach, conferences (and
>> more) are excellent because talented people have dedicated their time and
>> skills.
>> One of the great things that OWASP works towards is making OWASP a platform
>> that is easy for anyone to contribute their time and effort.  A model that
>> requires approval from a centralized body before a project could be started
>> would be a very different model than what we have now and one that I think
>> would diminish the successes of our community.
>> In the end, good ideas will flourish and attract more participation and also
>> more support from OWASP overall.  However, it's very hard to know what the
>> next great idea is unless we experiment with bright minds in a variety of
>> areas.
>> With that, I say best of luck to this new project and any others that are
>> in line with the principles of OWASP.
>>
>>
>>
>> --
>> Michael Coates
>> OWASP
>>
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>
> --
> Homo sapiens non urinat in ventum.
>



-- 
Homo sapiens non urinat in ventum.

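The check Lucas describes in the quoted reply (fetch a file, compute its MD5 and SHA-1, then look both up in a database that stores only hashes, never the files) as an added Python example; it is not code from the thread or from the OWASP project. The sample file contents and the database built from them are constructed here, and the "forged" entry simulates what an MD5-only match would look like.

```python
import hashlib
from typing import Dict, Tuple

HashPair = Tuple[str, str]  # (md5 hex digest, sha1 hex digest)


def file_hashes(data: bytes) -> HashPair:
    """Compute the (md5, sha1) hex digests of a file's raw contents."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


# Constructed sample files standing in for real web-related libraries.
SAMPLE_FILES: Dict[str, bytes] = {
    "sample-lib.min.js": b"/* constructed sample library */\nfunction f(){return 1;}\n",
    "sample-widget.js": b"document.write('<img src=\"http://example.invalid/w.gif\">');\n",
}


def build_database(files: Dict[str, bytes]) -> Dict[HashPair, str]:
    """Build the hash-only database: file contents are hashed, never stored."""
    return {file_hashes(data): name for name, data in files.items()}


def lookup(db: Dict[HashPair, str], data: bytes) -> str:
    """Classify a downloaded file against the database.

    Both digests must agree for a positive match. An MD5 match whose SHA-1
    differs is exactly the shape of an MD5 collision, so it is reported as
    suspicious rather than silently treated as known or unknown.
    """
    md5, sha1 = file_hashes(data)
    name = db.get((md5, sha1))
    if name is not None:
        return f"known: {name}"
    if any(known_md5 == md5 for known_md5, _ in db):
        return "suspicious: md5 matches a known file but sha1 does not"
    return "unknown"


if __name__ == "__main__":
    db = build_database(SAMPLE_FILES)
    for name, data in SAMPLE_FILES.items():
        print(name, "->", lookup(db, data))
    print("other ->", lookup(db, b"something never seen before\n"))
```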
