[Owasp-leaders] Fwd: Getting in touch with the leader ?

Chris Schmidt chris.schmidt at owasp.org
Thu Mar 28 19:19:27 UTC 2013


I feel a more constructive approach to most of these issues is to propose
them in a way that is non-confrontational and proposes solutions.

1) The singleton pattern, while a valid approach to solve some problems, is
overused in the ESAPI project - perhaps adding an option, as Spring
Framework does, to enable the singleton pattern over a default Flyweight
or Factory pattern would be a better approach to object distribution in
ESAPI.

2) There are quite a few open bugs in the ESAPI project that *I* feel are
important - so I have up voted and commented on them with potential ideas
that could help resolve the problems.

3) I noticed that there hasn't been a lot of commit activity on the
project since last July - I feel this is an important project so I have
leveraged my voice as a prominent member of the OWASP community to see if
I can get some additional volunteers to help you guys address the issues
that I mentioned above.

We are an open organization of volunteers and there are a lot of projects
under the OWASP umbrella, there are a select few of us who champion the
OWASP projects' cause and we are all busy individuals. Calling anyone's baby
ugly and not providing constructive feedback for a project within our own
organization only hurts our common mission and as such I think it is
important that we all self-moderate our comments with regards to any OWASP
project. Healthy debate is healthy and I (and most others within the
organization that I have had the pleasure of meeting and/or working with)
openly and warmly accept any and all feedback, but when it is constructive
and meaningful it helps all of us.

Further, there is an appropriate channel for this conversation and I don't
feel that channel is the leaders list. Sebastian asked a valid question
after not getting a response on the ESAPI dev list, and answering his
question then taking this conversation to the dev list would have been the
appropriate move.

I currently wear the mantle of ESAPI leadership and one of my
responsibilities as the leader for one of the most visible OWASP projects
is to be aware of how I am performing my own job. I will happily
relinquish my leadership role if anyone feels that I am not adequately
filling the role and will continue to contribute to the project because I
believe in the mission of ESAPI. Remember just because you may not see the
work going on doesn't mean that work isn't happening. As I said in other
messages - ESAPI is a large and very visible project and making rash
decisions that introduce incompatibilities will not help anyone -
compounded with the fact that we (Kevin and I) are both working on this
while very busy with other responsibilities means that change may not be
happening as quickly as anyone may like it to - but it is happening.

I will happily continue this conversation in the appropriate channel if
you would like to further discuss it and anyone is welcome to join in to
the conversation on the ESAPI-Dev mailing list if they have ideas,
opinions, or comments in general. Let's keep conversation on the leaders
list on topic for the leaders list.

</soapbox>



On 3/28/13 12:32 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

>Chris,
>
>I agree that ESAPI is not dead, and I'm eager to see you and others
>return to actively working on the project.
>
>But I do objectively feel that it's not a release quality project and I
>no longer recommend that organizations use it. I think it's a great
>research project, but other projects trump ESAPI in terms of quality and
>activity like I mentioned earlier.
>
>1) The singleton is a fundamental design flaw and needs to be removed
>2) The project has a large number of active bugs, many of these are VERY
>significant https://code.google.com/p/owasp-esapi-java/issues/list
>3) There has not been major coding activity on ESAPI for Java since July
>2012.
>
>When these things change, I'll change my tune.
>
>- Jim
>
>> Sebastian and all -
>> 
>> While we try to monitor what is happening on the list all the time,
>>understandably we all get busy from time to time. That being said, the
>>ESAPI project is far from dead. Sebastian, feel free to contact Jeff and
>>myself off-list and we would be more than happy to address any questions
>>that you have! Thanks!
>> 
>> ~Chris
>> 
>> From: Samantha Groves <samantha.groves at owasp.org>
>> Date: Thursday, March 28, 2013 11:10 AM
>> To: Konstantinos Papapanagiotou <Konstantinos at owasp.org>
>> Cc: "spyrosgaster at gmail.com" <spyrosgaster at gmail.com>, Leaders
>><owasp-leaders at lists.owasp.org>
>> Subject: Re: [Owasp-leaders] Fwd: Getting in touch with the leader ?
>> 
>> Agreed.
>> 
>> Can I get a list of names of the individuals actively contributing to
>>this project? I need to update our records.
>> 
>> Additionally, I need someone to volunteer to manage requests and
>>questions that come into the ESAPI mailing list. Please message me if
>>you are interested. This person will be responsible for answering
>>questions, and liaising between contributors and the community.
>> 
>> Thank you, Leaders.
>> 
>> Sam G.
>> 
>> On Thu, Mar 28, 2013 at 4:47 PM, Konstantinos Papapanagiotou
>><Konstantinos at owasp.org> wrote:
>> All,
>> 
>> Spyros (cc-ed as he's not on the leaders list) is also already working
>>on an ESAPI for PHP rewrite and actually a few days ago also tried to
>>get in touch with someone on the ESAPI mailing lists.
>> Since apparently people are working on it we should have some kind of
>>co-ordination.
>> 
>> Kostas
>> 
>> 
>> On Thursday, March 28, 2013, Abbas Naderi wrote:
>> Hello
>> We're doing some PHP security project, which would hopefully result in
>>a rewrite of ESAPI. The current ESAPI PHP is 100% against PHP
>>programming values.
>> Thanks
>> -Abbas
>> On 8 Farvardin 1392, at 17:47, Samantha Groves
>><samantha.groves at owasp.org> wrote:
>> 
>> Hello All,
>> 
>> Chris Schmidt & Kevin Wall are both co-leading this project at the
>>moment. A few months ago, we put together a proposal for funding from
>>the DHS that included a management and technical management roadmap that
>>we submitted for funding. We have been waiting for a decision.
>> 
>> I have just gotten word from DHS that funding for their programs has
>>now been approved for 2013. The last I heard is that our ESAPI Project
>>proposal was in round two of reviews. In answer to your questions, ESAPI
>>is not dead, we were just placed at a halt after our proposal was
>>submitted to DHS.
>> 
>> I hope this clears things up. Let me know if you have questions,
>>concerns, etc.
>> 
>> Cheers now, All.
>> 
>> SG
>> 
>> On Thu, Mar 28, 2013 at 11:27 AM, vanderaj vanderaj
>><vanderaj at owasp.org> wrote:
>> I thought that Chris Schmidt had taken over the helm of ESAPI?
>> 
>> thanks,
>> Andrew
>> 
>> 
>> On Thu, Mar 28, 2013 at 9:11 PM, Sebastien Gioria
>><sebastien.gioria at owasp.org> wrote:
>> No news from anyone ? Is ESAPI dev definitively dead ?
>> 
>> I'm in touch with a new potential big corporate member who has
>> integrated ESAPI in his product and has a problem. Any value for them
>> before making their membership could be the OWASP capacity to be in
>> touch with the leader of the ESAPI Java.
>> 
>> We (France) are in touch with them to host the First OWASP France Day
>> and many other opportunities.
>> 
>> It's really a big reference for OWASP if we have it.
>> 
>> Thanks.
>> 
>> 
>> ---------- Forwarded message ----------
>> From: Sebastien Gioria <sebastien.gioria at owasp.org>
>> Date: 2013/3/26
>> Subject: Getting in touch with the leader ?
>> To: owasp-esapi-dev <owasp-esapi-dev at owasp.org>
>> Cc : Jeff Williams <jeff.williams at owasp.org>
>> 
>> 
>> Hi guys,
>> 
>> I'm not sure Jeff is always the leader of the JavaEE ESAPI project,
>> and I need to be in touch with the leader of the project for some
>> related presentations and experiences exchange with a big French
>> company.
>> 
>> Thanks in advance
>> 
>> 
>> --
>> OWASP French Chapter Leader
>> GSM: +33 6 70 59 11 44
>> 
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
>> --
>> 
>> Samantha Groves, MBA
>> 
>> OWASP Project Manager
>> 
>> 
>> The OWASP Foundation
>> 
>> Lisbon, Portugal
>> 
>> Email: samantha.groves at owasp.org
>> 
>> Skype: samanthahz
>> 