[Owasp-leaders] Fwd: Getting in touch with the leader ?

Dinis Cruz dinis.cruz at owasp.org
Thu May 16 11:36:03 UTC 2013


Easy there Chris, Jim is making valid points and although I am a big fan of
the ESAPI concept (and have written about it
here <http://blog.diniscruz.com/2010/01/couple-more-comments-on-esapi-and.html>,
here <http://blog.diniscruz.com/2011/06/estapi-idea.html> and
here <http://blog.diniscruz.com/2010/01/recommending-esapi.html>)
it is not as healthy as it was a while back.

As a fellow OWASP leader that is also working hard on an OWASP project, it
is our job to accept and understand the comments made about our
efforts/projects.

Like I have already mentioned before, I'm jealous of the criticism that
ESAPI gets, because it means that people care about it :)

In the O2 Platform, even after 192 blog
posts <http://blog.diniscruz.com/search/label/O2%20Platform> and
a gazillion innovations, I'm still mainly at the stage of *'...
interesting ... but I have no idea how to use it? btw where is
the documentation'* :)

In fact, I'm even trying to contribute to ESAPI and AppSensor, since last
month (with Colin) I was able to consume ESAPI from O2. See First execution
of ESAPI.jar Encoder methods from O2's C#
REPL <http://blog.diniscruz.com/2013/05/first-execution-of-easpijar-encoder.html>
which is a follow-up from my previous attempt: Loading OWASP ESAPI jar and
its dependencies from C# (using
jni4net) <http://blog.diniscruz.com/2013/03/loading-owasp-esapi-jar-and-its.html>


ESAPI is in a hard position and needs help/focus, and I don't think that
blaming Jim for voicing his opinion (which I share) is the right way about
it. In fact, Chris, I would recommend that one of your personal goals for
ESAPI in 2013 is to change Jim's mind and get him to recommend ESAPI again
(and I remember going back a couple of years when Jim was the BIGGEST ESAPI
FAN in the world, and I got into a lot of trouble by voicing my concerns about
ESAPI)

We need more comments and honest feedback at OWASP, that is the only way
our projects will grow.

And yes, the O2 Platform still sucks in a lot of ways, but (slowly) there are
more users actually using it, and I am able to do things with it that I
couldn't do a year ago (for example Downloading the entire NuGet package
database <http://blog.diniscruz.com/2013/05/downloading-entire-nuget-package.html>
or (grab
a coffee first) Using AST to programmatically create a Proxy class for a
WSDL webservice (in this case HacmeBank and Checkmarx
ASMX) <http://blog.diniscruz.com/2013/05/grab-coffee-first-using-ast-to.html>
or GUI with WebStorm and JsTestDriver controlling 3 Hijacked Browser
windows (Chrome, Firefox and
IE) <http://blog.diniscruz.com/2013/01/gui-with-webstorm-controlling-3.html>
), so I know that O2 is going in the right direction :)

It's just a long and (mostly) lonely road :)

Dinis


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 28 March 2013 19:19, Chris Schmidt <chris.schmidt at owasp.org> wrote:

> I feel a more constructive approach to most of these issues is to propose
> them in a way that is non-confrontational and proposes solutions.
>
> 1) The singleton pattern, while a valid approach to solve some problems is
> overused in the ESAPI project - perhaps adding an option, as Spring
> Framework does, to enable the singleton pattern over a default Flyweight
> or Factory pattern would be a better approach to object distribution in
> ESAPI.
>
> 2) There are quite a few open bugs in the ESAPI project that *I* feel are
> important - so I have up voted and commented on them with potential ideas
> that could help resolve the problems.
>
> 3) I noticed that there hasn't been a lot of commit activity on the
> project since last July - I feel this is an important project so I have
> leveraged my voice as a prominent member of the OWASP community to see if
> I can get some additional volunteers to help you guys address the issues
> that I mentioned above.
>
> We are an open organization of volunteers and there are a lot of projects
> under the OWASP umbrella, there are a select few of us who champion the
> OWASP projects cause and we are all busy individuals. Calling anyone's baby
> ugly and not providing constructive feedback for a project within our own
> organization only hurts our common mission and as such I think it is
> important that we all self-moderate our comments with regards to any OWASP
> project. Healthy debate is healthy and I (and most others within the
> organization that I have had the pleasure of meeting and/or working with)
> openly and warmly accept any and all feedback, but when it is constructive
> and meaningful it helps all of us.
>
> Further, there is an appropriate channel for this conversation and I don't
> feel that channel is the leaders list. Sebastian asked a valid question
> after not getting a response on the ESAPI dev list, and answering his
> question then taking this conversation to the dev list would have been the
> appropriate move.
>
> I currently wear the mantle of ESAPI leadership and one of my
> responsibilities as the leader for one of the most visible OWASP projects
> is to be aware of how I am performing my own job. I will happily
> relinquish my leadership role if anyone feels that I am not adequately
> filling the role and will continue to contribute to the project because I
> believe in the mission of ESAPI. Remember just because you may not see the
> work going on doesn't mean that work isn't happening. As I said in other
> messages - ESAPI is a large and very visible project and making rash
> decisions that introduce incompatibilities will not help anyone -
> compounded with the fact that we (Kevin and I) are both working on this
> while very busy with other responsibilities means that change may not be
> happening as quickly as anyone may like it to - but it is happening.
>
> I will happily continue this conversation in the appropriate channel if
> you would like to further discuss it and anyone is welcome to join in to
> the conversation on the ESAPI-Dev mailing list if they have ideas,
> opinions, or comments in general. Let's keep conversation on the leaders
> list on topic for the leaders list.
>
> </soapbox>
>
>
>
> On 3/28/13 12:32 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>
> >Chris,
> >
> >I agree that ESAPI is not dead, and I'm eager to see you and others
> >return to actively working on the project.
> >
> >But I do objectively feel that it's not a release quality project and I
> >no longer recommend that organizations use it. I think it's a great
> >research project, but other projects trump ESAPI in terms of quality and
> >activity like I mentioned earlier.
> >
> >1) The singleton is a fundamental design flaw and needs to be removed
> >2) The project has a large number of active bugs, many of these are VERY
> >significant https://code.google.com/p/owasp-esapi-java/issues/list
> >3) There has not been major coding activity on ESAPI for Java since July
> >2012.
> >
> >When these things change, I'll change my tune.
> >
> >- Jim
> >
> >> Sebastian and all -
> >>
> >> While we try to monitor what is happening on the list all the time,
> >>understandably we all get busy from time to time. That being said, the
> >>ESAPI project is far from dead. Sebastian, feel free to contact Jeff and
> >>myself off-list and we would be more than happy to address any questions
> >>that you have! Thanks!
> >>
> >> ~Chris
> >>
> >> From: Samantha Groves <samantha.groves at owasp.org>
> >> Date: Thursday, March 28, 2013 11:10 AM
> >> To: Konstantinos Papapanagiotou <Konstantinos at owasp.org>
> >> Cc: "spyrosgaster at gmail.com" <spyrosgaster at gmail.com>, Leaders
> >><owasp-leaders at lists.owasp.org>
> >> Subject: Re: [Owasp-leaders] Fwd: Getting in touch with the leader ?
> >>
> >> Agreed.
> >>
> >> Can I get a list of names of the individuals actively contributing to
> >>this project? I need to update our records.
> >>
> >> Additionally, I need someone to volunteer to manage requests and
> >>questions that come into the ESAPI mailing list. Please message me if
> >>you are interested. This person will be responsible for answering
> >>questions, and liaising between contributors and the community.
> >>
> >> Thank you, Leaders.
> >>
> >> Sam G.
> >>
> >> On Thu, Mar 28, 2013 at 4:47 PM, Konstantinos Papapanagiotou
> >><Konstantinos at owasp.org> wrote:
> >> All,
> >>
> >> Spyros (cc-ed as he's not on the leaders list) is also already working
> >>on an ESAPI for PHP rewrite and actually a few days ago also tried to
> >>get in touch with someone on the ESAPI mailing lists.
> >> Since apparently people are working on it we should have some kind of
> >>co-ordination.
> >>
> >> Kostas
> >>
> >>
> >> On Thursday, March 28, 2013, Abbas Naderi wrote:
> >> Hello
> >> We're doing some PHP security project, which would hopefully result in
> >>a rewrite of ESAPI. The current ESAPI PHP is 100% against PHP
> >>programming values.
> >> Thanks
> >> -Abbas
> >> On 8 Farvardin 1392, at 17:47, Samantha Groves
> >><samantha.groves at owasp.org> wrote:
> >>
> >> Hello All,
> >>
> >> Chris Schmidt & Kevin Wall are both co-leading this project at the
> >>moment. A few months ago, we put together a proposal for funding from
> >>the DHS that included a management and technical management roadmap that
> >>we submitted for funding. We have been waiting for a decision.
> >>
> >> I have just gotten word from DHS that funding for their programs has
> >>now been approved for 2013. The last I heard is that our ESAPI Project
> >>proposal was in round two of reviews. In answer to your questions, ESAPI
> >>is not dead, we were just placed at a halt after our proposal was
> >>submitted to DHS.
> >>
> >> I hope this clears things up. Let me know if you have questions,
> >>concerns, etc.
> >>
> >> Cheers now, All.
> >>
> >> SG
> >>
> >> On Thu, Mar 28, 2013 at 11:27 AM, vanderaj vanderaj
> >><vanderaj at owasp.org> wrote:
> >> I thought that Chris Schmidt had taken over the helm of ESAPI?
> >>
> >> thanks,
> >> Andrew
> >>
> >>
> >> On Thu, Mar 28, 2013 at 9:11 PM, Sebastien Gioria
> >><sebastien.gioria at owasp.org> wrote:
> >> No news from anyone? Is ESAPI dev definitively dead?
> >>
> >> I'm in touch with a new potential big corporate member who has
> >> integrated ESAPI in their product and has a problem. Any value for them
> >> before making their membership could be the OWASP capacity to be in
> >> touch with the leader of the ESAPI Java.
> >>
> >> We (France) are in touch with them to host the First OWASP France Day
> >> and many more other opportunities.
> >>
> >> It's really a big reference for OWASP if we have it.
> >>
> >> Thanks.
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From: Sebastien Gioria <sebastien.gioria at owasp.org>
> >> Date: 2013/3/26
> >> Subject: Getting in touch with the leader ?
> >> To: owasp-esapi-dev <owasp-esapi-dev at owasp.org>
> >> Cc: Jeff Williams <jeff.williams at owasp.org>
> >>
> >>
> >> Hi guys,
> >>
> >> I'm not sure Jeff is still the leader of the JavaEE ESAPI project,
> >> and I need to be in touch with the leader of the project for some
> >> related presentations and experience exchange with a big French
> >> company.
> >>
> >> Thanks in advance
> >>
> >>
> >> --
> >> OWASP French Chapter Leader
> >> GSM: +33 6 70 59 11 44
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Samantha Groves, MBA
> >> OWASP Project Manager
> >>
> >> The OWASP Foundation
> >>
> >>
> >
>
>