[Owasp-leaders] Fwd: Getting in touch with the leader ?

vanderaj vanderaj vanderaj at owasp.org
Thu May 16 12:41:31 UTC 2013


Dinis,

I know what you mean about the lack of O2 feedback. So I'm going to
give you a tiny bit, and hopefully it will help rather than hinder the
discussion.

I think the main constructive criticism I can help you with for O2 is
the UX is almost certainly best represented as "Dinis Cruz's best
13487 ideas in a single app with a fair few extra options just to make
sure they are there, plus magic lemur juice".

O2 could really do with some community, particularly to untangle the
hot mess that is the UI. I watched a few of the videos, tried it a
couple of times over the last couple of years when I've had .NET code
reviews, and honestly, I am moderately sure it can do what I am asking
of it if only I knew what I'm supposed to do, but I find it's utterly
impenetrable. I bet many more do too, but I'm not sure many have tried
it as it's plain scary on first boot.

Can I humbly suggest that you work with some folks who can work with
you to edit the feature set into progressive disclosure, put some
metrics into it to work out some (simpler) common workflows, and
somehow (and I'm not sure this is possible) simplify the use of the
tool so that mere mortals can use, say, the 20% of the product that
would be used 80% of the time? There's a fine, powerful product hiding
in there somewhere.

Lastly, you're one of the very few in our OWASP community who likes,
develops, and uses Microsoft platforms. That platform is a critical
commercial niche, but I doubt more than a handful of us could
participate in developing O2 unless it could be made to run under Mono
as well. Is there any chance of that?

thanks,
Andrew

On Thu, May 16, 2013 at 9:36 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
> easy there Chris, Jim is making valid points and although I am a big fan of
> the ESAPI concept (and have written about it here,  here and here) it is not
> as healthy as it was a while back.
>
> As a fellow OWASP leader that is also working hard on an OWASP project, it
> is our job to accept and understand the comments made about our
> efforts/projects.
>
> Like I have already mentioned before, I'm jealous about the criticism that
> ESAPI gets, because it means that people care about it :)
>
> In the O2 Platform, even after 192 blog posts and a gazillion of innovations,
> I'm still mainly at the stage of '... interesting ... but I have no idea
> how to use it? btw where is the documentation' :)
>
> In fact, I'm even trying to contribute to ESAPI and AppSensor since last
> month (with Colin) I was able to consume ESAPI from O2. See First execution
> of ESAPI.jar Encoder methods from O2's C# REPL  which is a follow-up from my
> previous attempt: Loading OWASP ESAPI jar and its dependencies from C#
> (using jni4net)
>
> ESAPI is in a hard position and needs help/focus, and I don't think that
> blaming Jim for voicing his opinion (which I share) is the right way about
> it. In fact, Chris, I would recommend that one of your personal goals for
> ESAPI in 2013 is to change Jim's mind and get him to recommend ESAPI again
> (and I remember going back a couple years when Jim was the BIGGEST ESAPI FAN
> in the world, and I got into a lot of trouble by voicing my concerns about
> ESAPI)
>
> We need more comments and honest feedback at OWASP, that is the only way our
> projects will grow.
>
> And yes, the O2 Platform still sucks in a lot of ways, but (slowly) there are
> more users actually using it, and I am able to do things with it that I
> couldn't do a year ago (for example Downloading the entire NuGet package
> database or (grab a coffee first) Using AST to programmatically create a
> Proxy class for a WSDL webservice (in this case HacmeBank and Checkmarx
> ASMX) or GUI with WebStorm and JsTestDriver controlling 3 Hijacked Browser
> windows (Chrome, Firefox and IE)), so I know that O2 is going in the right
> direction :)
>
> It's just a long and (mostly) lonely road :)
>
> Dinis
>
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
> On 28 March 2013 19:19, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>>
>> I feel a more constructive approach to most of these issues is to propose
>> them in a way that is non-confrontational and proposes solutions.
>>
>> 1) The singleton pattern, while a valid approach to solve some problems is
>> overused in the ESAPI project - perhaps adding an option, as Spring
>> Framework does, to enable the singleton pattern over a default Flyweight
>> or Factory pattern would be a better approach to object distribution in
>> ESAPI.
>>
>> 2) There are quite a few open bugs in the ESAPI project that *I* feel are
>> important - so I have up voted and commented on them with potential ideas
>> that could help resolve the problems.
>>
>> 3) I noticed that there hasn't been a lot of commit activity on the
>> project since last July - I feel this is an important project so I have
>> leveraged my voice as a prominent member of the OWASP community to see if
>> I can get some additional volunteers to help you guys address the issues
>> that I mentioned above.
>>
>> We are an open organization of volunteers and there are a lot of projects
>> under the OWASP umbrella, there are a select few of us who champion the
>> OWASP projects cause and we are all busy individuals. Calling anyone's baby
>> ugly and not providing constructive feedback for a project within our own
>> organization only hurts our common mission and as such I think it is
>> important that we all self-moderate our comments with regards to any OWASP
>> project. Healthy debate is healthy and I (and most others within the
>> organization that I have had the pleasure of meeting and/or working with)
>> openly and warmly accept any and all feedback, but when it is constructive
>> and meaningful it helps all of us.
>>
>> Further, there is an appropriate channel for this conversation and I don't
>> feel that channel is the leaders list. Sebastian asked a valid question
>> after not getting a response on the ESAPI dev list, and answering his
>> question then taking this conversation to the dev list would have been the
>> appropriate move.
>>
>> I currently wear the mantle of ESAPI leadership and one of my
>> responsibilities as the leader for one of the most visible OWASP projects
>> is to be aware of how I am performing my own job. I will happily
>> relinquish my leadership role if anyone feels that I am not adequately
>> filling the role and will continue to contribute to the project because I
>> believe in the mission of ESAPI. Remember just because you may not see the
>> work going on doesn't mean that work isn't happening. As I said in other
>> messages - ESAPI is a large and very visible project and making rash
>> decisions that introduce incompatibilities will not help anyone -
>> compounded with the fact that we (Kevin and I) are both working on this
>> while very busy with other responsibilities means that change may not be
>> happening as quickly as anyone may like it to - but it is happening.
>>
>> I will happily continue this conversation in the appropriate channel if
>> you would like to further discuss it and anyone is welcome to join in to
>> the conversation on the ESAPI-Dev mailing list if they have ideas,
>> opinions, or comments in general. Let's keep conversation on the leaders
>> list on topic for the leaders list.
>>
>> </soapbox>
>>
>>
>>
>> On 3/28/13 12:32 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>
>> > Chris,
>> >
>> > I agree that ESAPI is not dead, and I'm eager to see you and others
>> > return to actively working on the project.
>> >
>> > But I do objectively feel that it's not a release quality project and I
>> > no longer recommend that organizations use it. I think it's a great
>> > research project, but other projects trump ESAPI in terms of quality and
>> > activity like I mentioned earlier.
>> >
>> > 1) The singleton is a fundamental design flaw and needs to be removed
>> > 2) The project has a large number of active bugs, many of these are VERY
>> > significant https://code.google.com/p/owasp-esapi-java/issues/list
>> > 3) There has not been major coding activity on ESAPI for Java since July
>> > 2012.
>> >
>> > When these things change, I'll change my tune.
>> >
>> > - Jim
>> >
>> >> Sebastian and all -
>> >>
>> >> While we try to monitor what is happening on the list all the time,
>> >> understandably we all get busy from time to time. That being said, the
>> >> ESAPI project is far from dead. Sebastian, feel free to contact Jeff and
>> >> myself off-list and we would be more than happy to address any questions
>> >> that you have! Thanks!
>> >>
>> >> ~Chris
>> >>
>> >> From: Samantha Groves <samantha.groves at owasp.org>
>> >> Date: Thursday, March 28, 2013 11:10 AM
>> >> To: Konstantinos Papapanagiotou <Konstantinos at owasp.org>
>> >> Cc: "spyrosgaster at gmail.com" <spyrosgaster at gmail.com>, Leaders
>> >> <owasp-leaders at lists.owasp.org>
>> >> Subject: Re: [Owasp-leaders] Fwd: Getting in touch with the leader ?
>> >>
>> >> Agreed.
>> >>
>> >> Can I get a list of names of the individuals actively contributing to
>> >> this project? I need to update our records.
>> >>
>> >> Additionally, I need someone to volunteer to manage requests and
>> >> questions that come into the ESAPI mailing list. Please message me if
>> >> you are interested. This person will be responsible for answering
>> >> questions, and liaising between contributors and the community.
>> >>
>> >> Thank you, Leaders.
>> >>
>> >> Sam G.
>> >>
>> >> On Thu, Mar 28, 2013 at 4:47 PM, Konstantinos Papapanagiotou
>> >> <Konstantinos at owasp.org> wrote:
>> >> All,
>> >>
>> >> Spyros (cc-ed as he's not on the leaders list) is also already working
>> >> on an ESAPI for PHP rewrite and actually a few days ago also tried to
>> >> get in touch with someone on the ESAPI mailing lists.
>> >> Since apparently people are working on it we should have some kind of
>> >> co-ordination.
>> >>
>> >> Kostas
>> >>
>> >>
>> >> On Thursday, March 28, 2013, Abbas Naderi wrote:
>> >> Hello
>> >> We're doing some PHP security project, which would hopefully result in
>> >> a rewrite of ESAPI. The current ESAPI PHP is 100% against PHP
>> >> programming values.
>> >> Thanks
>> >> -Abbas
>> >> On 8 Farvardin 1392, at 17:47, Samantha Groves
>> >> <samantha.groves at owasp.org> wrote:
>> >>
>> >> Hello All,
>> >>
>> >> Chris Schmidt & Kevin Wall are both co-leading this project at the
>> >> moment. A few months ago, we put together a proposal for funding from
>> >> the DHS that included a management and technical management roadmap that
>> >> we submitted for funding. We have been waiting for a decision.
>> >>
>> >> I have just gotten word from DHS that funding for their programs has
>> >> now been approved for 2013. The last I heard is that our ESAPI Project
>> >> proposal was in round two of reviews. In answer to your questions, ESAPI
>> >> is not dead, we were just placed at a halt after our proposal was
>> >> submitted to DHS.
>> >>
>> >> I hope this clears things up. Let me know if you have questions,
>> >> concerns, etc.
>> >>
>> >> Cheers now, All.
>> >>
>> >> SG
>> >>
>> >> On Thu, Mar 28, 2013 at 11:27 AM, vanderaj vanderaj
>> >><vanderaj at owasp.org> wrote:
>> >> I thought that Chris Schmidt had taken over the helm of ESAPI?
>> >>
>> >> thanks,
>> >> Andrew
>> >>
>> >>
>> >> On Thu, Mar 28, 2013 at 9:11 PM, Sebastien Gioria
>> >><sebastien.gioria at owasp.org> wrote:
>> >> No news from anyone? Is ESAPI dev definitively dead?
>> >>
>> >> I'm in touch with a new potential big corporate member who has
>> >> integrated ESAPI in their product and has problems. Any value for them
>> >> before making their membership could be the OWASP capacity to be in
>> >> touch with the leader of the ESAPI Java.
>> >>
>> >> We (France) are in touch with them to host the First OWASP France Day
>> >> and many more other opportunities.
>> >>
>> >> It's really a big reference for OWASP if we have it.
>> >>
>> >> Thanks.
>> >>
>> >>
>> >> ---------- Forwarded message ----------
>> >> From: Sebastien Gioria <sebastien.gioria at owasp.org>
>> >> Date: 2013/3/26
>> >> Subject: Getting in touch with the leader ?
>> >> To: owasp-esapi-dev <owasp-esapi-dev at owasp.org>
>> >> Cc: Jeff Williams <jeff.williams at owasp.org>
>> >>
>> >>
>> >> Hi guys,
>> >>
>> >> I'm not sure Jeff is still the leader of the JavaEE ESAPI project,
>> >> and I need to be in touch with the leader of the project for some
>> >> related presentations and experience exchange with a big French
>> >> company.
>> >>
>> >> Thanks in advance
>> >>
>> >>
>> >> --
>> >> OWASP French Chapter Leader
>> >> GSM: +33 6 70 59 11 44
>> >>
>> >>
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Samantha Groves, MBA
>> >> OWASP Project Manager
>> >>
>> >> The OWASP Foundation
>> >>
>> >> Lisbon, Portugal
>> >>
>> >> Email: samantha.groves at owasp.org
>> >>
>> >> Skype: samanthahz
>> >>
>> >>
>> >> OWASP Global Projects <https://www.owasp.org/index.php/Category:OWASP_Project>
>> >>
>> >> Book a Meeting with Me <http://goo.gl/mZXdZ>
>> >>
>> >> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>> >>
>> >> New Project Application Form <https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHZfWGhHZ0Z4UFFwZU42djBXcVVLSlE6MQ#gid=0>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>>
>>
>
>
>
>
