adil.aliyev at owasp.org
Wed Aug 27 22:09:02 UTC 2014
Anyway, the idea is great for the following reasons:
1. Java is popular and more relevant today. Even PIC and Atmel folks who need
more high-level features are starting to use Raspberry Pi, and the ideal platform for
it is Java+Linux. I don't know about .NET; the last time I used it was 7 years
2. A lot of people have turned to Java web development from PHP in recent years, as Java has more
powerful and easier-to-use frameworks for web, MVC, DB abstraction, mapping,
etc. that make web development easier and more scalable. Such people need to be
careful and they need to be educated. PHP is not Java, PHP "compilers" are
not bytecode, forking is not direct multithreading, and Apache httpd, nginx,
etc. are not application servers. They all have too many differences. In my
experience I've seen a lot of people who confuse these basics.
3. People who have used Java and C++ only for desktop apps mostly write
insecure code when writing for the web. Once I saw, in a very big company,
a program where the authentication process was just for hiding the login
screen visually and assigning the username to a global variable. Very sensitive
information could be sent, received or sniffed via TCP. Another case,
also in a big company, was where a programmer used a session and server-side processing
just for selecting a DIV-based listbox item. I see that on the internet
often as well. They all need serious experience. The web is not a closed environment
without malicious users.
mails. I mean from a market point of view. They are all not so relevant for
enterprise systems today.
P.S. My friends, please judge and tell me your opinions on the idea. The naming is
a very small thing to discuss. There is almost no difference between jowasp
On Thursday, August 28, 2014, Jim Manico <jim.manico at owasp.org> wrote:
> Thank you Jerry. I want to experiment *responsibly* and respect the OWASP
> brand rules! And by the way, I do not intend to follow any of rule #3
> because this goal is not to advertise my or any company; I want to do this
> as an OWASP property.
> So with respect I plan to "go for it". If this is successful then by all
> means we can figure out what to do next as a team.
> OWASP Brand Usage Rules
> The following rules make reference to the OWASP Materials, meaning any
> tools, documentation, or other content from OWASP. The rules also make
> reference to "OWASP Published Standards" which are currently in the process
> of being developed and released. Currently there are no OWASP Published
> 1. The OWASP Brand may be used to direct people to the OWASP website
> for information about application security.
> 2. The OWASP Brand may be used in commentary about the materials found
> on the OWASP website.
> 3. The OWASP Brand may be used by OWASP Members in good standing to
> promote a person or company's involvement in OWASP.
> 4. The OWASP Brand may be used in association with an application
> security assessment only if a complete and detailed methodology, sufficient
> to reproduce the results, is disclosed.
> 5. The OWASP Brand must not be used in a manner that suggests that The
> OWASP Foundation supports, advocates, or recommends any particular product
> or technology.
> 6. The OWASP Brand must not be used in a manner that suggests that a
> product or technology is compliant with any OWASP Materials other than an
> OWASP Published Standard.
> 7. The OWASP Brand must not be used in a manner that suggests that a
> product or technology can enable compliance with any OWASP Materials other
> than an OWASP Published Standard.
> 8. The OWASP Brand must not be used in any materials that could
> mislead readers by narrowly interpreting a broad application security
> category. For example, a vendor product that can find or protect against
> forced browsing must not claim that they address all of the access control
> 9. The OWASP Brand may be used by special arrangement with The OWASP
> On 8/27/14, 12:15 PM, Jerry Hoff wrote:
> Just to be clear - there are no OWASP restrictions regarding this, right?
> I think all the ideas are good, and we should implement them all - but I
> think Jim should still build out jowasp. I think owasp needs a bit more
> risk-taking and experimentation like this. I'm a fan!
> Jerry Hoff
> On Aug 27, 2014, at 21:56, Jim Manico <jim.manico at owasp.org
> I would use all of the OWASP brand usage rules and style guidelines and
> make the work transparent to the community. At some point early in the
> process, I plan to transfer ownership of the domain to OWASP.
> > a) owasp.org has an unattractive design. But there is a web redesign
> project under way, so why duplicate design efforts?!
> I have a different vision. I want to only highlight Java developer
> projects, not do a full redesign of the main website.
> And if it's successful I say keep supporting and enhancing it as opposed
> to kill it. ;)
> Jim Manico
> (808) 652-3805
> On Aug 27, 2014, at 11:48 AM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org
> Hello, Jim,
> (be careful with using OWASP creative property, the design, for a body or
> site not recognized by OWASP because it does not fit the existing notions,
> i.e. is it a project or a chapter? :))
> What you are saying is two things for me:
> a) owasp.org has an unattractive design. But there is a web redesign
> project under way, so why duplicate design efforts?!
> b) When a developer visits owasp.org she (:) sees a mess, while she
> probably came with one simple motivation in mind: to find Java-related
> appsec advice. And while we spend energy telling dev folks to deal with
> security, we make our own advice hardly accessible. Only if one does not
> insist that this page makes Java security visible and accessible:
> So if jowasp gets successful I propose to kill it the very moment it
> proves your technology-centric approach right and ASAP create a
> technology-centric web face and section on owasp.org with all the modern
> technologies, JS, Java, .NET, Scala, argh PHP, etc., according to the
> structure you invent.
> On Wed, Aug 27, 2014 at 8:44 PM, Jerry Hoff <jerry at owasp.org
>> I like it - we need more experimentation like this - the owasp wiki
>> style landing page needs some serious overhauling in my opinion - would
>> love to see what a pro designer comes up with. If the jowasp design is a
>> hit, maybe we can port it over to owasp.
>> My vote would be to do it!
>> Jerry Hoff
>> On Aug 27, 2014, at 21:26, Jim Manico <jim.manico at owasp.org
>> Duly noted, Jerry. I agree a dot.net "version" of OWASP would be a
>> GOOD idea!
>> For jowasp.org, I was planning on using a *very* professional designer
>> to build the site using *OWASP brand rules and style* and POINT to
>> OWASP.org projects. I intend to copy or fork *nothing* just be a "front
>> page" to help developers get to good Java security developer resources
>> easily. So yea, I would not copy the cheat sheets, just point to them, for
>> On 8/27/14, 11:24 AM, Jerry Hoff wrote:
>> I would say that OWASP is already largely the java view of application security! We need a dotnetwasp.org!! :)
>> Joking aside I think it's a fun idea - almost like a filtered view of OWASP for java folk. Are you going to set up your own web page, or make some auto redirect to a particular page on the OWASP wiki?
>> A while ago I registered jowasp.org with the intention of providing a
>> view into OWASP specific to Java developers. I intended to do this in
>> a non-commercial way, but I realize that Java is tied to a commercial
>> entity fairly tightly.
>> What do you think?
>> Jim Manico
>> (808) 652-3805
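The anti-pattern in Adil's third point (an "authentication" that only hides the login screen and drops the user name into a global variable) beside a server-side, per-request session check, as an added example written for this page and not code from the thread or from any OWASP project. The two-user store, the in-memory session table, the token format and the "report" action are hypothetical stand-ins; a real application verifies a salted password hash and uses the application server's session store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added illustration (not code from the thread or from any OWASP project).
 * Contrasts a desktop-style login, where "authentication" is one global
 * assignment plus hiding the form, with a session token that the server
 * validates on every request.
 */
public class SessionAuthDemo {

    // ---- Anti-pattern: global user set once, never re-checked per request ----

    /** One process-wide field, shared by every client that talks to this server. */
    static String globalUser = null;

    static boolean desktopStyleLogin(String user, String password) {
        if (checkPassword(user, password)) {
            globalUser = user;   // the whole "login": assign a global, hide the form
            return true;
        }
        return false;
    }

    /** Any caller gets the report once *anyone* has logged in; no identity is checked. */
    static String desktopStyleReport() {
        if (globalUser == null) return "denied";
        return "report for " + globalUser;
    }

    // ---- Fix: per-client session token, validated on every request ----

    private static final SecureRandom RNG = new SecureRandom();
    /** token -> user (hypothetical in-memory table standing in for the server's session store). */
    private static final Map<String, String> SESSIONS = new HashMap<>();

    /** Returns an unguessable token that the client must present with every request. */
    static Optional<String> login(String user, String password) {
        if (!checkPassword(user, password)) return Optional.empty();
        byte[] raw = new byte[32];                       // 256 bits of entropy
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(token, user);
        return Optional.of(token);
    }

    /** The protected action: identity comes from the presented token, never from a global. */
    static String report(String token) {
        String user = token == null ? null : SESSIONS.get(token);
        if (user == null) return "denied";
        return "report for " + user;
    }

    static void logout(String token) {
        SESSIONS.remove(token);
    }

    // ---- Shared helper: constructed user store (a real app verifies a salted hash) ----

    private static final Map<String, String> USERS = Map.of("alice", "s3cret", "bob", "hunter2");

    private static boolean checkPassword(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null || password == null) return false;
        // constant-time comparison so timing does not reveal how many leading characters matched
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Anti-pattern: Alice logs in; a second client that never authenticated
        // still receives Alice's report because the global is already set.
        desktopStyleLogin("alice", "s3cret");
        System.out.println("global auth, unauthenticated caller: " + desktopStyleReport());

        // Fix: no token or a guessed token is denied; only Alice's token yields her data.
        String aliceToken = login("alice", "s3cret").get();
        System.out.println("session auth, no token:      " + report(null));
        System.out.println("session auth, forged token:  " + report("AAAA"));
        System.out.println("session auth, Alice's token: " + report(aliceToken));
        logout(aliceToken);
        System.out.println("session auth, after logout:  " + report(aliceToken));
    }
}
```

The token is the only thing that makes the second design work, so it has to be transported over TLS and kept out of URLs and logs; otherwise it can be sniffed exactly as the plaintext TCP traffic in the anecdote could.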