[Owasp-leaders] jowasp.org

Yvan Boily yvanboily at gmail.com
Wed Aug 27 22:54:24 UTC 2014


On the contrary, naming *is* very important[1].  One of the single most
significant protections that any open source project can leverage is
trademark protection, and a proliferation and acceptance of domain names
(even from a board member) that riff off OWASP have multiple effects:

* They weaken the claim to a trademark.  Not that this is a significant
fear for OWASP, but one should tread cautiously and defend trademarks
vigorously.
* They train users to treat 'non-owasp' domains as canonical resources.
* Privately owned OWASP-related domains weaken OWASP's (as a legal entity)
capabilities to ensure that OWASP values and commitments are upheld.

I don't have any concerns about what Jim is trying to accomplish, but I do
think that having a CNAME to java.owasp.org or something similar is a far
better approach.

Just my $0.02!


Regards,
Yvan Boily


[1] "There are only two hard problems in Computer Science: cache
invalidation, naming things, and off-by-one errors." - unknown because I am
lazy.


On Wed, Aug 27, 2014 at 3:09 PM, Adil Aliyev <adil.aliyev at owasp.org> wrote:

> Dear all,
>
> Anyway the idea is great because of the following reasons:
>
> 1. Java is popular and more relevant today. Even PIC, Atmel folks who need
> more high-level features are starting to use Raspberry, and the ideal platform for
> it is Java+Linux. I don't know about .NET; the last time I used it was 7 years
> ago.
>
> 2. A lot of people have turned to Java web from PHP in recent years, as Java has
> more powerful and easy to use frameworks for web, mvc, db abstraction,
> mapping etc. that makes web development easier and scalable. Such people
> need to be careful and they need to be educated. PHP is not Java, PHP
> "compilers" are not bytecode, forking is not direct multithreading and
> apache httpd, nginx etc are not application servers. They all have too many
> differences. In my experience I've seen a lot of people who confuse these
> basics.
>
> 3. People who used Java and C++ only for desktop apps mostly write
> insecure code when writing for web. Once, in a very big company, I saw that
> someone wrote a program where the authentication process is just for hiding the login
> screen visually and assigning the username to a global variable. Very sensitive
> information could be sent, received or sniffed via tcp. Another case was
> also in a big company, where a programmer used session and serverside processing
> just for selecting a DIV-based listbox item. I see that on the internet also
> often. They all need serious experience. Web is not a closed environment
> without malicious users.
>
> 4. Java is not like PHP, JavaScript, Ruby etc as mentioned in previous
> mails. I mean from a market point of view. They are all not as relevant for
> enterprise systems today.
>
> P.S. My friends, please judge and tell your opinions on the idea. The naming
> is a very little thing to discuss. There is almost no difference between
> jowasp or java.owasp.
>
> Best Regards,
> Adil
>
>
> On Thursday, August 28, 2014, Jim Manico <jim.manico at owasp.org> wrote:
>
>>  Thank you Jerry. I want to experiment *responsibly* and respect the
>> OWASP brand rules! And by the way, I do not intend to follow any of rule #3
>> because this goal is not to advertise my or any company; I want to do this
>> as an OWASP property.
>>
>> So with respect I plan to "go for it". If this is successful then by all
>> means we can figure out what to do next as a team.
>>
>> Aloha,
>> Jim
>>
>>  OWASP Brand Usage Rules
>> https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES
>>
>> The following rules make reference to the OWASP Materials, meaning any
>> tools, documentation, or other content from OWASP. The rules also make
>> reference to "OWASP Published Standards" which are currently in the process
>> of being developed and released. Currently there are no OWASP Published
>> Standards.
>>
>>    1. The OWASP Brand may be used to direct people to the OWASP website
>>    for information about application security.
>>    2. The OWASP Brand may be used in commentary about the materials
>>    found on the OWASP website.
>>    3. The OWASP Brand may be used by OWASP Members in good standing to
>>    promote a person or company's involvement in OWASP.
>>    4. The OWASP Brand may be used in association with an application
>>    security assessment only if a complete and detailed methodology, sufficient
>>    to reproduce the results, is disclosed.
>>    5. The OWASP Brand must not be used in a manner that suggests that
>>    The OWASP Foundation supports, advocates, or recommends any particular
>>    product or technology.
>>    6. The OWASP Brand must not be used in a manner that suggests that a
>>    product or technology is compliant with any OWASP Materials other than an
>>    OWASP Published Standard.
>>    7. The OWASP Brand must not be used in a manner that suggests that a
>>    product or technology can enable compliance with any OWASP Materials other
>>    than an OWASP Published Standard.
>>    8. The OWASP Brand must not be used in any materials that could
>>    mislead readers by narrowly interpreting a broad application security
>>    category. For example, a vendor product that can find or protect against
>>    forced browsing must not claim that they address all of the access control
>>    category.
>>    9. The OWASP Brand may be used by special arrangement with The OWASP
>>    Foundation.
>>
>>
>> On 8/27/14, 12:15 PM, Jerry Hoff wrote:
>>
>> Just to be clear - there are no owasp restrictions regarding this, right?
>>
>> I think all the ideas are good, and we should implement them all - but I
>> think Jim should still build out jowasp. I think owasp needs a bit more
>> risk-taking and experimentation like this. I'm a fan!
>>
>>
>>
>> --
>> Jerry Hoff
>> jerry at owasp.com
>> @jerryhoff
>>
>> On Aug 27, 2014, at 21:56, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>   Timur,
>>
>>  I would use all of the OWASP brand usage rules and style guidelines and
>> make the work transparent to the community. At some point early in the
>> process, I plan to transfer ownership of the domain to OWASP.
>>
>>  > a) owasp.org has non-attractive design. But there is web redesign
>> project under way, so why duplicate design efforts?!
>>
>>  I have a different vision. I want to only highlight Java developer
>> projects, not do a full redesign of the main website.
>>
>>  And if it's successful I say keep supporting and enhancing it as
>> opposed to kill it. ;)
>>
>>  Aloha,
>>  --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Aug 27, 2014, at 11:48 AM, "Timur 'x' Khrotko (owasp)" <
>> timur at owasp.org> wrote:
>>
>>   Hello, Jim,
>>
>>  (be careful with using owasp creative property, the design, for a body,
>> site not recognized by owasp due to its not fitting the existing notions,
>> as is it a project or a chapter? :))
>>
>>  What you are saying, is two things for me:
>>
>>  a) owasp.org has non-attractive design. But there is web redesign
>> project under way, so why duplicate design efforts?!
>>
>>  b) When a developer visits owasp.org she (:) sees a mess, while she
>> probably came with one simple motivation in mind, to find Java related
>> appsec advice. And while we spend energies to tell dev folks to deal with
>> security we make our own advice hardly accessible. Only if one does not
>> insist that this page makes Java security visible and accessible:
>> https://www.owasp.org/index.php/Category:Java
>>
>>  So if jowasp gets successful I propose to kill it in the very moment it
>> proves your technology-centric approach right and asap create
>> technology-centric web-face and section on owasp.org with all the modern
>> technologies, js, java, dotnet, scala, argh php, etc. - according to the
>> structure you invent.
>>
>>  Regards:
>> timur
>>
>>
>>
>> On Wed, Aug 27, 2014 at 8:44 PM, Jerry Hoff <jerry at owasp.org> wrote:
>>
>>>  I like it - we need more experimentation like this - the owasp wiki
>>> style landing page needs some serious overhauling in my opinion - would
>>> love to see what a pro designer comes up with. If the jowasp design is a
>>> hit, maybe we can port it over to owasp.
>>>
>>>  My vote would be to do it!
>>>
>>>  Jerry
>>>
>>>
>>> --
>>> Jerry Hoff
>>> jerry at owasp.com
>>> @jerryhoff
>>>
>>> On Aug 27, 2014, at 21:26, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>   Duly noted, Jerry. I agree a dot.net "version" of OWASP would be a
>>> GOOD idea!
>>>
>>> For jowasp.org, I was planning on using a *very* professional designer
>>> to build the site using *OWASP brand rules and style* and POINT to
>>> OWASP.org projects. I intend to copy or fork *nothing* just be a "front
>>> page" to help developers get to good Java security developer resources
>>> easily. So yea, I would not copy the cheat sheets, just point to them, for
>>> example.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>>
>>> On 8/27/14, 11:24 AM, Jerry Hoff wrote:
>>>
>>> I would say that OWASP is already largely the java view of application security! We need a dotnetwasp.org!! :)
>>>
>>> Joking aside I think it's a fun idea - almost like a filtered view of OWASP for java folk. Are you going to set up your own web page, or make some auto redirect to a particular page on the OWASP wiki?
>>>
>>> Jerry
>>>
>>> --
>>> Jerry Hoff
>>> jerry at owasp.com
>>> @jerryhoff
>>>
>>>
>>>  On Aug 27, 2014, at 21:11, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> Leaders,
>>>
>>> A while ago I registered jowasp.org with the intention of providing a
>>> view into OWASP specific to Java developers. I intended to do this in
>>> a non-commercial way, but I realize that Java is tied to a commercial
>>> entity fairly tightly.
>>>
>>> What do you think?
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>