[Owasp-leaders] jowasp.org

Jim Manico jim.manico at owasp.org
Wed Aug 27 22:59:44 UTC 2014

I support building up java.owasp.org and will have jowasp.org 
transferred to OWASP and suggest that it be redirected to java.owasp.org.

And Yvan, may I politely suggest a little Shakespeare for your non-tech 
reading? From Romeo and Juliet....


'Tis but thy name that is my enemy;
Thou art thyself, though not a Montague.
What's Montague? it is nor hand, nor foot,
Nor arm, nor face, nor any other part
Belonging to a man. O, be some other name!
*What's in a name? that which we call a rose*
*By any other name would smell as sweet*;
So Romeo would, were he not Romeo call'd,
Retain that dear perfection which he owes
Without that title. Romeo, doff thy name,
And for that name which is no part of thee
Take all myself.


On 8/27/14, 3:54 PM, Yvan Boily wrote:
> On the contrary, naming *is* very important[1].  One of the single 
> most significant protections that any open source project can leverage 
> is trademark protection, and a proliferation and acceptance of domain 
> names (even from a board member) that riff off OWASP have multiple effects:
> * They weaken the claim to a trademark.  Not that this is a 
> significant fear for OWASP, but one should tread cautiously and defend 
> trademarks vigorously
> * They train users to treat 'non-owasp' domains as canonical resources
> * Privately owned OWASP-related domains weaken OWASP (as a legal 
> entity) capabilities to ensure that OWASP values and commitments are 
> upheld
> I don't have any concerns about what Jim is trying to accomplish, but 
> I do think that having a CNAME to java.owasp.org 
> <http://java.owasp.org> or something similar is a far better approach.
> Just my $0.02!
> Regards,
> Yvan Boily
> [1] "There are only two hard problems in Computer Science: cache 
> invalidation, naming things, and off-by-one errors." - unknown because 
> I am lazy.
> On Wed, Aug 27, 2014 at 3:09 PM, Adil Aliyev <adil.aliyev at owasp.org 
> <mailto:adil.aliyev at owasp.org>> wrote:
>     Dear all,
>     Anyway the idea is great because of the following reasons:
>     1. Java is popular and more relevant today. Even PIC, Atmel folks
>     who need more high-level features are starting to use Raspberry and
>     the ideal platform for it is Java+Linux. I don't know about .NET,
>     last time I used it 7 years ago.
>     2. A lot of people turn to Java web from PHP in recent years as Java
>     has more powerful and easy to use frameworks for web, mvc, db
>     abstraction, mapping etc. that makes web development easier and
>     scalable. Such people need to be careful and they need to be
>     educated. PHP is not Java, PHP "compilers" are not bytecode,
>     forking is not direct multithreading and apache httpd, nginx etc
>     are not application servers. They all have too many differences.
>     In my experience I've seen a lot of people who confuse these basics.
>     3. People who used Java and C++ only for desktop apps are mostly
>     writing insecure code when writing for web. Once I have seen in
>     very big company one wrote a program where authentication process
>     is just for hiding login screen visually and assigning username to
>     a global variable. Very sensitive information could be sent,
>     received or sniffed via tcp. Another case was also in big company
>     where programmer used session and serverside processing just for
>     selecting DIV-based listbox item. I see that on internet also
>     often. They all need serious experience. Web is not closed
>     environment without malicious users.
>     4. Java is not like PHP, JavaScript, Ruby etc as mentioned in
>     previous mails. I mean from market point view. They all are not
>     such relevant for enterprise systems for today.
>     P.S. My friends, please judge and tell your opinions on idea. The
>     naming is very little thing to discuss. There is almost no
>     difference between jowasp or java.owasp.
>     Best Regards,
>     Adil
>     On Thursday, August 28, 2014, Jim Manico <jim.manico at owasp.org
>     <mailto:jim.manico at owasp.org>> wrote:
>         Thank you Jerry. I want to experiment *responsibly* and
>         respect the OWASP brand rules! And by the way, I do not intend
>         to follow any of rule #3 because this goal is not to advertise
>         my or any company; I want to do this as an OWASP property.
>         So with respect I plan to "go for it". If this is successful
>         then by all means we can figure out what to do next as a team.
>         Aloha,
>         Jim
>                 OWASP Brand Usage Rules
>                 https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES
>         The following rules make reference to the OWASP Materials,
>         meaning any tools, documentation, or other content from OWASP.
>         The rules also make reference to "OWASP Published Standards"
>         which are currently in the process of being developed and
>         released. Currently there are no OWASP Published Standards.
>          1. The OWASP Brand may be used to direct people to the OWASP
>             website for information about application security.
>          2. The OWASP Brand may be used in commentary about the
>             materials found on the OWASP website.
>          3. The OWASP Brand may be used by OWASP Members in good
>             standing to promote a person or company's involvement in
>             OWASP.
>          4. The OWASP Brand may be used in association with an
>             application security assessment only if a complete and
>             detailed methodology, sufficient to reproduce the results,
>             is disclosed.
>          5. The OWASP Brand must not be used in a manner that suggests
>             that The OWASP Foundation supports, advocates, or
>             recommends any particular product or technology.
>          6. The OWASP Brand must not be used in a manner that suggests
>             that a product or technology is compliant with any OWASP
>             Materials other than an OWASP Published Standard.
>          7. The OWASP Brand must not be used in a manner that suggests
>             that a product or technology can enable compliance with
>             any OWASP Materials other than an OWASP Published Standard.
>          8. The OWASP Brand must not be used in any materials that
>             could mislead readers by narrowly interpreting a broad
>             application security category. For example, a vendor
>             product that can find or protect against forced browsing
>             must not claim that they address all of the access control
>             category.
>          9. The OWASP Brand may be used by special arrangement with
>             The OWASP Foundation.
>         On 8/27/14, 12:15 PM, Jerry Hoff wrote:
>>         Just to be clear - there are no owasp restrictions regarding
>>         this, right ?
>>         I think all the ideas are good, and we should implement them
>>         all - but I think Jim should still build out jowasp. I think
>>         owasp needs a bit more risk-taking and experimentation like
>>         this. I'm a fan!
>>         -- 
>>         Jerry Hoff
>>         jerry at owasp.com
>>         @jerryhoff
>>         On Aug 27, 2014, at 21:56, Jim Manico <jim.manico at owasp.org>
>>         wrote:
>>>         Timur,
>>>         I would use all of the OWASP brand usage rules and style
>>>         guidelines and make the work transparent to the community.
>>>         At some point early in the process, I plan to transfer
>>>         ownership of the domain to OWASP.
>>>         > a) owasp.org <http://owasp.org/> has non-attractive
>>>         design. But there is web redesign project under way, so why
>>>         duplicate design efforts?!
>>>         I have a different vision. I want to only highlight Java
>>>         developer projects, not do a full redesign of the main website.
>>>         And if it's successful I say keep supporting and enhancing
>>>         it as opposed to kill it. ;)
>>>         Aloha,
>>>         --
>>>         Jim Manico
>>>         @Manicode
>>>         (808) 652-3805
>>>         On Aug 27, 2014, at 11:48 AM, "Timur 'x' Khrotko (owasp)"
>>>         <timur at owasp.org> wrote:
>>>>         Hello, Jim,
>>>>         (be careful with using owasp creative property, the design,
>>>>         for a body, site not recognized by owasp due to its not
>>>>         fitting the existing notions, as is it a project or a
>>>>         chapter? :))
>>>>         What you are saying, is two things for me:
>>>>         a) owasp.org <http://owasp.org/> has non-attractive design.
>>>>         But there is web redesign project under way, so why
>>>>         duplicate design efforts?!
>>>>         b) When a developer visits owasp.org <http://owasp.org> she
>>>>         (:) sees mess, while she probably came with one simple
>>>>         motivation in mind, to find Java related appsec advice. And
>>>>         while we spend energies to tell dev folks to deal with
>>>>         security we make our own advice hardly accessible. Only if
>>>>         one does not insist that this page makes Java security
>>>>         visible and accessible:
>>>>         https://www.owasp.org/index.php/Category:Java
>>>>         So if jowasp gets successful I propose to kill it in the
>>>>         very moment it proves your technology-centric approach
>>>>         right and asap create technology-centric web-face and
>>>>         section on owasp.org <http://owasp.org> with all the modern
>>>>         technologies, js, java, dotnet, scala, argh php, etc. -
>>>>         according to the structure you invent.
>>>>         Regards:
>>>>         timur
>>>>         On Wed, Aug 27, 2014 at 8:44 PM, Jerry Hoff
>>>>         <jerry at owasp.org> wrote:
>>>>             I like it - we need more experimentation like this -
>>>>             the owasp wiki style landing page needs some serious
>>>>             overhauling in my opinion - would love to see what a
>>>>             pro designer comes up with. If the jowasp design is a
>>>>             hit, maybe we can port it over to owasp.
>>>>             My vote would be to do it!
>>>>             Jerry
>>>>             -- 
>>>>             Jerry Hoff
>>>>             jerry at owasp.com
>>>>             @jerryhoff
>>>>             On Aug 27, 2014, at 21:26, Jim Manico
>>>>             <jim.manico at owasp.org> wrote:
>>>>>             Duly noted, Jerry. I agree a dot.net <http://dot.net>
>>>>>             "version" of OWASP would be a GOOD idea!
>>>>>             For jowasp.org <http://jowasp.org>, I was planning on
>>>>>             using a *very* professional designer to build the site
>>>>>             using *OWASP brand rules and style* and POINT to
>>>>>             OWASP.org <http://OWASP.org> projects. I intend to
>>>>>             copy or fork *nothing* just be a "front page" to help
>>>>>             developers get to good Java security developer
>>>>>             resources easily. So yea, I would not copy the cheat
>>>>>             sheets, just point to them, for example.
>>>>>             Aloha,
>>>>>             Jim
>>>>>             On 8/27/14, 11:24 AM, Jerry Hoff wrote:
>>>>>>             I would say that OWASP is already largely the java view of application security! We need a dotnetwasp.org <http://dotnetwasp.org>!! :)
>>>>>>             Joking aside I think it's a fun idea - almost like a filtered view of OWASP for java folk. Are you going to set up your own web page, or make some auto redirect to a particular page on the OWASP wiki?
>>>>>>             Jerry
>>>>>>             --
>>>>>>             Jerry Hoff
>>>>>>             jerry at owasp.com
>>>>>>             @jerryhoff
>>>>>>>             On Aug 27, 2014, at 21:11, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>             Leaders,
>>>>>>>             A while ago I registered jowasp.org <http://jowasp.org> with the intention of providing a
>>>>>>>             view into OWASP specific to Java developers. I intended to do this in
>>>>>>>             a non-commercial way, but I realize that Java is tied to a commercial
>>>>>>>             entity fairly tightly.
>>>>>>>             What do you think?
>>>>>>>             Aloha,
>>>>>>>             --
>>>>>>>             Jim Manico
>>>>>>>             @Manicode
>>>>>>>             (808) 652-3805
>>>>>>>             _______________________________________________
>>>>>>>             OWASP-Leaders mailing list
>>>>>>>             OWASP-Leaders at lists.owasp.org
>>>>>>>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
