[Owasp-leaders] OWASP ESAPI Project Status

johanna curiel curiel johanna.curiel at owasp.org
Sat Mar 29 22:48:14 UTC 2014

I was part of the project advisory board, but it seems that I fell from
that board without knowing it.

Now I hear the news about taking out flagship status from certain projects.

I was against this because, once a project reaches maturity, it is not likely
to go back to "incubator".
The term is not appropriate for a mature project to go back to
something it's not anymore.

What has happened here is that the project has lost its drive, has become
outdated. In the case of ESAPI, certain components have become obsolete with
time, but no way are they INCUBATOR!

People of OWASP, you want to have volunteers? Respect their role when
asking them to be part, and now I feel rudely taken out of that board and
decisions are being made secretly without those volunteers knowing... I'm
very disappointed.

This is in no way a democratic system. Even less when volunteers put
efforts that now are taken for granted and wiped like nothing out of the

You want volunteers? Respect them.



On Saturday, March 29, 2014, Jim Manico <jim.manico at owasp.org> wrote:

> Dinis,
> If we set our sights to small usable components instead of huge secure
> coding frameworks we can win. I shepherd several projects at OWASP that
> coincidentally Apache Shiro will be using to help add AntiXSS capabilities.
> I'm not hot on the "standard" that ESAPI is seeking, it's a good idea, but
> I'd rather focus on giving devs something that is immediately usable and
> helpful to solve a discrete problem *in a production quality high
> performance way*. This is why I'm so fond of the work of Jeff Ichnowski
> (Java Encoder Project) and Mike Samuel (OWASP HTML Sanitizer and OWASP JSON
> encoder). These gents are both PhD level software engineers and applied
> defensive AppSec experts. They are not software engineering hackers. ;)
> We are going to slice and dice ESAPI into several small projects under a
> non-ESAPI banner. Trust me, this is the right path to serve the mission of
> helping devs build secure web applications.
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org>
> wrote:
> I think this is a great step for ESAPI which maybe will help it (ESAPI) to
> have a much more realistic and achievable focus.
> Kudos to Kevin for doing this and allowing the correct mapping of ESAPI
> I've written (in 2010, 2011) about my views about ESAPI and where it
> should go (i.e. ESTAPI):
>    - The ESTAPI idea <http://blog.diniscruz.com/2011/06/estapi-idea.html>
>    - A couple more comments on ESAPI and ESTAPI <http://blog.diniscruz.com/2010/01/couple-more-comments-on-esapi-and.html>
>    - Recommending ESAPI? <http://blog.diniscruz.com/2010/01/recommending-esapi.html>
> And in case you missed these, recently (2013) I was able to consume ESAPI
> java from .NET (i.e. the O2 Platform)
>    - Loading OWASP ESAPI jar and its dependencies from C# (using jni4net)<http://blog.diniscruz.com/2013/03/loading-owasp-esapi-jar-and-its.html>
>    - View ESAPI 11 Encodings methods in real-time via an ASP.NET Web Page<http://blog.diniscruz.com/2013/06/view-esapi-11-encodings-methods-in-real.html>
>    - Another step in the use of ESAPI and AppSensor Jars from .Net/C#
>    (using Jni4Net)<http://blog.diniscruz.com/2013/06/another-step-in-use-of-esapi-and.html>
>    - First execution of ESAPI.jar Encoder methods from O2's C# REPL<http://blog.diniscruz.com/2013/05/first-execution-of-easpijar-encoder.html>
> Btw, I still think ESAPI is a great idea and something that just about all
> frameworks and companies need (i.e. an Enterprise Security APIs).
> The problem was that OWASP's community tried to be a 'professional
> development org', which is something that (with some minor exceptions) we
> are not capable of. Organisations/groups like http://shiro.apache.org/ are much more suited for that type of 'mission critical development'
> Dinis
> On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org>
> wrote:
>> Why you should no longer use the OWASP ESAPI project, why you should not
>> be recommending the OWASP ESAPI project, and why the OWASP ESAPI project is
>> not deserving of flagship status.
>> http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
>> - Jim