[Owasp-leaders] OWASP ESAPI Project Status
Tobias
tobias.gondrom at owasp.org
Sun Mar 30 04:36:41 UTC 2014
Dear Johanna,
thank you for your email. I can feel your concerns.
And rest assured that Jim and all the others very much value and
appreciate all OWASP volunteers' work.
Maybe a small question:
What do you think we should do with outdated projects that have not
been maintained for a long time, e.g. ESAPI?
Because IMHO they clearly cannot stay Flagship projects....?
Just my 2cents,
All the best, Tobias
PS: maybe a small personal comment: in my personal view, the maturity
level of a project should not be a given and retained forever without
any maintenance efforts, but it should be earned and judged by maturity
and quality compared to other projects on a continuous basis. So if
something deprecates, we should not recommend it as flagship anymore.
The same way we recommend that old functions in old code may become deprecated....?
On 30/03/14 06:48, johanna curiel curiel wrote:
> I was part of the project advisory board, but it seems that I
> fell from that board without knowing it.
>
> Now I hear the news about taking out flagship status from certain
> projects.
>
> I was against this because, once a project reaches maturity, it is not
> likely to go back to "incubator".
> The term is not appropriate for a mature project to go back to
> something it's not anymore.
>
> What has happened here is that the project has lost its drive and has
> become outdated. In the case of ESAPI, certain components have become
> obsolete with time, but no way are they INCUBATOR!
>
> People of OWASP, you want to have volunteers? Respect their role when
> asking them to be part, and now I feel rudely taken out of that board,
> and decisions are being made secretly without those volunteers
> knowing... I'm very disappointed.
>
> This is in no way a democratic system, even less when volunteers put in
> efforts that are now taken for granted and wiped like nothing off
> the table.
>
> You want volunteers? Respect them.
>
> Regards
>
> johanna
>
> On Saturday, March 29, 2014, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>
> Dinis,
>
> If we set our sights on small usable components instead of huge
> secure coding frameworks we can win. I shepherd several projects
> at OWASP that coincidentally Apache Shiro will be using to help
> add AntiXSS capabilities.
>
> I'm not hot on the "standard" that ESAPI is seeking; it's a good
> idea, but I'd rather focus on giving devs something that is
> immediately usable and helpful to solve a discrete problem, in a
> production-quality, high-performance way. This is why I'm so fond
> of the work of Jeff Ichnowski (Java Encoder Project) and Mike
> Samuel (OWASP HTML Sanitizer and OWASP JSON encoder). These gents
> are both PhD level software engineers and applied defensive AppSec
> experts. They are not software engineering hackers. ;)
>
> We are going to slice and dice ESAPI into several small projects
> under a non-ESAPI banner. Trust me, this is the right path to
> serve the mission of helping devs build secure web applications.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org
> <mailto:dinis.cruz at owasp.org>> wrote:
>
>> I think this is a great step for ESAPI which maybe will help it
>> (ESAPI) to have a much more realistic and achievable focus.
>>
>> Kudos to Kevin for doing this and allowing the correct mapping of
>> ESAPI
>>
>> I've written (in 2010, 2011) about my views about ESAPI and where
>> it should go (i.e. ESTAPI):
>>
>> * The ESTAPI idea
>> <http://blog.diniscruz.com/2011/06/estapi-idea.html>
>> * A couple more comments on ESAPI and ESTAPI
>> <http://blog.diniscruz.com/2010/01/couple-more-comments-on-esapi-and.html>
>> * Recommending ESAPI?
>> <http://blog.diniscruz.com/2010/01/recommending-esapi.html>
>>
>> And in case you missed these, recently (2013) I was able to
>> consume ESAPI java from .NET (i.e. the O2 Platform)
>>
>> * Loading OWASP ESAPI jar and its dependencies from C# (using
>> jni4net)
>> <http://blog.diniscruz.com/2013/03/loading-owasp-esapi-jar-and-its.html>
>> * View ESAPI 11 Encodings methods in real-time via an ASP.NET
>> Web Page
>> <http://blog.diniscruz.com/2013/06/view-esapi-11-encodings-methods-in-real.html>
>> * Another step in the use of ESAPI and AppSensor Jars from
>> .Net/C# (using Jni4Net)
>> <http://blog.diniscruz.com/2013/06/another-step-in-use-of-esapi-and.html>
>> * First execution of ESAPI.jar Encoder methods from O2's C#
>> REPL
>> <http://blog.diniscruz.com/2013/05/first-execution-of-easpijar-encoder.html>
>>
>> Btw, I still think ESAPI is a great idea and something that just
>> about all frameworks and companies need (i.e. an Enterprise
>> Security API).
>>
>> The problem was that OWASP's community tried to be a
>> 'professional development org', which is something that (with
>> some minor exceptions) we are not capable of.
>> Organisations/groups like http://shiro.apache.org/ are much more
>> suited for that type of 'mission critical development'.
>>
>> Dinis
>>
>> On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org
>> <mailto:jim.manico at owasp.org>> wrote:
>>
>> Why you should no longer use the OWASP ESAPI project, why you
>> should not be recommending the OWASP ESAPI project, and why
>> the OWASP ESAPI project is not deserving of flagship status.
>>
>> http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
>>
>> - Jim
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>