[Owasp-leaders] OWASP ESAPI Project Status

Tobias tobias.gondrom at owasp.org
Sun Mar 30 04:36:41 UTC 2014

Dear Johanna,

thank you for your email. I can feel your concerns.
And rest assured that Jim and all the others very much value and
appreciate all OWASP volunteers work.

Maybe a small question:
What do you think we should do with outdated projects that are not
maintained for a long time, like e.g. ESAPI.

Because IMHO clearly they can not stay Flagship projects....?

Just my 2cents,

All the best, Tobias

Ps.: maybe a small personal comment: in my personal view, the maturity
level of a project should not be a given and retained forever without
any maintenance efforts, but it should be earned and judged by maturity
and quality compared to other projects on a continuous basis. So if
something deprecates, we should not recommend it as flagship anymore.
Same like we recommend old functions in old code may become deprecated....?

On 30/03/14 06:48, johanna curiel curiel wrote:
> I was part of the project advisory board, but it seems that I
> felt from that board without knowing it.
> Now I hear the news about taking out flagship status from certain
> projects.
> I was against this because, once a project reaches maturity is not
> likely to go back to "incubator". 
> The term is not appropiate for a mature project to go back to
> something it's not anymore.
> what had happend here is that the project has loose his drive, has
> become outdated. in case of ESAPI, certain components have become
> obsolete with time, but noway they are INCUBATOR!
> people of owasp, you want to have volunteers? Respect their role when
> asking to be part and now I feel rudelessly taken out of that board
> and decisions are been made secretly without those volunteers not
> knowing...I'm very dissapointed. 
> This is in no way a democratic system. even less when volunteers put
> efforts tnat now are taken for granted and wiped like nothing out of
> the table.
> You want volunteers? Respect them.
> Regards
> johanna
> On Saturday, March 29, 2014, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>     Dinis,
>     If we set our sights to small usable components instead of huge
>     securing coding frameworks we can win. I shepherd several projects
>     at OWASP that coincidentally Apache Shiro will be using to help
>     add AntiXSS capabilities.
>     I'm not hot on the "standard" that ESAPI is seeking, it's a good
>     idea, but I'd rather focus on giving devs something that is
>     immediately usable and helpful to solve a discrete problem .in a
>     production quality high performance way.. This is why I'm so fond
>     the the work of Jeff Ichnowski (Java Encoder Project) and Mike
>     Samuel (OWASP HTML Sanitizer and OWASP JSON encoder). These gents
>     are both PhD level software engineers and applied defensive AppSec
>     experts. They are not software engineering hackers. ;)
>     We are going to slice and dice ESAPI into several small projects
>     under a non-ESAPI banner. Trust me, this is the right path to
>     serve the mission of helping devs build secure web applications. 
>     --
>     Jim Manico
>     @Manicode
>     (808) 652-3805
>     On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org
>     <javascript:_e(%7B%7D,'cvml','dinis.cruz at owasp.org');>> wrote:
>>     I think this is a great step for ESAPI which maybe will help it
>>     (ESAPI) to have a much more realistic and achievable focus.
>>     Kudos to Kevin for doing this and allowing the correct mapping of
>>     ESAPI
>>     I've written (in 2010, 2011) about my views about ESAPI and where
>>     it should go (i.e. ESTAPI):
>>       * The ESTAPI idea
>>         <http://blog.diniscruz.com/2011/06/estapi-idea.html>
>>       * A couple more comments on ESAPI and ESTAPI
>>         <http://blog.diniscruz.com/2010/01/couple-more-comments-on-esapi-and.html> 
>>       * Recommending ESAPI?
>>         <http://blog.diniscruz.com/2010/01/recommending-esapi.html> 
>>     And in case you missed these, recently (2013) I was able to
>>     consume ESAPI java from .NET (i.e. the O2 Platform)
>>       * Loading OWASP ESAPI jar and its dependencies from C# (using
>>         jni4net)
>>         <http://blog.diniscruz.com/2013/03/loading-owasp-esapi-jar-and-its.html> 
>>       * View ESAPI 11 Encodings methods in real-time via an ASP.NET
>>         Web Page
>>         <http://blog.diniscruz.com/2013/06/view-esapi-11-encodings-methods-in-real.html> 
>>       * Another step in the use of ESAPI and AppSensor Jars from
>>         .Net/C# (using Jni4Net)
>>         <http://blog.diniscruz.com/2013/06/another-step-in-use-of-esapi-and.html> 
>>       * First execution of ESAPI.jar Encoder methods from O2's C#
>>         REPL
>>         <http://blog.diniscruz.com/2013/05/first-execution-of-easpijar-encoder.html> 
>>     Btw, I still think ESAPI is a great idea and something that just
>>     about all frameworks and companies needs (i.e. an Enterprise
>>     Security APIs).  
>>     The problem was that OWASP's community tried to be a
>>     'professional development org', which is something that (with
>>     some minor exceptions) we are not capable of.
>>     Organisations/groups like http://shiro.apache.org/ are much more
>>     suited for that type of 'mission critical development'
>>     Dinis
>>     On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org
>>     <javascript:_e(%7B%7D,'cvml','jim.manico at owasp.org');>> wrote:
>>         Why you should no longer use the OWASP ESAPI project, why you
>>         should not be recommending the OWASP ESAPI project, and why
>>         the OWASP ESAPI project is not deserving of flagship status.
>>         http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
>>         - Jim
>>         _______________________________________________
>>         OWASP-Leaders mailing list
>>         OWASP-Leaders at lists.owasp.org
>>         <javascript:_e(%7B%7D,'cvml','OWASP-Leaders at lists.owasp.org');>
>>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140330/0da0e789/attachment.html>

More information about the OWASP-Leaders mailing list