[Owasp-leaders] OWASP ESAPI Project Status

Riotaro OKADA riotaro.okada at owasp.org
Sun Mar 30 05:56:22 UTC 2014


> Ps.: maybe a small personal comment: in my personal view, the maturity level
> of a project should not be a given and retained forever without any
> maintenance efforts, but it should be earned and judged by maturity and
> quality compared to other projects on a continuous basis.

I totally agree with this point.

Actually I was in charge, as a committee member, of investigating
OSS maturity models, collaborating with the QualiPSo (EU project) team for 3 years.
We tested by using various methodologies like MOSST (focusing on
code analysis), OP2A (focusing on their communication website), OMM
(focusing on the development cycle), and so on.
Throughout these studies we have only learned how it is not simple
to measure the "values" of open source software projects.

I do not have the best idea to solve this, but I understand fully that
both projects and software each have a "life-cycle" and steps to become "mature"
for their own purpose and usage (which of course vary, too).
Some should update frequently to fit up-to-date issues, but others should
not do so because of stability.

Frankly speaking, I felt it unnatural to score OWASP Projects using OpenSAMM
ways and the form when I received the mail from this mailing list.
Using a governance model or commercial model may be a bit far for scoring each
"value" of "as-is" based OWASP projects. And it may be too conceptual and
difficult to answer for people who have never used each project.

So it is understandable that some key persons of projects may feel disappointed,
even if the projects have been used by many people, because of "maturity".
I also think it would be a careful matter for us all.

It is not only an issue of "flagship" projects. All projects will be interested in
how OWASP promotes and picks up projects as "flagship". It will be one of the
standpoints of the OWASP community.

I am really interested in how OWASP can discuss this matter.

Thanks,

Rio

On Sun, Mar 30, 2014 at 1:36 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> Dear Johanna,
>
> thank you for your email. I can feel your concerns.
> And rest assured that Jim and all the others very much value and appreciate
> all OWASP volunteers work.
>
> Maybe a small question:
> What do you think we should do with outdated projects that are not
> maintained for a long time, like e.g. ESAPI.
>
> Because IMHO clearly they can not stay Flagship projects....?
>
> Just my 2cents,
>
> All the best, Tobias
>
>
> Ps.: maybe a small personal comment: in my personal view, the maturity level
> of a project should not be a given and retained forever without any
> maintenance efforts, but it should be earned and judged by maturity and
> quality compared to other projects on a continuous basis. So if something
> deprecates, we should not recommend it as flagship anymore. Same like we
> recommend old functions in old code may become deprecated....?
>
>
>
> On 30/03/14 06:48, johanna curiel curiel wrote:
>
> I was part of the project advisory board, but it seems that I fell from that
> board without knowing it.
>
> Now I hear the news about taking out flagship status from certain projects.
>
> I was against this because, once a project reaches maturity, it is not likely to
> go back to "incubator".
> The term is not appropriate for a mature project to go back to something it's
> not anymore.
>
> what has happened here is that the project has lost its drive, has become
> outdated. in case of ESAPI, certain components have become obsolete with
> time, but no way they are INCUBATOR!
>
> people of owasp, you want to have volunteers? Respect their role when asking
> to be part and now I feel rudely taken out of that board and decisions
> are being made secretly without those volunteers knowing...I'm very
> disappointed.
>
> This is in no way a democratic system. even less when volunteers put efforts
> that now are taken for granted and wiped like nothing off the table.
>
> You want volunteers? Respect them.
>
> Regards
>
> johanna
>
>
>
>
> On Saturday, March 29, 2014, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> Dinis,
>>
>> If we set our sights to small usable components instead of huge securing
>> coding frameworks we can win. I shepherd several projects at OWASP that
>> coincidentally Apache Shiro will be using to help add AntiXSS capabilities.
>>
>> I'm not hot on the "standard" that ESAPI is seeking, it's a good idea, but
>> I'd rather focus on giving devs something that is immediately usable and
>> helpful to solve a discrete problem *in a production quality high
>> performance way*. This is why I'm so fond of the work of Jeff Ichnowski
>> (Java Encoder Project) and Mike Samuel (OWASP HTML Sanitizer and OWASP JSON
>> encoder). These gents are both PhD level software engineers and applied
>> defensive AppSec experts. They are not software engineering hackers. ;)
>>
>> We are going to slice and dice ESAPI into several small projects under a
>> non-ESAPI banner. Trust me, this is the right path to serve the mission of
>> helping devs build secure web applications.
>>
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>
>> I think this is a great step for ESAPI which maybe will help it (ESAPI) to
>> have a much more realistic and achievable focus.
>>
>> Kudos to Kevin for doing this and allowing the correct mapping of ESAPI
>>
>> I've written (in 2010, 2011) about my views about ESAPI and where it
>> should go (i.e. ESTAPI):
>>
>> The ESTAPI idea
>> A couple more comments on ESAPI and ESTAPI
>> Recommending ESAPI?
>>
>> And in case you missed these, recently (2013) I was able to consume ESAPI
>> java from .NET (i.e. the O2 Platform)
>>
>> Loading OWASP ESAPI jar and its dependencies from C# (using jni4net)
>> View ESAPI 11 Encodings methods in real-time via an ASP.NET Web Page
>> Another step in the use of ESAPI and AppSensor Jars from .Net/C# (using
>> Jni4Net)
>> First execution of ESAPI.jar Encoder methods from O2's C# REPL
>>
>> Btw, I still think ESAPI is a great idea and something that just about all
>> frameworks and companies need (i.e. Enterprise Security APIs).
>>
>> The problem was that OWASP's community tried to be a 'professional
>> development org', which is something that (with some minor exceptions) we
>> are not capable of. Organisations/groups like http://shiro.apache.org/ are
>> much more suited for that type of 'mission critical development'.
>>
>> Dinis
>>
>>
>>
>> On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> Why you should no longer use the OWASP ESAPI project, why you should not
>>> be recommending the OWASP ESAPI project, and why the OWASP ESAPI project is
>>> not deserving of flagship status.
>>>
>>>
>>> http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
>>>
>>> - Jim
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>



-- 
Riotaro OKADA
OWASP Japan Chapter
Leader

