[Owasp-leaders] OWASP ESAPI Project Status

johanna curiel curiel johanna.curiel at owasp.org
Sun Mar 30 19:40:44 UTC 2014

Maybe a small question:
What do you think we should do with outdated projects that are not
maintained for a long time, like e.g. ESAPI.

What I proposed in this case was:
Contact project leader and get a status of the situation. Also using a
simple survey among users to get a picture of the actual status. People who
do not use the project cannot say much or judge a project.
I took the work of downloading every flagship project and look at the code,
read their documentation, also what the community was saying and the amount
of activity in their discussion boards or groups.

Categorized Flagship & other  projects based on activity to a subcategory
such as
"Flagship-Active" ==> Project continuous to develops regularly and counts
with a good amount of contributors: Example: ZAP

"Flagship-Stable"==> It has reach stability but no major contributions or
changes are been done, however is widely adopted by the community
example==> Most document projects fall in this category. However if the
document has not been updated in a long time, it may fall into "recession"

"Flagship-Recession"==> Project is in the brink of becoming obsolete.It
 has not active contributors or users.==> For example, certain modules of
ESAPI but some are very good and actively used

 A flagship project that is not active should be set aside but not before
we speak with the project leader and provide him a chance for surviving if
there is a chance. If not then, we should set aside this projects as
something they were (Flasghip) but has get cold.

Projects with Recession label should be set apart. We must consider if due
to technological changes, are they not interesting to the community any
more(example ESAPI.NET, .NET framework has much stronger security features
so this seems like becoming obsolete read this threat ==>

comment from one user: Dead for .NET perhaps. Alive and kicking for Java.
(I've implemented it in two corporations, one fortune-500 and one fortune
1000) ESAPI is also used as the de-facto training tool for security
remediation by SANS and Veracode alike. -
 Mar 20 at 15:22<http://stackoverflow.com/questions/4318410/is-esapi-net-a-dead-project#comment34297789_7501617>

On Sun, Mar 30, 2014 at 12:36 AM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Dear Johanna,
> thank you for your email. I can feel your concerns.
> And rest assured that Jim and all the others very much value and
> appreciate all OWASP volunteers work.
> Maybe a small question:
> What do you think we should do with outdated projects that are not
> maintained for a long time, like e.g. ESAPI.
> Because IMHO clearly they can not stay Flagship projects....?
> Just my 2cents,
> All the best, Tobias
> Ps.: maybe a small personal comment: in my personal view, the maturity
> level of a project should not be a given and retained forever without any
> maintenance efforts, but it should be earned and judged by maturity and
> quality compared to other projects on a continuous basis. So if something
> deprecates, we should not recommend it as flagship anymore. Same like we
> recommend old functions in old code may become deprecated....?
> On 30/03/14 06:48, johanna curiel curiel wrote:
> I was part of the project advisory board, but it seems that I felt from
> that board without knowing it.
>  Now I hear the news about taking out flagship status from certain
> projects.
>  I was against this because, once a project reaches maturity is not
> likely to go back to "incubator".
> The term is not appropiate for a mature project to go back to
> something it's not anymore.
>  what had happend here is that the project has loose his drive, has
> become outdated. in case of ESAPI, certain components have become obsolete
> with time, but noway they are INCUBATOR!
>  people of owasp, you want to have volunteers? Respect their role when
> asking to be part and now I feel rudelessly taken out of that board and
> decisions are been made secretly without those volunteers not knowing...I'm
> very dissapointed.
>  This is in no way a democratic system. even less when volunteers put
> efforts tnat now are taken for granted and wiped like nothing out of the
> table.
>  You want volunteers? Respect them.
>  Regards
>  johanna
> On Saturday, March 29, 2014, Jim Manico <jim.manico at owasp.org> wrote:
>>  Dinis,
>>  If we set our sights to small usable components instead of huge
>> securing coding frameworks we can win. I shepherd several projects at OWASP
>> that coincidentally Apache Shiro will be using to help add AntiXSS
>> capabilities.
>>  I'm not hot on the "standard" that ESAPI is seeking, it's a good idea,
>> but I'd rather focus on giving devs something that is immediately usable
>> and helpful to solve a discrete problem *in a production quality high
>> performance way*. This is why I'm so fond the the work of Jeff Ichnowski
>> (Java Encoder Project) and Mike Samuel (OWASP HTML Sanitizer and OWASP JSON
>> encoder). These gents are both PhD level software engineers and applied
>> defensive AppSec experts. They are not software engineering hackers. ;)
>> We are going to slice and dice ESAPI into several small projects under a
>> non-ESAPI banner. Trust me, this is the right path to serve the mission of
>> helping devs build secure web applications.
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>   I think this is a great step for ESAPI which maybe will help it
>> (ESAPI) to have a much more realistic and achievable focus.
>>  Kudos to Kevin for doing this and allowing the correct mapping of ESAPI
>>  I've written (in 2010, 2011) about my views about ESAPI and where it
>> should go (i.e. ESTAPI):
>>    - The ESTAPI idea <http://blog.diniscruz.com/2011/06/estapi-idea.html>
>>     - A couple more comments on ESAPI and ESTAPI<http://blog.diniscruz.com/2010/01/couple-more-comments-on-esapi-and.html>
>>     - Recommending ESAPI?<http://blog.diniscruz.com/2010/01/recommending-esapi.html>
>> And in case you missed these, recently (2013) I was able to consume ESAPI
>> java from .NET (i.e. the O2 Platform)
>>    - Loading OWASP ESAPI jar and its dependencies from C# (using jni4net)<http://blog.diniscruz.com/2013/03/loading-owasp-esapi-jar-and-its.html>
>>     - View ESAPI 11 Encodings methods in real-time via an ASP.NET Web
>>    Page<http://blog.diniscruz.com/2013/06/view-esapi-11-encodings-methods-in-real.html>
>>     - Another step in the use of ESAPI and AppSensor Jars from .Net/C#
>>    (using Jni4Net)<http://blog.diniscruz.com/2013/06/another-step-in-use-of-esapi-and.html>
>>     - First execution of ESAPI.jar Encoder methods from O2's C# REPL<http://blog.diniscruz.com/2013/05/first-execution-of-easpijar-encoder.html>
>>  Btw, I still think ESAPI is a great idea and something that just about
>> all frameworks and companies needs (i.e. an Enterprise Security APIs).
>>  The problem was that OWASP's community tried to be a 'professional
>> development org', which is something that (with some minor exceptions) we
>> are not capable of. Organisations/groups like http://shiro.apache.org/are much more suited for that type of 'mission critical development'
>>  Dinis
>> On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org> wrote:
>>> Why you should no longer use the OWASP ESAPI project, why you should not
>>> be recommending the OWASP ESAPI project, and why the OWASP ESAPI project is
>>> not deserving of flagship status.
>>> http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
>>> - Jim
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing listOWASP-Leaders at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140330/5b896e78/attachment.html>

More information about the OWASP-Leaders mailing list