[Owasp-leaders] OWASP ESAPI Project Status

johanna curiel curiel johanna.curiel at owasp.org
Sun Mar 30 19:51:05 UTC 2014


> Frankly speaking, I felt it unnatural to score OWASP projects using OpenSAMM
> ways and the form when I received the mail from this mailing list.
> Using a governance model or commercial model may be kind of far from scoring
> each "value" of "as-is" based OWASP projects. And it may be too conceptual and
> difficult to answer for people who have never used each project.

Well, this is exactly what I told Samantha when she proposed this system.
I understand from Samantha that this decision was not from her alone. I
knew it was not going to work, but I guess sometimes you just need to try
something so you can make your point.

We should use very simple, satisfaction kind of surveys for users of the
projects. This will provide us with a better picture of the situation.
Someone who does not know the project cannot judge it.


> It is not only an issue of "flagship" projects. All projects will be
> interested in how OWASP promotes and picks up projects as "flagship". It
> will be one of the standpoints of the OWASP community.
> I am really interested in how OWASP can discuss this matter.

Well, I'm volunteering to be at the next AppSec EU & US, so let me know if
we can set up sessions to discuss this, as we did last year. The criteria
to analyze the situation per project type have been done, but we need
better input mechanisms from the community, such as a simple survey, to
gather data about the project.

The community's opinion is a major factor in determining the status of a
project, not only what we as the Project Advisory Board think.




On Sun, Mar 30, 2014 at 1:56 AM, Riotaro OKADA <riotaro.okada at owasp.org> wrote:

> > Ps.: maybe a small personal comment: in my personal view, the maturity
> > level of a project should not be a given and retained forever without any
> > maintenance efforts, but it should be earned and judged by maturity and
> > quality compared to other projects on a continuous basis.
>
> I totally agree with this point.
>
> Actually I was a committee member in charge of investigating OSS maturity
> models, collaborating with the QualiPSo (EU project) team for 3 years.
> We tested by using various methodologies like MOSST (focusing on the code
> analysis), OP2A (focusing on their communication website), OMM (focusing
> on the development cycle), and so on.
> Throughout these studies we have only learned how it is not simple to
> measure the "values" of open source software projects.
>
> I do not have the best idea to solve this, but I fully understand that
> both the project and the software each have a "life-cycle" and steps to
> become "mature" for their own purpose and usage (which of course vary, too).
> Some should update frequently to fit up-to-date issues, but others should
> not do so because of stability.
>
> Frankly speaking, I felt it unnatural to score OWASP projects using OpenSAMM
> ways and the form when I received the mail from this mailing list.
> Using a governance model or commercial model may be kind of far from scoring
> each "value" of "as-is" based OWASP projects. And it may be too conceptual and
> difficult to answer for people who have never used each project.
>
> So it is understandable that some key persons of projects may feel
> disappointed, even if the projects have been used by many people, because
> of "maturity". I also think it would be a careful matter for us all.
>
> It is not only an issue of "flagship" projects. All projects will be
> interested in how OWASP promotes and picks up projects as "flagship". It
> will be one of the standpoints of the OWASP community.
>
> I am really interested in how OWASP can discuss this matter.
>
> Thanks,
>
> Rio
>
> On Sun, Mar 30, 2014 at 1:36 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> > Dear Johanna,
> >
> > thank you for your email. I can feel your concerns.
> > And rest assured that Jim and all the others very much value and
> > appreciate all OWASP volunteers' work.
> >
> > Maybe a small question:
> > What do you think we should do with outdated projects that are not
> > maintained for a long time, like e.g. ESAPI?
> >
> > Because IMHO clearly they cannot stay Flagship projects....?
> >
> > Just my 2 cents,
> >
> > All the best, Tobias
> >
> >
> > Ps.: maybe a small personal comment: in my personal view, the maturity
> > level of a project should not be a given and retained forever without any
> > maintenance efforts, but it should be earned and judged by maturity and
> > quality compared to other projects on a continuous basis. So if something
> > deprecates, we should not recommend it as flagship anymore. Same like we
> > recommend old functions in old code may become deprecated....?
> >
> >
> >
> > On 30/03/14 06:48, johanna curiel curiel wrote:
> >
> > I was part of the project advisory board, but it seems that I fell from
> > that board without knowing it.
> >
> > Now I hear the news about taking out flagship status from certain
> > projects.
> >
> > I was against this because, once a project reaches maturity, it is not
> > likely to go back to "incubator".
> > The term is not appropriate for a mature project to go back to something
> > it's not anymore.
> >
> > What has happened here is that the project has lost its drive, has become
> > outdated. In the case of ESAPI, certain components have become obsolete
> > with time, but no way are they INCUBATOR!
> >
> > People of OWASP, you want to have volunteers? Respect their role when
> > asking them to be part, and now I feel rudely taken out of that board and
> > decisions are being made secretly without those volunteers knowing... I'm
> > very disappointed.
> >
> > This is in no way a democratic system. Even less when volunteers put in
> > efforts that now are taken for granted and wiped like nothing off the
> > table.
> >
> > You want volunteers? Respect them.
> >
> > Regards
> >
> > johanna
> >
> >
> >
> >
> > On Saturday, March 29, 2014, Jim Manico <jim.manico at owasp.org> wrote:
> >>
> >> Dinis,
> >>
> >> If we set our sights on small usable components instead of huge secure
> >> coding frameworks we can win. I shepherd several projects at OWASP that
> >> coincidentally Apache Shiro will be using to help add AntiXSS
> >> capabilities.
> >>
> >> I'm not hot on the "standard" that ESAPI is seeking. It's a good idea,
> >> but I'd rather focus on giving devs something that is immediately usable
> >> and helpful to solve a discrete problem *in a production quality high
> >> performance way*. This is why I'm so fond of the work of Jeff Ichnowski
> >> (Java Encoder Project) and Mike Samuel (OWASP HTML Sanitizer and OWASP
> >> JSON encoder). These gents are both PhD level software engineers and
> >> applied defensive AppSec experts. They are not software engineering
> >> hackers. ;)
> >>
> >> We are going to slice and dice ESAPI into several small projects under a
> >> non-ESAPI banner. Trust me, this is the right path to serve the mission
> >> of helping devs build secure web applications.
> >>
> >> --
> >> Jim Manico
> >> @Manicode
> >> (808) 652-3805
> >>
> >> On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
> >>
> >> I think this is a great step for ESAPI which maybe will help it (ESAPI)
> >> to have a much more realistic and achievable focus.
> >>
> >> Kudos to Kevin for doing this and allowing the correct mapping of ESAPI.
> >>
> >> I've written (in 2010, 2011) about my views on ESAPI and where it
> >> should go (i.e. ESTAPI):
> >>
> >> The ESTAPI idea
> >> A couple more comments on ESAPI and ESTAPI
> >> Recommending ESAPI?
> >>
> >> And in case you missed these, recently (2013) I was able to consume
> >> ESAPI Java from .NET (i.e. the O2 Platform):
> >>
> >> Loading OWASP ESAPI jar and its dependencies from C# (using jni4net)
> >> View ESAPI 11 Encodings methods in real-time via an ASP.NET Web Page
> >> Another step in the use of ESAPI and AppSensor Jars from .Net/C# (using
> >> Jni4Net)
> >> First execution of ESAPI.jar Encoder methods from O2's C# REPL
> >>
> >> Btw, I still think ESAPI is a great idea and something that just about
> >> all frameworks and companies need (i.e. Enterprise Security APIs).
> >>
> >> The problem was that OWASP's community tried to be a 'professional
> >> development org', which is something that (with some minor exceptions)
> >> we are not capable of. Organisations/groups like http://shiro.apache.org/
> >> are much more suited for that type of 'mission critical development'.
> >>
> >> Dinis
> >>
> >>
> >>
> >> On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org> wrote:
> >>>
> >>> Why you should no longer use the OWASP ESAPI project, why you should
> >>> not be recommending the OWASP ESAPI project, and why the OWASP ESAPI
> >>> project is not deserving of flagship status.
> >>>
> >>> http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
> >>>
> >>> - Jim
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >
> >
>
>
>
> --
> Riotaro OKADA
> OWASP Japan Chapter Leader