[Owasp-leaders] OWASP ESAPI Project Status

Samantha Groves samantha.groves at owasp.org
Sun Mar 30 21:04:34 UTC 2014


Excuse me, Johanna, but I did not propose this system. It was a collective
decision made during the summit by the project working session
participants. I was not even a participant in this session for the majority
of the time, as I was busy running the summit itself. You did voice your
concerns, but the team decided to move forward with this plan, as far as I
understand it (I was not there).

Once again, my role here is to be the facilitator for the community. I have
no decision-making power at OWASP. The decisions come from leader
contributions and initiatives. If the community is unhappy with what the
group came up with, I suggest we get back on track and make positive
changes with the now very clear responses we are getting from Leaders. I am
glad that we are now getting feedback from the community.



On Sun, Mar 30, 2014 at 12:51 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

>
> Frankly speaking, I felt it unnatural to score OWASP Projects using OpenSAMM
> ways and the form when I received the mail from this mailing list.
> Using a governance model or commercial model may be a bit far to score
> each "value" of "as-is" based OWASP projects. And it may be too conceptual
> and difficult to answer for people who have never used each project.
>
> Well, this is exactly what I told Samantha when she proposed this system.
> I understand from Samantha that this decision was not from her alone. I
> knew it was not going to work, but I guess sometimes you just need to try
> something so you can make your point.
>
> We should use very simple, satisfaction-type surveys for users of the
> projects. This will give us a better picture of the
> situation. Someone who does not know the project cannot judge it.
>
>
> It is not only an issue of "flagship" projects. All projects will be
> interested in how OWASP promotes and picks up projects as "flagship". It
> will be one of the standpoints of the OWASP community. I am really
> interested in how OWASP can discuss this matter.
>
> Well, I'm volunteering to be at the next AppSec EU & US, so let me know if
> we can set up, as we did last year, sessions to discuss this. The criteria
> to analyze the situation per project type have been done, but we need
> better input mechanisms from the community, such as a simple survey, to
> gather data about the project.
>
> The community's opinion is a major factor in determining the status of a
> project, not only what we as the Project Advisory Board think.
>
>
>
>
> On Sun, Mar 30, 2014 at 1:56 AM, Riotaro OKADA <riotaro.okada at owasp.org>wrote:
>
>> > Ps.: maybe a small personal comment: in my personal view, the maturity
>> > level of a project should not be a given and retained forever without
>> > any maintenance efforts, but it should be earned and judged by maturity
>> > and quality compared to other projects on a continuous basis.
>>
>> I totally agree with this point.
>>
>> Actually, I was a committee member in charge of investigating OSS
>> maturity models, collaborating with the QualiPSo (EU project) team for 3
>> years.
>> We tested by using various methodologies like MOSST (focusing on
>> the code analysis), OP2A (focusing on their communication website), OMM
>> (focusing on the development cycle), and so on.
>> Throughout these studies we have only learned how it is not simple
>> to measure the "values" of open source software projects.
>>
>> I do not have the best idea to solve this, but I fully understand that
>> both projects and software each have a "life-cycle" and steps to become
>> "mature" for their own purpose and usage (which of course vary, too).
>> Some should update frequently to fit up-to-date issues, but others should
>> not do so because of stability.
>>
>> Frankly speaking, I felt it unnatural to score OWASP Projects using
>> OpenSAMM ways and the form when I received the mail from this mailing
>> list. Using a governance model or commercial model may be a bit far to
>> score each "value" of "as-is" based OWASP projects. And it may be too
>> conceptual and difficult to answer for people who have never used each
>> project.
>>
>> So it is understandable that some key persons of projects may feel
>> disappointed, even if the project has been used by many people, because
>> of "maturity". I also think it would be a careful matter for us all.
>>
>> It is not only an issue of "flagship" projects. All projects will be
>> interested in how OWASP promotes and picks up projects as "flagship". It
>> will be one of the standpoints of the OWASP community.
>>
>> I am really interested in how OWASP can discuss this matter.
>>
>> Thanks,
>>
>> Rio
>>
>> On Sun, Mar 30, 2014 at 1:36 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> > Dear Johanna,
>> >
>> > thank you for your email. I can feel your concerns.
>> > And rest assured that Jim and all the others very much value and
>> > appreciate all OWASP volunteers' work.
>> >
>> > Maybe a small question:
>> > What do you think we should do with outdated projects that have not
>> > been maintained for a long time, like e.g. ESAPI?
>> >
>> > Because IMHO clearly they cannot stay Flagship projects....?
>> >
>> > Just my 2cents,
>> >
>> > All the best, Tobias
>> >
>> >
>> > Ps.: maybe a small personal comment: in my personal view, the maturity
>> > level of a project should not be a given and retained forever without
>> > any maintenance efforts, but it should be earned and judged by maturity
>> > and quality compared to other projects on a continuous basis. So if
>> > something deprecates, we should not recommend it as flagship anymore.
>> > Just like we recommend that old functions in old code may become
>> > deprecated....?
>> >
>> >
>> >
>> > On 30/03/14 06:48, johanna curiel curiel wrote:
>> >
>> > I was part of the project advisory board, but it seems that I fell from
>> > that board without knowing it.
>> >
>> > Now I hear the news about taking out flagship status from certain
>> > projects.
>> >
>> > I was against this because, once a project reaches maturity, it is not
>> > likely to go back to "incubator".
>> > The term is not appropriate for a mature project to go back to something
>> > it's not anymore.
>> >
>> > What has happened here is that the project has lost its drive and has
>> > become outdated. In the case of ESAPI, certain components have become
>> > obsolete with time, but no way are they INCUBATOR!
>> >
>> > People of OWASP, you want to have volunteers? Respect their role when
>> > asking them to be part, and now I feel rudely taken out of that board
>> > and decisions are being made secretly without those volunteers
>> > knowing... I'm very disappointed.
>> >
>> > This is in no way a democratic system, even less when volunteers put in
>> > efforts that now are taken for granted and wiped like nothing off the
>> > table.
>> >
>> > You want volunteers? Respect them.
>> >
>> > Regards
>> >
>> > johanna
>> >
>> >
>> >
>> >
>> > On Saturday, March 29, 2014, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >> Dinis,
>> >>
>> >> If we set our sights on small usable components instead of huge secure
>> >> coding frameworks we can win. I shepherd several projects at OWASP
>> >> that, coincidentally, Apache Shiro will be using to help add AntiXSS
>> >> capabilities.
>> >>
>> >> I'm not hot on the "standard" that ESAPI is seeking; it's a good idea,
>> >> but I'd rather focus on giving devs something that is immediately
>> >> usable and helpful to solve a discrete problem *in a production quality
>> >> high performance way*. This is why I'm so fond of the work of Jeff
>> >> Ichnowski (Java Encoder Project) and Mike Samuel (OWASP HTML Sanitizer
>> >> and OWASP JSON encoder). These gents are both PhD level software
>> >> engineers and applied defensive AppSec experts. They are not software
>> >> engineering hackers. ;)
>> >>
>> >> We are going to slice and dice ESAPI into several small projects under
>> >> a non-ESAPI banner. Trust me, this is the right path to serve the
>> >> mission of helping devs build secure web applications.
>> >>
>> >> --
>> >> Jim Manico
>> >> @Manicode
>> >> (808) 652-3805
>> >>
>> >> On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> >>
>> >> I think this is a great step for ESAPI which maybe will help it
>> >> (ESAPI) to have a much more realistic and achievable focus.
>> >>
>> >> Kudos to Kevin for doing this and allowing the correct mapping of ESAPI
>> >>
>> >> I've written (in 2010, 2011) about my views about ESAPI and where it
>> >> should go (i.e. ESTAPI):
>> >>
>> >> The ESTAPI idea
>> >> A couple more comments on ESAPI and ESTAPI
>> >> Recommending ESAPI?
>> >>
>> >> And in case you missed these, recently (2013) I was able to consume
>> >> ESAPI java from .NET (i.e. the O2 Platform)
>> >>
>> >> Loading OWASP ESAPI jar and its dependencies from C# (using jni4net)
>> >> View ESAPI 11 Encodings methods in real-time via an ASP.NET Web Page
>> >> Another step in the use of ESAPI and AppSensor Jars from .Net/C# (using
>> >> Jni4Net)
>> >> First execution of ESAPI.jar Encoder methods from O2's C# REPL
>> >>
>> >> Btw, I still think ESAPI is a great idea and something that just about
>> >> all frameworks and companies need (i.e. an Enterprise Security API).
>> >>
>> >> The problem was that OWASP's community tried to be a 'professional
>> >> development org', which is something that (with some minor exceptions)
>> >> we are not capable of. Organisations/groups like http://shiro.apache.org/
>> >> are much more suited for that type of 'mission critical development'.
>> >>
>> >> Dinis
>> >>
>> >>
>> >>
>> >> On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org> wrote:
>> >>>
>> >>> Why you should no longer use the OWASP ESAPI project, why you should
>> >>> not be recommending the OWASP ESAPI project, and why the OWASP ESAPI
>> >>> project is not deserving of flagship status.
>> >>>
>> >>>
>> >>>
>> http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
>> >>>
>> >>> - Jim
>> >>> _______________________________________________
>> >>> OWASP-Leaders mailing list
>> >>> OWASP-Leaders at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>
>> >>
>> >
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Riotaro OKADA
>> OWASP Japan Chapter
>> Leader
>>
>
>
>
>


-- 

*Samantha Groves, MBA*

*OWASP Projects Manager*


The OWASP Foundation

Phoenix, USA

Email: samantha.groves at owasp.org

Skype: samanthahz


OWASP Global Projects<https://www.owasp.org/index.php/Category:OWASP_Project>

Book a Meeting with Me <http://goo.gl/mZXdZ>

OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>

New Project Application Form <http://www.tfaforms.com/263506>