[Owasp-leaders] OWASP ESAPI Project Status

Andrew van der Stock vanderaj at owasp.org
Sun Mar 30 23:12:14 UTC 2014

For what it is worth, and I almost hesitate to step in here, ESAPI for PHP
could be retired once the PHP Sec folks get a stable release. There doesn't
seem to be an active interest in maintaining or using it.


On Mon, Mar 31, 2014 at 9:31 AM, Dennis Groves <dennis.groves at owasp.org> wrote:

> I personally proposed the use of our very own best of breed application
> maturity model known as OpenSAMM. And it was adopted by the technical team
> for use in evaluation of the projects.
> OpenSAMM intentional or not is based on the Capability Maturity Model; and
> the capability maturity model is a standard created by Carnegie Mellon
> University and required by many DOD and U.S. Government contracts,
> especially software development. The CMM is the result of several PhD level
> sciences coming together in an interdisciplinary model.
> By standing on this bedrock of history, we promote our own derivative of
> the CMM, a project known as OpenSAMM; and this is a great idea because we
> want to promote the adoption of OWASP and the use of its projects. And
> OpenSAMM is rooted in this history of great science and is one of our very
> best projects because of this heritage, not to mention all the love and
> attention that was given to it.
> Second, CMM is based on a scientific method known as the Rasch Model,
> which allows you to statistically analyse the question, allowing you to
> identify the subset of data where people are talking from experience.
> Third, it defines a set of four buckets; Governance, development,
> verification and operations - and for the very same reason we can use
> OpenSAMM from everything to an SDLC to evaluating the maturity of an entire
> enterprise security management system of a company (as I have done
> literally hundreds of times, this is our flavour of a CMM and it is much, much
> more than an SDLC tool as I demonstrated now twice.)
> In the case of OWASP we derived all three values from using OpenSAMM as
> the basis for the project evaluation criteria. However, it should also be
> understood that it was only one of several questionnaires used in
> evaluating the project maturity.
> I also hope you will understand that OpenSAMM is much more than an SDLC
> tool; but that it inherits much of the science that went into the CMM and
> CMMI and can be used similarly.
> And as a side note additional value was derived as well, we learned that
> most projects did not fall into the Governance or Operational categories,
> but into the development and verification categories.
> In other words - OWASP is failing to give complete advice about how to
> deal with cyber-security!  (Opportunities for growth!)
> We are over focused on development and verification - this is stuff
> *everybody* has advice for. (Pen-Testing and Development)
> This has allowed us to branch out into areas where there is less
> competition such as the CISO guide (which I personally partially-funded,
> from one of my chapters) and the operational project I am working on now
> with BCS and GNU to start and fund a new OWASP project. Because we can
> create unique value in those spaces, keeping OWASP relevant!
> In order to remain relevant OWASP requires a long-game strategy (the
> project evaluations are part of that), we will not remain relevant if we
> keep playing in the same sandbox with everybody else. The project
> evaluations were part of understanding what that strategy may be and how to
> expand our current offerings.
> This is basic education for MBAs (like Samantha) and business management
> like the awesome OWASP Foundation Staff (Sarah and her team).
> What is most disappointing to me is that there are people in this thread
> calling community activities stupid; and not seeking to understand why
> something was done and what value it created.
> Dennis
> --
> Dennis Groves, MSc
> Email me, or schedule a meeting.
> This email is licensed under a CC BY-ND 3.0 license.
> Stand up for your freedom to install free software.
> Please do not send me Microsoft Office/Apple iWork documents.
> Send OpenDocument instead!
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders