[Owasp-leaders] OWASP ESAPI Project Status

Jim Manico jim.manico at owasp.org
Mon Mar 31 00:46:03 UTC 2014


+1 Samantha. I think that is a fair perspective. But I think project
evaluations are still a mess and the advisory boards and proper reviews are
not happening and it's been about a year now.

I have an abundance of free time this year and can volunteer to help you be
more successful. I would be happy to be your assistant and run the advisory
teams, issue proper qualitative surveys to the projects, and help track
that data so we can better evaluate those projects.

I have a great deal of experience in this area and am usually right about
these things, except for the one time I thought I was wrong.

Thanks Samantha, you call it. I'm not just complaining, I'm very willing to
help make it happen.
--
Jim Manico
@Manicode
(808) 652-3805

On Mar 30, 2014, at 11:06 AM, Samantha Groves <samantha.groves at owasp.org>
wrote:

Excuse me, Johanna but I did not propose this system. It was a collective
decision made during the summit by the project working session
participants. I was not even a participant in this session for the majority
of the time as I was busy running the summit itself. You did voice your
concerns, but the team decided to move forward with this plan as far as I
understand it because I was not there.

Once again, my role here is to be the facilitator for the community. I have
no decision making power at OWASP. The decisions come from leader
contributions and initiatives. If the community is unhappy with what the
group came up with, I suggest we get back on track and make positive
changes with the now very clear responses we are getting from Leaders. I am
glad that we are now getting feedback from the community.



On Sun, Mar 30, 2014 at 12:51 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

>
> > Frankly speaking, it felt unnatural to score OWASP Projects using OpenSAMM
> > ways and the form when I received the mail from this mailing list.
> > Using a governance model or commercial model may be somewhat far from
> > scoring each "value" of "as-is" based OWASP projects. And it may be too
> > conceptual and difficult to answer for people who have never used each
> > project.
>
> Well, this is exactly what I told Samantha when she proposed this system.
> I understand from Samantha that this decision was not from her alone. I
> knew it was not going to work, but I guess sometimes you just need to try
> something so you can make your point.
>
> We should use very simple, satisfaction kind of surveys for users of the
> projects. This will provide us a better picture of the
> situation. Someone that does not know the project cannot judge it.
>
>
> > It is not only an issue of "flagship" projects. All projects will be
> > interested in how OWASP promotes and picks projects as "flagship". It
> > will be one of the standpoints of the OWASP community. I am really
> > interested in how OWASP can discuss this matter.
>
> Well, I'm volunteering to be at the next APPSEC EU & US, so let me know if
> we can set up, as we did last year, sessions to discuss this. The criteria to
> analyze the situation per project type have been done, but we need better
> input mechanisms from the community, such as a simple survey, to gather
> data about the projects.
>
> The community's opinion plays a major factor in determining the status of a
> project, not only what we as the Project Advisory Board think.
>
>
>
>
> On Sun, Mar 30, 2014 at 1:56 AM, Riotaro OKADA <riotaro.okada at owasp.org> wrote:
>
>> > Ps.: maybe a small personal comment: in my personal view, the maturity
>> level
>> > of a project should not be a given and retained forever without any
>> > maintenance efforts, but it should be earned and judged by maturity and
>> > quality compared to other projects on a continuous basis.
>>
>> I totally agree with this point.
>>
>> Actually, I was a member of a committee focusing on investigating
>> OSS maturity models, collaborating with the QualiPSo (EU project) team for 3
>> years.
>> We tested by using various methodologies like MOSST (focusing on
>> the code analysis), OP2A (focusing on their communication website), OMM
>> (focusing on the development cycle), and so on.
>> Throughout these studies we have only learned how it is not simple
>> to measure the "values" of open source software projects.
>>
>> I do not have the best idea to solve this, but I understand fully that
>> both the project and the software each have a "life-cycle" and steps to be
>> "mature"
>> for their own purpose and usage (which of course vary, too).
>> Some should update frequently to fit up-to-date issues, but others should
>> not do so because of stability.
>>
>> Frankly speaking, it felt unnatural to score OWASP Projects using OpenSAMM
>> ways and the form when I received the mail from this mailing list.
>> Using a governance model or commercial model may be somewhat far from
>> scoring each
>> "value" of "as-is" based OWASP projects. And it may be too conceptual and
>> difficult to answer for people who have never used each project.
>>
>> So it is understandable that some key persons of projects may feel
>> disappointed,
>> even if the projects have been used by many people, because of "maturity".
>> I also think it would be a matter requiring care for us all.
>>
>> It is not only an issue of "flagship" projects. All projects will be
>> interested in
>> how OWASP promotes and picks projects as "flagship". It will be one of the
>> standpoints of the OWASP community.
>>
>> I am really interested in how OWASP can discuss this matter.
>>
>> Thanks,
>>
>> Rio
>>
>> On Sun, Mar 30, 2014 at 1:36 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> > Dear Johanna,
>> >
>> > thank you for your email. I can feel your concerns.
>> > And rest assured that Jim and all the others very much value and
>> appreciate
>> > all OWASP volunteers work.
>> >
>> > Maybe a small question:
>> > What do you think we should do with outdated projects that have not
>> > been maintained for a long time, like, e.g., ESAPI?
>> >
>> > Because IMHO clearly they cannot stay Flagship projects...?
>> >
>> > Just my 2cents,
>> >
>> > All the best, Tobias
>> >
>> >
>> > Ps.: maybe a small personal comment: in my personal view, the maturity
>> level
>> > of a project should not be a given and retained forever without any
>> > maintenance efforts, but it should be earned and judged by maturity and
>> > quality compared to other projects on a continuous basis. So if
>> something
>> > deprecates, we should not recommend it as flagship anymore. Similar to
>> > how old functions in old code may become deprecated...?
>> >
>> >
>> >
>> > On 30/03/14 06:48, johanna curiel curiel wrote:
>> >
>> > I was part of the project advisory board, but it seems that I fell from
>> that
>> > board without knowing it.
>> >
>> > Now I hear the news about taking flagship status away from certain
>> projects.
>> >
>> > I was against this because, once a project reaches maturity, it is not
>> likely to
>> > go back to "incubator".
>> > The term is not appropriate for a mature project to go back to something
>> it's
>> > not anymore.
>> >
>> > What has happened here is that the project has lost its drive, has
>> become
>> > outdated. In the case of ESAPI, certain components have become obsolete with
>> > time, but no way are they INCUBATOR!
>> >
>> > People of OWASP, you want to have volunteers? Respect their role when
>> asking
>> > them to be part, and now I feel rudely taken out of that board and
>> decisions
>> > are being made secretly without those volunteers knowing... I'm very
>> > disappointed.
>> >
>> > This is in no way a democratic system, even less when volunteers put in
>> efforts
>> > that now are taken for granted and wiped like nothing off the table.
>> >
>> > You want volunteers? Respect them.
>> >
>> > Regards
>> >
>> > johanna
>> >
>> >
>> >
>> >
>> > On Saturday, March 29, 2014, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >> Dinis,
>> >>
>> >> If we set our sights on small usable components instead of huge
>> secure
>> >> coding frameworks, we can win. I shepherd several projects at OWASP that
>> >> coincidentally Apache Shiro will be using to help add AntiXSS
>> capabilities.
>> >>
>> >> I'm not hot on the "standard" that ESAPI is seeking; it's a good idea,
>> but
>> >> I'd rather focus on giving devs something that is immediately usable
>> and
>> >> helpful to solve a discrete problem *in a production quality high
>> >> performance way*. This is why I'm so fond of the work of Jeff
>> Ichnowski
>> >> (Java Encoder Project) and Mike Samuel (OWASP HTML Sanitizer and OWASP
>> JSON
>> >> encoder). These gents are both PhD level software engineers and applied
>> >> defensive AppSec experts. They are not software engineering hackers. ;)
>> >>
>> >> We are going to slice and dice ESAPI into several small projects under
>> a
>> >> non-ESAPI banner. Trust me, this is the right path to serve the
>> mission of
>> >> helping devs build secure web applications.
>> >>
>> >> --
>> >> Jim Manico
>> >> @Manicode
>> >> (808) 652-3805
>> >>
>> >> On Mar 29, 2014, at 6:10 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> >>
>> >> I think this is a great step for ESAPI which maybe will help it
>> (ESAPI) to
>> >> have a much more realistic and achievable focus.
>> >>
>> >> Kudos to Kevin for doing this and allowing the correct mapping of ESAPI
>> >>
>> >> I've written (in 2010, 2011) about my views about ESAPI and where it
>> >> should go (i.e. ESTAPI):
>> >>
>> >> The ESTAPI idea
>> >> A couple more comments on ESAPI and ESTAPI
>> >> Recommending ESAPI?
>> >>
>> >> And in case you missed these, recently (2013) I was able to consume
>> ESAPI
>> >> java from .NET (i.e. the O2 Platform)
>> >>
>> >> Loading OWASP ESAPI jar and its dependencies from C# (using jni4net)
>> >> View ESAPI 11 Encodings methods in real-time via an ASP.NET Web Page
>> >> Another step in the use of ESAPI and AppSensor Jars from .Net/C# (using
>> >> Jni4Net)
>> >> First execution of ESAPI.jar Encoder methods from O2's C# REPL
>> >>
>> >> Btw, I still think ESAPI is a great idea and something that just about
>> all
>> >> frameworks and companies need (i.e. Enterprise Security APIs).
>> >>
>> >> The problem was that OWASP's community tried to be a 'professional
>> >> development org', which is something that (with some minor exceptions)
>> we
>> >> are not capable of. Organisations/groups like http://shiro.apache.org/ are
>> >> much more suited for that type of 'mission critical development'.
>> >>
>> >> Dinis
>> >>
>> >>
>> >>
>> >> On 29 March 2014 06:08, Jim Manico <jim.manico at owasp.org> wrote:
>> >>>
>> >>> Why you should no longer use the OWASP ESAPI project, why you should
>> not
>> >>> be recommending the OWASP ESAPI project, and why the OWASP ESAPI
>> project is
>> >>> not deserving of flagship status.
>> >>>
>> >>>
>> >>>
>> http://off-the-wall-security.blogspot.in/2014/03/esapi-no-longer-owasp-flagship-project.html
>> >>>
>> >>> - Jim
>> >>> _______________________________________________
>> >>> OWASP-Leaders mailing list
>> >>> OWASP-Leaders at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>
>> >>
>> >
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Riotaro OKADA
>> OWASP Japan Chapter
>> Leader
>>
>
>
>
>


-- 

*Samantha Groves, MBA*

*OWASP Projects Manager*


The OWASP Foundation

Phoenix, USA

Email: samantha.groves at owasp.org

Skype: samanthahz


OWASP Global Projects<https://www.owasp.org/index.php/Category:OWASP_Project>

Book a Meeting with Me <http://goo.gl/mZXdZ>

OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>

New Project Application Form <http://www.tfaforms.com/263506>


