[Owasp-leaders] Fwd: Is it feasible to have an OWASP project that is a web application?

Jim Manico jim.manico at owasp.org
Wed Mar 25 15:27:14 UTC 2015

Several of our products are web applications. Take WebGoat - a purposely
insecure application for education.

Keep in mind that all OWASP projects must be under an open source license.
So if you want to drive a project that includes a live website for some
reason, all code that drives it must be open source in order for it to be
an OWASP project.

Jim Manico
(808) 652-3805

On Mar 25, 2015, at 9:23 AM, Mike Goodwin <mike.goodwin at owasp.org> wrote:

Hello all,

All the OWASP projects I have looked at are either

   - Media projects (e.g. ASVS), or
   - Locally installed tools (e.g. ZAP)

Is it feasible, do you think, to have a project that is a web application? I
am thinking about a collaborative threat modelling tool. It feels like it
should be a web application rather than an installed application.

It seems like the cost of operating a secure multi-user web app with all
the hosting, backup, availability and security responsibilities that come
along with that would make it infeasible for an organisation like OWASP.

On the other hand, it seems odd that an organisation that is about web
applications does not run any (other than the OWASP web site, obviously).

Thoughts welcome...

