[Owasp-leaders] Fwd: Is it feasible to have an OWASP project that is a web application?

Dave Wichers dave.wichers at owasp.org
Wed Mar 25 17:47:28 UTC 2015

You can use any language you want. What has to be open source is whatever the project produces. If you leverage languages, tools, libraries, whatever that aren’t open source, that’s OK.


For example, someone could produce extensions to Burp, which is a free, but commercial, application security tool (there is a paid version too), and release them under OWASP. They could release new rules for Fortify or AppScan or whatever. Those tools certainly aren’t free, but if what the project produces is free/open, that’s OK and what is required to be an OWASP project.




From: Mike Goodwin [mailto:mike.goodwin at owasp.org] 
Sent: Wednesday, March 25, 2015 12:07 PM
To: Dave Wichers
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Fwd: Is it feasible to have an OWASP project that is a web application?


Hmm. Open source...


I was going to use ASP.Net since that is what I'm best at. Would that be allowed? It is open source now. WebGoat.Net is .Net (obviously) so I assumed that was a precedent. The other 3rd party components I was thinking of so far are all open source.


As for distributing on a VM or with an installer, I'd have to think about what that would mean. With my DevOps hat on, I already designed a multi-server, HA architecture :o)


On Wed, Mar 25, 2015 at 3:48 PM, Dave Wichers <dave.wichers at owasp.org> wrote:

Can you make it deliverable on a VM or installable like WebGoat? I.e., there could be many copies of the web app not just one? If you do that, no problem at all.


And everything developed to build it is open source of course.




From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mike Goodwin
Sent: Wednesday, March 25, 2015 11:22 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Fwd: Is it feasible to have an OWASP project that is a web application?


Hello all,


All the OWASP projects I have looked at are either

*	Media projects (e.g. ASVS), or
*	Locally installed tools (e.g. ZAP)

Is it feasible, do you think, to have a project that is a web application? I am thinking about a collaborative threat modelling tool. It feels like it should be a web application rather than an installed application.


It seems like the cost of operating a secure multi-user web app with all the hosting, backup, availability and security responsibilities that come along with that would make it infeasible for an organisation like OWASP.


On the other hand, it seems odd that an organisation that is about web applications does not run any (other than the OWASP web site, obviously).


Thoughts welcome...






