[Owasp-leaders] Higher standards for accepting OWASP projects especially defender library projects

Tony Turner tony.turner at owasp.org
Fri Nov 20 18:25:32 UTC 2015


It is my opinion that any code project that purports to provide defensive
capabilities, not just libraries but projects such as seraphimdroid and
others, should undergo a standard code testing process before being promoted
to Flagship. All other projects should be clearly marked as "not production
ready" or "beta quality" both on the wiki, as well as on Github. Perhaps
we should have separate Github accounts for Incubator vs Flagship vs...

Why not at a minimum, leverage the SWAMP?

On Fri, Nov 20, 2015 at 1:09 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Leaders,
>
> There was a very interesting discussion regarding the OWASP PHPSEC library.
>
> The issues brought by some users of the library (Andrew Carter, James
> Titcumb, Katy Ereira and Sven Rautenberg, a former contributor) on the
> github repository mailing list are that the library contains many security
> issues, it has not been maintained for more than a year, and it should be
> taken down from the OWASP Github repository.
>
> https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768
> https://github.com/OWASP/phpsec/issues/108#issuecomment-158436572
> https://github.com/OWASP/phpsec/issues/108#issuecomment-158428769
> https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384
>
> They all presented quite strong arguments with code references that
> the library, even though it is an incubator project, can mislead
> potential users of the project into using it (which happened to them).
> They feel OWASP has a responsibility to not allow these projects to be
> under OWASP Github and to delete them.
>
> While I argued that a lot of effort was put in by volunteers, which might
> not have obtained the expected results, Andrew Carter argued back:
>
> *Could you confirm to me that you consider the feelings of your volunteers
> and contributors more important than the security of the applications
> developed by people trusting the OWASP namespace?*
>
> He presented a list of issues, and Sven, the former contributor, also agreed
> that sadly the library should be taken down from Github, but also from the
> OWASP inventory (to be set as inactive).
>
> I cc Claudia so this could be taken internally with the staff, as PHPSEC is
> not the only inactive library under OWASP Github and it definitely needs a
> clean up.
>
> The point I want to bring up is that higher standards are definitely
> needed to allow projects, but especially when these projects are 'security
> libraries'.
>
> Unfortunately, even though volunteers are making big efforts, I do agree
> this is definitely not an excuse (as Andrew mentioned) to allow them when
> people are trusting the OWASP name for security, even if it is an
> incubator project.
>
>
>
> Regards
>
> Johanna
>


-- 
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner at owasp.org
https://www.owasp.org/index.php/Orlando