[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

Jim Manico jim.manico at owasp.org
Thu Nov 26 00:20:44 UTC 2015


The project is still live and will continue to be.

https://github.com/OWASP/phpsec

1) It's been labeled clearly as abandoned, which is fair to say I think 
(in both GitHub and the Wiki).
2) The codebase has been deleted from the main branch.
3) For anyone who wishes to revive this project, all the code is in the 
project history.

I think this is a fair balance of all concerns.

Aloha,
Jim


On 11/26/15 1:46 AM, Antonio Fontes wrote:
> Hi,
>
> I agree with Abbas on this point.
>
> OWASP has a responsibility to warn users when a library project is 
> inactive, unmaintained and/or was identified as broken by experts in 
> the domain (if it really is, disclaimer: I have only read the content 
> posed in the leaders list).
>
> However, I don't see a valid rationale behind the decision to suppress 
> it entirely. Users don't get to decide what gets suppressed or not 
> from the web, especially when the content doesn't belong to them, more 
> especially when the argument is "it's not clean", and even more 
> especially when the request for deletion comes from "crypto-experts" 
> (I want to see the badge first).
>
> Our mission as OWASP leaders is to lead, not to baby-sit people, who 
> download code marked as unsafe and abandoned, and install it in their 
> organization's systems.
>
> If we abide by this rationale, then we should suppress all previous 
> versions of the OWASP guides that are currently available for download 
> as archives.
> Most of them are incomplete, do not cover the state of the art 
> knowledge we have reached today, and many of them contain advice that 
> is outdated.
>
> regards,
> Antonio
>
> --
> OWASP Geneva Chapter
> Contact: geneva at owasp.ch
> Twitter: @owasp_geneva
> Newsletter: https://lists.owasp.org/mailman/listinfo/owasp-geneva
> On 11/25/2015 8:02 PM, johanna curiel curiel wrote:
>> > All they want is to delete the code entirely, which doesn’t make sense to me 
>> > at all.
>>
>> Abbas, their point is that it is not responsible to leave this open if 
>> no one is going to document or fix it. I don't think it is responsible to 
>> leave an insecure library. And I did take the time to read the 
>> issues they mentioned.
>>
>> You are the one mainly responsible for your project, not the users who 
>> pinpointed the issues, nor should they go and change it when they have 
>> the opinion that the entire library does not serve the purpose.
>>
>> People who want to see the whole thread can judge for themselves:
>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>
>> I even defend you as volunteer but I have the opinion that we have a 
>> responsibility towards users especially if you have not worked in 
>> this project for more than a year and have no time to fix issues in a 
>> security library.
>>
>> Even Sven, who was a contributor in this project, accepted that this 
>> library does not achieve its purpose and should not be available to 
>> users; it is just not responsible.
>>
>> Sometimes we need to kill our darlings...
>>
>> Btw I'm just a contributor as you are.
>>
>>
>>
>> Regards
>>
>> Johanna
>>
>> On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>     I’m perfectly fine with criticising and QAing projects.
>>
>>     What I’m not fine with, is reading some blogs or posts somewhere,
>>     without verifying their validity, and then putting the blame on
>>     our contributors without proper investigation.
>>
>>     This is not how we defend and motivate our community.
>>
>>     Plus, the only solution for a “broken library” is either to fix
>>     it, or to announce it as broken. These gentlemen insisting on
>>     removing the library sounds like trolling to me. They even refuse
>>     to add a README file to the Github repo which clearly states that
>>     this project is inactive and insecure. All they want is to delete
>>     the code entirely, which doesn’t make sense to me at all.
>>
>>     I’m unhappy with your post, because you say “they have valid
>>     points” without properly investigating. They think they didn’t
>>     make progress by trolling on Github, and now are using you to
>>     reflect this issue on the leaders list. You could’ve contacted me
>>     first and asked about this before going public with it. I’m very
>>     unhappy with the process you have taken for this, undermining a
>>     contributor completely.
>>
>>     Regards
>>     -Abbas
>>
>>
>>>     On Nov 25, 2015, at 1:44 PM, johanna curiel curiel
>>>     <johanna.curiel at owasp.org> wrote:
>>>
>>>     > If you’d want to keep your “users” happy and your
>>>     > “contributors” unhappy, you should think of a
>>>     > commercial organisation instead of an open one.
>>>
>>>     I think this is a very difficult balance to strike. I understand
>>>     your pov as a contributor, but the fact is that OWASP also has a
>>>     reputation of being 'secure', so probably the expectations are
>>>     higher because we preach security.
>>>
>>>     Look, I volunteer too, but my proposals get questioned and
>>>     criticised in a way that feels to me like I've been
>>>     questioned as an employee and not a volunteer; but in a certain
>>>     way, if you look deeply, the people questioning my proposals want
>>>     to achieve goals that are aligned with the OWASP mission. And that
>>>     means I have to work harder to present my arguments. Just because
>>>     the effort is 'volunteered' does not mean it does not hold certain
>>>     responsibilities.
>>>
>>>     Let me ask you: has this project ever been tested to verify how
>>>     well it works or not? Most projects at OWASP do not have any
>>>     form of QA. Security libraries hold more responsibility in this
>>>     case.
>>>
>>>     This is a security library and if it contains security issues
>>>     then this is a problem. This does not align with the mission,
>>>     even if a lot of work was put to create this project.
>>>
>>>     I don't think they are trolling you. They have valid points, and
>>>     their complaint is that it is not responsible to leave this
>>>     library to be used if it holds these issues or they are not properly
>>>     explained. And it is not only the crypto issue.
>>>
>>>     Regards
>>>
>>>     Johanna
>>>
>>>     On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>         I agree with all of that.
>>>
>>>         This is an open source project. If they find issues,
>>>         especially tiny issues that can be fixed with a few lines of
>>>         code, they are welcome to do so. That is not grounds for deleting
>>>         a project.
>>>
>>>         The way I see it, is that they are trolling, and not
>>>         helping. I have not created this library, and I’m only
>>>         defending it because it is the right thing to do.
>>>         If you’d want to keep your “users” happy and your
>>>         “contributors” unhappy, you should think of a commercial
>>>         organization instead of an open one.
>>>
>>>         Regards
>>>         -Abbas
>>>
>>>>         On Nov 25, 2015, at 1:25 PM, johanna curiel curiel
>>>>         <johanna.curiel at owasp.org> wrote:
>>>>
>>>>         Abbas
>>>>
>>>>         I think they made very strong points and the project is
>>>>         right now inactive since it has not been updated in more
>>>>         than a year.
>>>>
>>>>         The people commenting on your project have quite a
>>>>         reputation themselves too.
>>>>
>>>>         I think if these issues cannot be fixed by you, since you
>>>>         are the leader and since the project is inactive, the best
>>>>         thing is to warn users.
>>>>         Sven, who was a contributor, also acknowledged the issues.
>>>>
>>>>         By the way, complaints from multiple PHP developers going from
>>>>         the github page of the project to now twitter means they
>>>>         are not happy and they are trying to escalate their
>>>>         concerns. That's how I see this.
>>>>
>>>>         regards
>>>>
>>>>         Johanna
>>>>
>>>>         On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi
>>>>         <abiusx at owasp.org> wrote:
>>>>
>>>>             They are trying to troll the project.
>>>>             Read the thread at
>>>>             https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to
>>>>             realize that.
>>>>             We have provided ample opportunity for them to
>>>>             contribute, fix, or help the project.
>>>>             All they want is to take the project down, which I
>>>>             obviously refuse.
>>>>
>>>>             I don’t think it really hurts OWASP's reputation. If
>>>>             anyone delves into the technical discussions that would
>>>>             be apparent.
>>>>             Regards
>>>>             -Abbas
>>>>
>>>>>             On Nov 25, 2015, at 1:17 PM, johanna curiel curiel
>>>>>             <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>             Hi Erlend
>>>>>
>>>>>             We are aware of the issues and remediation is underway ;-)
>>>>>
>>>>>             regards
>>>>>
>>>>>             Johanna
>>>>>
>>>>>             On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico
>>>>>             <jim.manico at owasp.org> wrote:
>>>>>
>>>>>                 Yup, it's bad.
>>>>>
>>>>>                 Johanna Curiel and Claudia are leading the charge
>>>>>                 here. They are in the process of fully removing
>>>>>                 the project from GitHub. As in, right now…
>>>>>
>>>>>                 - Jim
>>>>>
>>>>>
>>>>>
>>>>>                 On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>>>>                 Hi
>>>>>>
>>>>>>                 See
>>>>>>                 https://twitter.com/voodooKobra/status/669537889500311553
>>>>>>                 and the link in that message.
>>>>>>
>>>>>>                 According to the OWASP website the project is
>>>>>>                 inactive, yet contributions are made on github,
>>>>>>                 and there are no signs of the project status on
>>>>>>                 github.
>>>>>>                 The crypto code is bad, as voodooKobra rightly
>>>>>>                 points out. With a known key and iv, this
>>>>>>                 encryption is useless.
>>>>>>                 And the code is referenced from stackoverflow++.
>>>>>>
>>>>>>                 When deactivating a project we need to make sure
>>>>>>                 the deactivation is clearly visible on github as well.
>>>>>>
>>>>>>                 Best regards
>>>>>>                 Erlend Oftedal
>>>>>>                 OWASP Norway
>>>>>>                 @webtonull
>>>>>>
>>>>>>
>>>>>>                 _______________________________________________
>>>>>>                 OWASP-Leaders mailing list
>>>>>>                 OWASP-Leaders at lists.owasp.org
>>>>>>                 <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>
>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
