[Owasp-testing] Flagship Project Status

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Jun 7 23:59:55 UTC 2014


No offence but I have to correct your record.

You promoted ZAP to OWASP as a web proxy intended for developers and
not webappsec professionals and your subsequent development has
focused on features for the webappsec end user.  For comparison
purposes http://www.charlesproxy.com/ development has continued to
focus on web application developers.

I would assume that Paros had no end users and that its developer(s)
either didn't respond or refused to accept your patches (I am not sure
of the exact background) because they no longer wanted to maintain
Paros.  Furthermore, a majority of WebScarab end users were
transiting http://portswigger.net/burp/ which has a modest fee to
support its development.

Paros has the worst UI I have ever seen and ZAP has not improved on the
UI after I tried it based on the recommendation of "The Testicles"
i.e. https://twitter.com/search?f=realtime&q=sergicles%20ZAP&src=typd

Your promotion of ZAP on mailing lists not hosted by OWASP appears to
the public that WebScarab is no longer being developed and is
therefore devalued.

Both you and Michael (OWASP Chair) work[ed] at Mozilla and this is a
conflict of interest.  Also, Paul Theriaut (Mozilla) wanted to present
ZAP during the very unsuccessful relaunch of the OWASP Sydney,
Australia Chapter, of which he is also one of the [chapter] leaders.

Those are the facts as I understand them, please let me know if I am incorrect?

On Sat, Jun 7, 2014 at 7:34 PM, psiinon <psiinon at gmail.com> wrote:
> On the contrary, I was very aware of WebScarab and its importance to OWASP
> at the time - I half expected my application for ZAP to become an OWASP
> project to be rejected due to the clear overlap with WebScarab.
> I wanted to create a powerful but easy to use security tool for developers,
> and I seriously considered using WebScarab as the basis for that tool.
> However while WebScarab had much more of the functionality that I wanted
> than Paros did, I found WebScarab very complicated and unintuitive.
> I decided that I would rather add functionality to Paros than try to make
> WebScarab easier to use, and I've not regretted that decision :)
> I do agree that OWASP has not been very effective at promoting any of its
> projects, including ZAP.
> However I'm not going to point fingers at any individuals.
> OWASP is primarily a volunteer organization, and it's up to all of us to
> address issues that we are concerned with.
> While I think OWASP could do a better job of promoting all of its projects I
> don't have any big ideas how that could be achieved - marketing is not my
> area of expertise ;)
> I don't like criticizing unless I can offer constructive alternatives.

Christian Heinrich

