[OWASP-wiki-editors] [phpsec] confidentialString function uses hard-coded key (#108)

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 20 16:46:50 UTC 2015


Hi Sven, Andrew

Thank you for your feedback and I think there are enough valid points to
consider that the project is inactive right now and it should be set as an
inactive project.

As a defensive security library project, there are definitely high risks in
using it at this stage, and that can be misinterpreted by potential users.
Considering OWASP guidelines, the project is indeed inactive since it has
not been updated for that long.

I have asked Claudia, our project coordinator to set the project as an
inactive project and also set a label on the wiki similar to this
https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

With regard to the GitHub content, since it falls under OWASP GitHub,
there should also be a clear label that the project is inactive and
contains many security issues that make the project not usable as a
security library.

I will also contact the wiki editors group to make sure we have a label for
this kind of situation as the project wiki page must also be archived.


Best regards

Johanna
OWASP Volunteer


On Fri, Nov 20, 2015 at 12:17 PM, SvenRtbg <notifications at github.com> wrote:

> As one of the contributors to this repository, its current state makes me
> sad.
>
> You all are correct asserting that this particular library, in its current
> state, is a failure. Its goals, set before a Google "summer of code" event
> long ago, were to write for once a secure library that everyone should use.
> In the effort that followed, @rash805115 <https://github.com/rash805115>
> wrote code for basically everything that you'd need in a decent web
> framework: Form validation, controllers, database, logging, security stuff,
> session handling.
>
> This probably has been a very educational effort, however I always found
> that this approach is flawed: There are already plenty of libraries around
> that do database abstraction or logging. If they have security problems,
> the solution should be to fix them, not write another library that cannot
> compete with the others' features (no matter if it is more secure or not).
>
> I have tried to find the one unique feature that no other library has, and
> there probably is one: Asserting secure passwords. There are several
> interesting checks I haven't seen anywhere else. This should be separated
> into one package, made to live up to expectations, and be released.
>
> However, with this library being started at a time when Composer was in
> its infancy, some things would have to change: I do find it annoying that
> there are so many violations of coding standards just because "Well yeah
> this is better for entry level developers I think".
>
> Let's put an end to this project as it was intended at the start. Nobody
> has worked on it since Aug 18, 2014. My merge of @philsturgeon
> <https://github.com/philsturgeon>'s pull request only added fixes to the
> TravisCI build tool.
>
> So effectively this project is on hiatus for more than a year!
>
> Reply to this email directly or view it on GitHub:
> <https://github.com/OWASP/phpsec/issues/108#issuecomment-158447768>.
>