update for phpsec.owasp.org? #120
Comments
|
I just wanted to post that as well. I think this web site should simply be removed. There is no reason to keep old stuff online (other than having names in the google index or "because we can"). |
|
I think having a banner that, project is deprecated would be better. It might drive developers to work on a newer version. |
|
@mebjas I don't really see a reason to keep the site around honestly. It's mostly a reference for the tool and doesn't really offer anything by itself. |
|
@abiusx If it points to something deprecated, what's the rationale for leaving it? All it does is provide confusion for users that may want to use the tool and find out that they can't but only by going to the project. Even the "Download Now!" link only gives them an archive with just the |
|
But...it did vanish (effectively). Even the repository is empty now. While I get that other projects leave sites up even though the project is deprecated, this project has been wiped out almost completely. |
|
Jezz... You want a reason to remove this page? Articles like this - http://www.devstrend.com/8-best-php-security-libraries/ (date: November 25,2015) - pointing to this page and prising it as one of the best PHP security frameworks "of da world11". If you still want to take responsability for the potential damage caused by this framework being used and the resulting security problems, that is your choice of course. You can fork this page on a domain that you host and you will have your name attributed to it for all eternity, no problem, but it should definitively not be published under the name of a foundation that promotes security. And the "the OWASP folks forced their influence upon this" are just responsible people not having the same opinion than you have. |
|
Closed. |
|
I don't think we should listen to @abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over. |
|
Yeah there is a website pointing to phpsec as one of the best php security library. If someone lands on phpsec.owasp.org, it wont be difficult for them to realize, this project isn't being maintained if there is a big banner. If you ask what's the point of keeping it up, I think the problems the library was trying to solve still exist, and we should try to solve existing glitches and make the libraries secure rather than hiding it. Its an open source project after all. Shouldn't we just change the front page with information about its current status and TODOs we need to solve before bringing this project up again! |
|
Hi Scott, One of the problems at owasp is that there are no volunteers neither Please bear with us, phpsec was an effort and an experiment, if you if there are articles like Regards Johanna On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:
|
|
@mebjas |
|
I think there's an important thing to consider here. Yes, this is open source. And yes, anyone can "fix" it because of that, and nobody has a right to say no because it's open source. However, it's also being advertised with the OWASP name, with a very "official" sounding domain/project name. The implication is that it's a supported library. And if that's the case, then it needs to be accurate and promote good security. The simple fact here is that the vast majority of people disagree as to the value the library provides. That doesn't mean it's bad. That doesn't mean the people who wrote it are bad. It just means that it shouldn't be published under an official name or domain until it's to the point where people in the industry agree that it's not promoting bad practices. And I completely get that things are being done by volunteers. But that doesn't mean that there is no responsibility. In fact, I'd argue that there's a greater responsibility precisely because it's run by volunteers. |
|
To be completely honest, instead of reinventing the wheel, I'd rather see a PHP Security project that evaluates and recommends the existing packages in the ecosystem, regardless of vendor/supplier, that are believed (by a panel of volunteer experts perhaps?) to be secure, not only against the OWASP Top Ten, but against more pernicious threats. That would be a constructive direction to take this. |
|
As a follow-up to my previous comment, here's a rough draft for a hypothetical system to track negative findings (i.e. no vulnerabilities): (in PostgreSQL, which is how I usually express data structures in my notes) CREATE TABLE suppliers (
supplierid BIGSERIAL PRIMARY KEY,
name TEXT
);
CREATE TABLE projects (
projectid BIGSERIAL PRIMARY KEY,
supplier BIGINTEGER,
name TEXT
);
CREATE TABLE project_versions (
versionid BIGSERIAL PRIMARY KEY,
project BIGINTEGER,
version TEXT,
created TIMESTAMP DEFAULT NOW()
);
CREATE TABLE reviewers (
reviewerid BIGSERIAL PRIMARY KEY,
auditor TEXT,
bio JSONB
);
CREATE TABLE evaluations (
reviewid BIGSERIAL PRIMARY KEY,
project BIGINTEGER,
version BIGINTEGER,
reviewbody TEXT,
sev_lo INTEGER,
sev_med INTEGER,
sev_hi INTEGER,
created TIMESTAMP DEFAULT NOW(),
modified TIMESTAMP,
passed BOOLEAN DEFAULT FALSE
);Volunteers can join and offer to evaluate the code for a particular version of a library or widget. The incentive here isn't just to discover/report/get-credit-for vulnerabilities, but also to attest for "I looked and didn't find any problems". This would be useful in multiple ways:
I think this would be a win-win. (Yes, I'm being optimistic that less than 2^31 sev:hi vulnerabilities will be found in any particular review of any given version of any given PHP project. I hope this isn't wrong.) |
|
That was me. Several bugs were filed against the project and the project leader chose to hide them all. At that point I revoked access to all OWASP repositories. Jim Manico
|
|
I am in the process of changing phpsec.owasp.org point to the github repo. I am not sure who runs the actual website but I am on it. Jim Manico
|
|
I am grateful for everyones help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed. I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least. So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project. Jim Manico
|
|
I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.
|
|
Abbas, when you hid all reported issues you demonstrated a major lack of integrity yet you still blame everyone else instead of taking personal responsibility for your actions. Not cool. I expect more from someone of your seniority. Jim Manico
|
|
The lack of integrity is for the person who claims he is fair and objective, does nothing when the project gets wiped, but instanly reverts back any efforts that do not approve his views. That’s what I call abusing influence. I really have no more respect for you Jim, specially after seeing your tweets :) Good luck.
|
|
All of the code is available in archive form. Take a look at https://github.com/OWASP/phpsec a link to all of the old code is still there listed prominently near the top of this page. So per your request I left the code and project up there and made all of the code prominently available. Thats called compromise. I did my best to hear all parties. I only took over when you consciously edited the project and hid all reported issues. What were you thinking when you made this choice? Jim Manico
|
|
My request is that you delete this project or maintain it yourself. I am no longer associated with it. You did your best to hear all parties? I think you made multiple promises none of which you ever kept. What where you thinking when you hid all the code? The issues were also available in the history of the project. Since the code was in the history, the issues of that code also belonged to the history. But apparently you know better, so good luck maintaining this project, along with many others. And please do not bother me again.
|
Which ones? Please let me know.
There is a link to all of the code at the top of the repository! I made You are responding to me on a public list. If you do not want to be
Jim Manico |
|
Hello folks, http://phpsec.owasp.org now redirects to https://github.com/OWASP/phpsec All good?
On 12/2/15 2:10 PM, Scott wrote:
|
|
Thank you @jmanico for your help on this. I appreciate you taking the time to work through this all with us. |
|
If anyone knows of perhaps a university computer science team or other group who may wish to pick this project back up, let me know.
Also, if anyone cares to throw some SAST or other analysis at this and identify other real bugs, please file a few more.
To all volunteers who worked on this in any way - thank you for your efforts. There is no shame in not being able to work on a OSS project any more, we all have busy lives.
Last, on a personal note, I hate playing OWASP sheriff. I've lost many friends along the way. Abbas is a brilliant engineer who is very upset at this process and if I was in shoes I would feel the same way. ••I think we did the right thing in the end for the community••, but certainly at an expense where good will was lost. Imagine if this was your code and "the world" was pointing out critical security bugs....
I ask us all as humanz to reflect on that. When these situations come up again, is there a way we can go about this is in kinder ways? I ask myself, could I had been more respectful, could I had more gentle, could I have found a way to serve our community without losing someone along the way?
Even though the right thing was done, and honestly must rule, I feel a deep sense of failure.
Aloha,
Jim Manico
OWASP Board
|
|
Only deleted code is the easiest to maintain, and the safest to run. When I merged the proposed deletion of the project, I knew it was necessary making a very strong statement about this project's status. However human feelings have been hurt, and this makes me feel sorry, although it was somehow not to be avoided. If we'd had a constant flow of contributions improving the code, my decision would be different, but with no one committing anything for more than a year, this project was already dead. Removing it from public consumption was the only sane choice I saw. On the other hand: The github issue #108 had several messages deleted from public view, and there are traces of attempts at reverting the deleting merge without documenting this in the repositories history. I have also seen some very unprofessional reactions to the security reports, where valid points have been answered with basically "you are using it wrong/don't understand the use case", and said issue being closed without contributing a fix. There is no excuse for this. |
|
Sadly, I agree which is why I did took the actions I did. :/
|
|
I don't envy your position there, Jim, but I believe you made the right call. What do you think of my above suggestion? There's already a ton of wheel reinventing and a lot of it's not very innovative. For example, OpenCart's Encryption library is a joke. |
|
Scott,
I would support ANY high quality and secure efforts to revive PHP
Security at OWASP (guides, framework help, etc).
|
|
@jmanico @paragonie-scott There doesn't seem to be a single good all in one security guide on PHP anywhere on the web. Scott's recent guide on his blog is probably the best I've found, and it took time to find it. Would it be possible to revive this repo (or create a new one)? |
|
A new library for best PHP security practices? Or a framework? Or a guide
maintained open source?
|
|
I believe @danehrlich1 is referring to https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software (source). |
|
@mebjas It would be a guide. I returned to PHP after 5 years away and was extraordinarily frustrated at what was available for help with security. @paragonie-scott's guide basically covers 90% of it, but it would on Github under OWASP so easier visibility and could be updated/commented on. I am in PHP for the long haul now because of open source commitments I've made, so have the bandwidth to run this for years and not let it die. |
|
As an aside, also am starting to work with Senator Mark Warner's office to draft a letter to the PHP leadership. If security could be taken care of there at the lowest level, would be a lot easier for everyone. Warner (D-VA) co-founded the Cybersecurity Caucus with Cory Gardner (R-CO) last year: https://www.warner.senate.gov/public/index.cfm/cybersecurity-caucus |
Just to get more idea on your vision
:)
This might be a very good idea, but given the nature of how the language is used, lot of the things can only be done at higher level based on requirement, I believe. |
The entire reason we publish our blog posts' Markdown source code under a CC license is so that they can be easily forked into projects in a situation like this. If you'd like to adapt what is already written to cover 100% of what you're envisioning, feel free. |
|
I am talking to Chris Cornutt (he's in Austin by chance) tomorrow and I'll figure out next steps. Plan as of now:
QUESTION: Who gives authorization to create repos under OWASP? |
|
@paragonie-scott @mebjas @jmanico Do you all know how to get an OWASP wiki account? I already have an OWASP email, but I cannot for the life of me get a wiki account and I've reached out to several people. I'd like to update stuff that is clearly wrong on the PHP wiki. Also @jmanico I'd like to add security header information (as long as you approve the edits) to some of the sections with no content to your Secure Headers project. |
Given the new state of this project, I'd suggest that the related website, phpsec.owasp.org, be updated to point out the project is deprecated and that any information there is for reference only. It should also mention that the software is no longer available except in archive.
The text was updated successfully, but these errors were encountered: