OWASP / phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS
197 stars 103 forks source link

update for phpsec.owasp.org? #120

Open enygma opened 9 years ago

enygma commented 9 years ago

Given the new state of this project, I'd suggest that the related website, phpsec.owasp.org, be updated to point out the project is deprecated and that any information there is for reference only. It should also mention that the software is no longer available except in archive.

imifos commented 9 years ago

I just wanted to post that as well. I think this web site should simply be removed. There is no reason to keep old stuff online (other than having names in the google index or "because we can").

mebjas commented 9 years ago

I think having a banner that, project is deprecated would be better. It might drive developers to work on a newer version.

enygma commented 9 years ago

@mebjas I don't really see a reason to keep the site around honestly. It's mostly a reference for the tool and doesn't really offer anything by itself.

enygma commented 9 years ago

@abiusx If it points to something deprecated, what's the rationale for leaving it? All it does is provide confusion for users that may want to use the tool and find out that they can't but only by going to the project.

Even the "Download Now!" link only gives them an archive with just the README in it...

enygma commented 9 years ago

But...it did vanish (effectively). Even the repository is empty now.

While I get that other projects leave sites up even though the project is deprecated, this project has been wiped out almost completely.

imifos commented 9 years ago

Jezz...

You want a reason to remove this page?

Articles like this - http://www.devstrend.com/8-best-php-security-libraries/ (date: November 25,2015) - pointing to this page and prising it as one of the best PHP security frameworks "of da world11".

If you still want to take responsability for the potential damage caused by this framework being used and the resulting security problems, that is your choice of course. You can fork this page on a domain that you host and you will have your name attributed to it for all eternity, no problem, but it should definitively not be published under the name of a foundation that promotes security.

And the "the OWASP folks forced their influence upon this" are just responsible people not having the same opinion than you have.

abiusx commented 9 years ago

Closed.

paragonie-scott commented 9 years ago

I don't think we should listen to @abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

mebjas commented 9 years ago

Yeah there is a website pointing to phpsec as one of the best php security library. If someone lands on phpsec.owasp.org, it wont be difficult for them to realize, this project isn't being maintained if there is a big banner.

If you ask what's the point of keeping it up, I think the problems the library was trying to solve still exist, and we should try to solve existing glitches and make the libraries secure rather than hiding it. Its an open source project after all.

Shouldn't we just change the front page with information about its current status and TODOs we need to solve before bringing this project up again!

owaspjocur commented 9 years ago

Hi Scott, If you want to make a former request to take the phpsec.owasp.org website down then take contact with jim.manico@owasp.org claudia.aviles-casanovas@owasp.org

One of the problems at owasp is that there are no volunteers neither technical staff to administrate projects properly not even the little resources around them such as the Github or the domain owasp name

Please bear with us, phpsec was an effort and an experiment, if you consider it failed and all regarding this project should disappear from the internet, we understand but please understand also there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did tried. At least he tried and we should respect that.

if there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure maybe , just as an advice, would be wise you contact the author of this website and explain why you consider this is not valid. This is outside owasp domain, what is decided to be published or not.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161421511.

imifos commented 9 years ago

@mebjas I'm totally with you on that. If the library gets some love, of course it should stay up and running. Speaking of the problems the library wants solve, it sounded just like an awesome idea for a blog post or an article in the PHP section of the OWASP wiki :) ... oh yes... the PHP section on the OWASP wiki would need some work too, if you are fancy :) (Of course, anybody of you is invited to tune the info there.)

ircmaxell commented 9 years ago

I think there's an important thing to consider here. Yes, this is open source. And yes, anyone can "fix" it because of that, and nobody has a right to say no because it's open source.

However, it's also being advertised with the OWASP name, with a very "official" sounding domain/project name. The implication is that it's a supported library. And if that's the case, then it needs to be accurate and promote good security.

The simple fact here is that the vast majority of people disagree as to the value the library provides. That doesn't mean it's bad. That doesn't mean the people who wrote it are bad. It just means that it shouldn't be published under an official name or domain until it's to the point where people in the industry agree that it's not promoting bad practices.

And I completely get that things are being done by volunteers. But that doesn't mean that there is no responsibility. In fact, I'd argue that there's a greater responsibility precisely because it's run by volunteers.

paragonie-scott commented 9 years ago

To be completely honest, instead of reinventing the wheel, I'd rather see a PHP Security project that evaluates and recommends the existing packages in the ecosystem, regardless of vendor/supplier, that are believed (by a panel of volunteer experts perhaps?) to be secure, not only against the OWASP Top Ten, but against more pernicious threats.

That would be a constructive direction to take this.

paragonie-scott commented 9 years ago

As a follow-up to my previous comment, here's a rough draft for a hypothetical system to track negative findings (i.e. no vulnerabilities):

(in PostgreSQL, which is how I usually express data structures in my notes)

CREATE TABLE suppliers (
    supplierid BIGSERIAL PRIMARY KEY,
    name TEXT
);
CREATE TABLE projects (
    projectid BIGSERIAL PRIMARY KEY,
    supplier BIGINTEGER,
    name TEXT
);
CREATE TABLE project_versions (
    versionid BIGSERIAL PRIMARY KEY,
    project BIGINTEGER,
    version TEXT,
    created TIMESTAMP DEFAULT NOW()
);
CREATE TABLE reviewers (
    reviewerid BIGSERIAL PRIMARY KEY,
    auditor TEXT,
    bio JSONB
);
CREATE TABLE evaluations (
    reviewid BIGSERIAL PRIMARY KEY,
    project BIGINTEGER,
    version BIGINTEGER,
    reviewbody TEXT,
    sev_lo INTEGER,
    sev_med INTEGER,
    sev_hi INTEGER,
    created TIMESTAMP DEFAULT NOW(),
    modified TIMESTAMP,
    passed BOOLEAN DEFAULT FALSE
);

Volunteers can join and offer to evaluate the code for a particular version of a library or widget. The incentive here isn't just to discover/report/get-credit-for vulnerabilities, but also to attest for "I looked and didn't find any problems".

This would be useful in multiple ways:

  1. We can ensure that the "many eyes" approach is being followed, at least within the PHP Security project.
  2. We can expose new people to code auditing practices, train them to find and fix vulnerabilities in PHP projects, and grow the talent pool for appsec-savvy PHP developers.

I think this would be a win-win.

(Yes, I'm being optimistic that less than 2^31 sev:hi vulnerabilities will be found in any particular review of any given version of any given PHP project. I hope this isn't wrong.)

jmanico commented 9 years ago

That was me. Several bugs were filed against the project and the project leader chose to hide them all. At that point I revoked access to all OWASP repositories.

Jim Manico @Manicode

On Dec 2, 2015, at 11:12 AM, AbiusX notifications@github.com wrote:

The repository holds the history of the code. Only the current version is empty. I did not choose to delete the files. Some OWASP folks forced their influence upon this.

On Dec 2, 2015, at 2:06 PM, Chris Cornutt notifications@github.com wrote:

But...it did vanish (effectively). Event the repository is empty now.

While I get that other projects leave sites up even though the project is deprecated, this project has been wiped out almost completely.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161400290.

— Reply to this email directly or view it on GitHub.

jmanico commented 9 years ago

I am in the process of changing phpsec.owasp.org point to the github repo. I am not sure who runs the actual website but I am on it.

Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805

On Dec 2, 2015, at 9:04 AM, minhaz notifications@github.com wrote:

I think having a banner that, project is deprecated would be better. It might drive developers to work on a newer version.

— Reply to this email directly or view it on GitHub.

jmanico commented 9 years ago

I am grateful for everyones help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project.

Jim Manico @Manicode

On Dec 2, 2015, at 12:43 PM, owaspjocur notifications@github.com wrote:

Hi Scott, If you want to make a former request to take the phpsec.owasp.org website down then take contact with jim.manico@owasp.org claudia.aviles-casanovas@owasp.org

One of the problems at owasp is that there are no volunteers neither technical staff to administrate projects properly not even the little resources around them such as the Github or the domain owasp name

Please bear with us, phpsec was an effort and an experiment, if you consider it failed and all regarding this project should disappear from the internet, we understand but please understand also there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did tried. At least he tried and we should respect that.

if there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure maybe , just as an advice, would be wise you contact the author of this website and explain why you consider this is not valid. This is outside owasp domain, what is decided to be published or not.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161421511.

— Reply to this email directly or view it on GitHub.

abiusx commented 9 years ago

I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.

On Dec 2, 2015, at 6:53 PM, Jim Manico notifications@github.com wrote:

I am grateful for everyones help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project.

Jim Manico @Manicode

On Dec 2, 2015, at 12:43 PM, owaspjocur notifications@github.com wrote:

Hi Scott, If you want to make a former request to take the phpsec.owasp.org website down then take contact with jim.manico@owasp.org claudia.aviles-casanovas@owasp.org

One of the problems at owasp is that there are no volunteers neither technical staff to administrate projects properly not even the little resources around them such as the Github or the domain owasp name

Please bear with us, phpsec was an effort and an experiment, if you consider it failed and all regarding this project should disappear from the internet, we understand but please understand also there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did tried. At least he tried and we should respect that.

if there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure maybe , just as an advice, would be wise you contact the author of this website and explain why you consider this is not valid. This is outside owasp domain, what is decided to be published or not.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161421511.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470380.

jmanico commented 9 years ago

Abbas, when you hid all reported issues you demonstrated a major lack of integrity yet you still blame everyone else instead of taking personal responsibility for your actions. Not cool. I expect more from someone of your seniority.

Jim Manico @Manicode

On Dec 2, 2015, at 3:54 PM, AbiusX notifications@github.com wrote:

I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.

On Dec 2, 2015, at 6:53 PM, Jim Manico notifications@github.com wrote:

I am grateful for everyones help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project.

Jim Manico @Manicode

On Dec 2, 2015, at 12:43 PM, owaspjocur notifications@github.com wrote:

Hi Scott, If you want to make a former request to take the phpsec.owasp.org website down then take contact with jim.manico@owasp.org claudia.aviles-casanovas@owasp.org

One of the problems at owasp is that there are no volunteers neither technical staff to administrate projects properly not even the little resources around them such as the Github or the domain owasp name

Please bear with us, phpsec was an effort and an experiment, if you consider it failed and all regarding this project should disappear from the internet, we understand but please understand also there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did tried. At least he tried and we should respect that.

if there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure maybe , just as an advice, would be wise you contact the author of this website and explain why you consider this is not valid. This is outside owasp domain, what is decided to be published or not.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161421511.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470380.

— Reply to this email directly or view it on GitHub.

abiusx commented 9 years ago

The lack of integrity is for the person who claims he is fair and objective, does nothing when the project gets wiped, but instanly reverts back any efforts that do not approve his views.

That’s what I call abusing influence. I really have no more respect for you Jim, specially after seeing your tweets :) Good luck.

On Dec 2, 2015, at 6:56 PM, Jim Manico notifications@github.com wrote:

Abbas, when you hid all reported issues you demonstrated a major lack of integrity yet you still blame everyone else instead of taking personal responsibility for your actions. Not cool. I expect more from someone of your seniority.

Jim Manico @Manicode

On Dec 2, 2015, at 3:54 PM, AbiusX notifications@github.com wrote:

I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.

On Dec 2, 2015, at 6:53 PM, Jim Manico notifications@github.com wrote:

I am grateful for everyones help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project.

Jim Manico @Manicode

On Dec 2, 2015, at 12:43 PM, owaspjocur notifications@github.com wrote:

Hi Scott, If you want to make a former request to take the phpsec.owasp.org website down then take contact with jim.manico@owasp.org claudia.aviles-casanovas@owasp.org

One of the problems at owasp is that there are no volunteers neither technical staff to administrate projects properly not even the little resources around them such as the Github or the domain owasp name

Please bear with us, phpsec was an effort and an experiment, if you consider it failed and all regarding this project should disappear from the internet, we understand but please understand also there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did tried. At least he tried and we should respect that.

if there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure maybe , just as an advice, would be wise you contact the author of this website and explain why you consider this is not valid. This is outside owasp domain, what is decided to be published or not.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161421511.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470380.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470955.

jmanico commented 9 years ago

All of the code is available in archive form.

Take a look at https://github.com/OWASP/phpsec a link to all of the old code is still there listed prominently near the top of this page.

So per your request I left the code and project up there and made all of the code prominently available. Thats called compromise. I did my best to hear all parties.

I only took over when you consciously edited the project and hid all reported issues. What were you thinking when you made this choice?

Jim Manico @Manicode

On Dec 2, 2015, at 3:58 PM, AbiusX notifications@github.com wrote:

The lack of integrity is for the person who claims he is fair and objective, does nothing when the project gets wiped, but instanly reverts back any efforts that do not approve his views.

That’s what I call abusing influence. I really have no more respect for you Jim, specially after seeing your tweets :) Good luck.

On Dec 2, 2015, at 6:56 PM, Jim Manico notifications@github.com wrote:

Abbas, when you hid all reported issues you demonstrated a major lack of integrity yet you still blame everyone else instead of taking personal responsibility for your actions. Not cool. I expect more from someone of your seniority.

Jim Manico @Manicode

On Dec 2, 2015, at 3:54 PM, AbiusX notifications@github.com wrote:

I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.

On Dec 2, 2015, at 6:53 PM, Jim Manico notifications@github.com wrote:

I am grateful for everyones help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project.

Jim Manico @Manicode

On Dec 2, 2015, at 12:43 PM, owaspjocur notifications@github.com wrote:

Hi Scott, If you want to make a former request to take the phpsec.owasp.org website down then take contact with jim.manico@owasp.org claudia.aviles-casanovas@owasp.org

One of the problems at owasp is that there are no volunteers neither technical staff to administrate projects properly not even the little resources around them such as the Github or the domain owasp name

Please bear with us, phpsec was an effort and an experiment, if you consider it failed and all regarding this project should disappear from the internet, we understand but please understand also there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did tried. At least he tried and we should respect that.

if there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure maybe , just as an advice, would be wise you contact the author of this website and explain why you consider this is not valid. This is outside owasp domain, what is decided to be published or not.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161421511.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470380.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470955.

— Reply to this email directly or view it on GitHub.

abiusx commented 9 years ago

My request is that you delete this project or maintain it yourself. I am no longer associated with it.

You did your best to hear all parties? I think you made multiple promises none of which you ever kept.

What where you thinking when you hid all the code? The issues were also available in the history of the project. Since the code was in the history, the issues of that code also belonged to the history.

But apparently you know better, so good luck maintaining this project, along with many others.

And please do not bother me again.

On Dec 2, 2015, at 7:04 PM, Jim Manico notifications@github.com wrote:

All of the code is available in archive form.

Take a look at https://github.com/OWASP/phpsec a link to all of the old code is still there listed prominently near the top of this page.

So per your request I left the code and project up there and made all of the code prominently available. Thats called compromise. I did my best to hear all parties.

I only took over when you consciously edited the project and hid all reported issues. What were you thinking when you made this choice?

Jim Manico @Manicode

On Dec 2, 2015, at 3:58 PM, AbiusX notifications@github.com wrote:

The lack of integrity is for the person who claims he is fair and objective, does nothing when the project gets wiped, but instanly reverts back any efforts that do not approve his views.

That’s what I call abusing influence. I really have no more respect for you Jim, specially after seeing your tweets :) Good luck.

On Dec 2, 2015, at 6:56 PM, Jim Manico notifications@github.com wrote:

Abbas, when you hid all reported issues you demonstrated a major lack of integrity yet you still blame everyone else instead of taking personal responsibility for your actions. Not cool. I expect more from someone of your seniority.

Jim Manico @Manicode

On Dec 2, 2015, at 3:54 PM, AbiusX notifications@github.com wrote:

I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.

On Dec 2, 2015, at 6:53 PM, Jim Manico notifications@github.com wrote:

I am grateful for everyones help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project.

Jim Manico @Manicode

On Dec 2, 2015, at 12:43 PM, owaspjocur notifications@github.com wrote:

Hi Scott, If you want to make a former request to take the phpsec.owasp.org website down then take contact with jim.manico@owasp.org claudia.aviles-casanovas@owasp.org

One of the problems at owasp is that there are no volunteers neither technical staff to administrate projects properly not even the little resources around them such as the Github or the domain owasp name

Please bear with us, phpsec was an effort and an experiment, if you consider it failed and all regarding this project should disappear from the internet, we understand but please understand also there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did tried. At least he tried and we should respect that.

if there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure maybe , just as an advice, would be wise you contact the author of this website and explain why you consider this is not valid. This is outside owasp domain, what is decided to be published or not.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161421511.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470380.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470955.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161472163.

jmanico commented 9 years ago

You did your best to hear all parties? I think you made multiple promises none of which you ever kept.

Which ones? Please let me know.

What where you thinking when you hid all the code?

There is a link to all of the code at the top of the repository! I made sure it was a PROMINENT link.

You are responding to me on a public list. If you do not want to be bothered, please consider removing yourself from this list. I am not replying to your personal email, I am responding to the list.

My request is that you delete this project or maintain it yourself. I am no longer associated with it.

You did your best to hear all parties? I think you made multiple promises none of which you ever kept.

What where you thinking when you hid all the code? The issues were also available in the history of the project. Since the code was in the history, the issues of that code also belonged to the history.

But apparently you know better, so good luck maintaining this project, along with many others.

And please do not bother me again.

On Dec 2, 2015, at 7:04 PM, Jim Manico notifications@github.com wrote:

All of the code is available in archive form.

Take a look at https://github.com/OWASP/phpsec a link to all of the old code is still there listed prominently near the top of this page.

So per your request I left the code and project up there and made all of the code prominently available. Thats called compromise. I did my best to hear all parties.

I only took over when you consciously edited the project and hid all reported issues. What were you thinking when you made this choice?

Jim Manico @Manicode

On Dec 2, 2015, at 3:58 PM, AbiusX notifications@github.com wrote:

The lack of integrity is for the person who claims he is fair and objective, does nothing when the project gets wiped, but instanly reverts back any efforts that do not approve his views.

That’s what I call abusing influence. I really have no more respect for you Jim, specially after seeing your tweets :) Good luck.

On Dec 2, 2015, at 6:56 PM, Jim Manico notifications@github.com wrote:

Abbas, when you hid all reported issues you demonstrated a major lack of integrity yet you still blame everyone else instead of taking personal responsibility for your actions. Not cool. I expect more from someone of your seniority.

Jim Manico @Manicode

On Dec 2, 2015, at 3:54 PM, AbiusX notifications@github.com wrote:

I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.

On Dec 2, 2015, at 6:53 PM, Jim Manico notifications@github.com wrote:

I am grateful for everyones help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project.

Jim Manico @Manicode

On Dec 2, 2015, at 12:43 PM, owaspjocur notifications@github.com wrote:

Hi Scott, If you want to make a former request to take the phpsec.owasp.org website down then take contact with jim.manico@owasp.org claudia.aviles-casanovas@owasp.org

One of the problems at owasp is that there are no volunteers neither technical staff to administrate projects properly not even the little resources around them such as the Github or the domain owasp name

Please bear with us, phpsec was an effort and an experiment, if you consider it failed and all regarding this project should disappear from the internet, we understand but please understand also there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did tried. At least he tried and we should respect that.

if there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure maybe , just as an advice, would be wise you contact the author of this website and explain why you consider this is not valid. This is outside owasp domain, what is decided to be published or not.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

— Reply to this email directly or view it on GitHub

https://github.com/OWASP/phpsec/issues/120#issuecomment-161421511.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470380.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161470955.

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161472163.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161472491.

Jim Manico Manicode Security https://www.manicode.com

jmanico commented 9 years ago

Hello folks,

http://phpsec.owasp.org now redirects to https://github.com/OWASP/phpsec

All good?

On 12/2/15 2:10 PM, Scott wrote:

As a follow-up to my previous comment, here's a rough draft for a hypothetical system to track negative findings (i.e. no vulnerabilities):

(in PostgreSQL, which is how I usually express data structures in my notes)

CREATE TABLE suppliers ( supplieridBIGSERIAL PRIMARY KEY, nameTEXT ); CREATE TABLE projects ( projectidBIGSERIAL PRIMARY KEY, supplier BIGINTEGER, nameTEXT ); CREATE TABLE project_versions ( versionidBIGSERIAL PRIMARY KEY, project BIGINTEGER, versionTEXT, createdTIMESTAMP DEFAULT NOW() ); CREATE TABLE reviewers ( revieweridBIGSERIAL PRIMARY KEY, auditorTEXT, bio JSONB ); CREATE TABLE evaluations ( reviewidBIGSERIAL PRIMARY KEY, project BIGINTEGER, version BIGINTEGER, reviewbodyTEXT, sev_loINTEGER, sev_medINTEGER, sev_hiINTEGER, createdTIMESTAMP DEFAULT NOW(), modifiedTIMESTAMP, passedBOOLEAN DEFAULT FALSE );

Volunteers can join and offer to evaluate the code for a particular version of a library or widget. The incentive here isn't just to discover/report/get-credit-for vulnerabilities, but also to attest for "I looked and didn't find any problems".

This would be useful in multiple ways:

  1. We can ensure that the "many eyes" approach is being followed, at least within the PHP Security project.
  2. We can expose new people to code auditing practices, train them to find and fix vulnerabilities in PHP projects, and grow the talent pool for appsec-savvy PHP developers.

I think this would be a win-win.

— Reply to this email directly or view it on GitHub https://github.com/OWASP/phpsec/issues/120#issuecomment-161449488.

enygma commented 9 years ago

Thank you @jmanico for your help on this. I appreciate you taking the time to work through this all with us.

jmanico commented 9 years ago

If anyone knows of perhaps a university computer science team or other group who may wish to pick this project back up, let me know.

Also, if anyone cares to throw some SAST or other analysis at this and identify other real bugs, please file a few more.

To all volunteers who worked on this in any way - thank you for your efforts. There is no shame in not being able to work on a OSS project any more, we all have busy lives.

Last, on a personal note, I hate playing OWASP sheriff. I've lost many friends along the way. Abbas is a brilliant engineer who is very upset at this process and if I was in shoes I would feel the same way. ••I think we did the right thing in the end for the community••, but certainly at an expense where good will was lost. Imagine if this was your code and "the world" was pointing out critical security bugs....

I ask us all as humanz to reflect on that. When these situations come up again, is there a way we can go about this is in kinder ways? I ask myself, could I had been more respectful, could I had more gentle, could I have found a way to serve our community without losing someone along the way?

Even though the right thing was done, and honestly must rule, I feel a deep sense of failure.

Aloha, Jim Manico OWASP Board

SvenRtbg commented 9 years ago

Only deleted code is the easiest to maintain, and the safest to run.

When I merged the proposed deletion of the project, I knew it was necessary making a very strong statement about this project's status. However human feelings have been hurt, and this makes me feel sorry, although it was somehow not to be avoided. If we'd had a constant flow of contributions improving the code, my decision would be different, but with no one committing anything for more than a year, this project was already dead. Removing it from public consumption was the only sane choice I saw.

On the other hand: The github issue #108 had several messages deleted from public view, and there are traces of attempts at reverting the deleting merge without documenting this in the repositories history. I have also seen some very unprofessional reactions to the security reports, where valid points have been answered with basically "you are using it wrong/don't understand the use case", and said issue being closed without contributing a fix. There is no excuse for this.

jmanico commented 9 years ago

Sadly, I agree which is why I did took the actions I did. :/

paragonie-scott commented 9 years ago

I don't envy your position there, Jim, but I believe you made the right call.

What do you think of my above suggestion? There's already a ton of wheel reinventing and a lot of it's not very innovative. For example, OpenCart's Encryption library is a joke.

jmanico commented 9 years ago

Scott,

I would support ANY high quality and secure efforts to revive PHP Security at OWASP (guides, framework help, etc).

ghost commented 6 years ago

@jmanico @paragonie-scott There doesn't seem to be a single good all in one security guide on PHP anywhere on the web. Scott's recent guide on his blog is probably the best I've found, and it took time to find it. Would it be possible to revive this repo (or create a new one)?

mebjas commented 6 years ago

A new library for best PHP security practices? Or a framework? Or a guide maintained open source?

paragonie-scott commented 6 years ago

I believe @danehrlich1 is referring to https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software (source).

ghost commented 6 years ago

@mebjas It would be a guide. I returned to PHP after 5 years away and was extraordinarily frustrated at what was available for help with security.

@paragonie-scott's guide basically covers 90% of it, but it would on Github under OWASP so easier visibility and could be updated/commented on.

I am in PHP for the long haul now because of open source commitments I've made, so have the bandwidth to run this for years and not let it die.

ghost commented 6 years ago

As an aside, also am starting to work with Senator Mark Warner's office to draft a letter to the PHP leadership. If security could be taken care of there at the lowest level, would be a lot easier for everyone.

Warner (D-VA) co-founded the Cybersecurity Caucus with Cory Gardner (R-CO) last year: https://www.warner.senate.gov/public/index.cfm/cybersecurity-caucus

mebjas commented 6 years ago

@mebjas It would be a guide. I returned to PHP after 5 years away and was extraordinarily frustrated at what was available for help with security.

@paragonie-scott's guide basically covers 90% of it, but it would on Github under OWASP so easier visibility and could be updated/commented on.

Just to get more idea on your vision

:)

As an aside, also am starting to work with Senator Mark Warner's office to draft a letter to the PHP leadership. If security could be taken care of there at the lowest level, would be a lot easier for everyone.

This might be a very good idea, but given the nature of how the language is used, lot of the things can only be done at higher level based on requirement, I believe.

paragonie-scott commented 6 years ago

@paragonie-scott's guide basically covers 90% of it, but it would on Github under OWASP so easier visibility and could be updated/commented on.

The entire reason we publish our blog posts' Markdown source code under a CC license is so that they can be easily forked into projects in a situation like this. If you'd like to adapt what is already written to cover 100% of what you're envisioning, feel free.

ghost commented 6 years ago

I am talking to Chris Cornutt (he's in Austin by chance) tomorrow and I'll figure out next steps.

Plan as of now:

  1. Fork @paragonie-scott's guide, add some more stuff, and place under OWASP
  2. Revive super dead PHP stuff on OWASP like the below link. Maybe this just means linking to the yet-to-be-created repo: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

QUESTION: Who gives authorization to create repos under OWASP?

ghost commented 5 years ago

@paragonie-scott @mebjas @jmanico

Do you all know how to get an OWASP wiki account? I already have an OWASP email, but I cannot for the life of me get a wiki account and I've reached out to several people.

I'd like to update stuff that is clearly wrong on the PHP wiki. Also @jmanico I'd like to add security header information (as long as you approve the edits) to some of the sections with no content to your Secure Headers project.