OWASP / phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS

update for phpsec.owasp.org? #120

Open enygma opened 8 years ago

enygma commented 8 years ago

Given the new state of this project, I'd suggest that the related website, phpsec.owasp.org, be updated to point out the project is deprecated and that any information there is for reference only. It should also mention that the software is no longer available except in archive.

imifos commented 8 years ago

I just wanted to post that as well. I think this web site should simply be removed. There is no reason to keep old stuff online (other than having names in the google index or "because we can").

mebjas commented 8 years ago

I think having a banner that says the project is deprecated would be better. It might drive developers to work on a newer version.

enygma commented 8 years ago

@mebjas I don't really see a reason to keep the site around honestly. It's mostly a reference for the tool and doesn't really offer anything by itself.

enygma commented 8 years ago

@abiusx If it points to something deprecated, what's the rationale for leaving it? All it does is provide confusion for users that may want to use the tool and find out that they can't but only by going to the project.

Even the "Download Now!" link only gives them an archive with just the README in it...

enygma commented 8 years ago

But...it did vanish (effectively). Even the repository is empty now.

While I get that other projects leave sites up even though the project is deprecated, this project has been wiped out almost completely.

imifos commented 8 years ago

Jezz...

You want a reason to remove this page?

Articles like this - http://www.devstrend.com/8-best-php-security-libraries/ (date: November 25, 2015) - pointing to this page and praising it as one of the best PHP security frameworks "of da world11".

If you still want to take responsibility for the potential damage caused by this framework being used and the resulting security problems, that is your choice of course. You can fork this page on a domain that you host and you will have your name attributed to it for all eternity, no problem, but it should definitely not be published under the name of a foundation that promotes security.

And the "the OWASP folks forced their influence upon this" are just responsible people not having the same opinion as you have.

abiusx commented 8 years ago

Closed.

paragonie-scott commented 8 years ago

I don't think we should listen to @abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

mebjas commented 8 years ago

Yeah, there is a website pointing to phpsec as one of the best PHP security libraries. If someone lands on phpsec.owasp.org, it won't be difficult for them to realize this project isn't being maintained if there is a big banner.

If you ask what's the point of keeping it up, I think the problems the library was trying to solve still exist, and we should try to solve the existing glitches and make the library secure rather than hiding it. It's an open source project after all.

Shouldn't we just change the front page with information about its current status and the TODOs we need to solve before bringing this project up again?

owaspjocur commented 8 years ago

Hi Scott, if you want to make a formal request to take the phpsec.owasp.org website down, then contact jim.manico@owasp.org or claudia.aviles-casanovas@owasp.org.

One of the problems at OWASP is that there are neither volunteers nor technical staff to administer projects properly, not even the small resources around them such as the GitHub organisation or the OWASP domain name.

Please bear with us. phpsec was an effort and an experiment; if you consider it failed and that everything regarding this project should disappear from the internet, we understand, but please understand also that there was an effort with all good intentions to create a security library, and the author of this effort, Abbas, did try. At least he tried, and we should respect that.

If there are articles like http://www.devstrend.com/8-best-php-security-libraries/ claiming this is secure, maybe, just as advice, it would be wise to contact the author of that website and explain why you consider this not valid. What is or is not published there is outside OWASP's domain.

Regards

Johanna


imifos commented 8 years ago

@mebjas I'm totally with you on that. If the library gets some love, of course it should stay up and running. Speaking of the problems the library wants to solve, it sounded just like an awesome idea for a blog post or an article in the PHP section of the OWASP wiki :) ... oh yes... the PHP section on the OWASP wiki would need some work too, if you fancy it :) (Of course, anybody of you is invited to tune the info there.)

ircmaxell commented 8 years ago

I think there's an important thing to consider here. Yes, this is open source. And yes, anyone can "fix" it because of that, and nobody has a right to say no because it's open source.

However, it's also being advertised with the OWASP name, with a very "official" sounding domain/project name. The implication is that it's a supported library. And if that's the case, then it needs to be accurate and promote good security.

The simple fact here is that the vast majority of people disagree as to the value the library provides. That doesn't mean it's bad. That doesn't mean the people who wrote it are bad. It just means that it shouldn't be published under an official name or domain until it's to the point where people in the industry agree that it's not promoting bad practices.

And I completely get that things are being done by volunteers. But that doesn't mean that there is no responsibility. In fact, I'd argue that there's a greater responsibility precisely because it's run by volunteers.

paragonie-scott commented 8 years ago

To be completely honest, instead of reinventing the wheel, I'd rather see a PHP Security project that evaluates and recommends the existing packages in the ecosystem, regardless of vendor/supplier, that are believed (by a panel of volunteer experts perhaps?) to be secure, not only against the OWASP Top Ten, but against more pernicious threats.

That would be a constructive direction to take this.

paragonie-scott commented 8 years ago

As a follow-up to my previous comment, here's a rough draft for a hypothetical system to track negative findings (i.e. no vulnerabilities):

(in PostgreSQL, which is how I usually express data structures in my notes)

CREATE TABLE suppliers (
    supplierid BIGSERIAL PRIMARY KEY,
    name TEXT
);
CREATE TABLE projects (
    projectid BIGSERIAL PRIMARY KEY,
    supplier BIGINT REFERENCES suppliers(supplierid),   -- BIGINT: PostgreSQL has no BIGINTEGER type
    name TEXT
);
CREATE TABLE project_versions (
    versionid BIGSERIAL PRIMARY KEY,
    project BIGINT REFERENCES projects(projectid),
    version TEXT,
    created TIMESTAMP DEFAULT NOW()
);
CREATE TABLE reviewers (
    reviewerid BIGSERIAL PRIMARY KEY,
    auditor TEXT,
    bio JSONB
);
CREATE TABLE evaluations (
    reviewid BIGSERIAL PRIMARY KEY,
    project BIGINT REFERENCES projects(projectid),
    version BIGINT REFERENCES project_versions(versionid),
    reviewbody TEXT,
    sev_lo INTEGER,                 -- finding counts per severity (32-bit INTEGER)
    sev_med INTEGER,
    sev_hi INTEGER,
    created TIMESTAMP DEFAULT NOW(),
    modified TIMESTAMP,
    passed BOOLEAN DEFAULT FALSE    -- TRUE records a negative finding: reviewed, nothing found
);

Volunteers can join and offer to evaluate the code for a particular version of a library or widget. The incentive here isn't just to discover/report/get-credit-for vulnerabilities, but also to attest for "I looked and didn't find any problems".

This would be useful in multiple ways:

  1. We can ensure that the "many eyes" approach is being followed, at least within the PHP Security project.
  2. We can expose new people to code auditing practices, train them to find and fix vulnerabilities in PHP projects, and grow the talent pool for appsec-savvy PHP developers.

I think this would be a win-win.

(Yes, I'm being optimistic that less than 2^31 sev:hi vulnerabilities will be found in any particular review of any given version of any given PHP project. I hope this isn't wrong.)
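As an added example (not part of Scott's comment and not phpsec code), the draft schema above populated with constructed rows and queried for the attestation it describes: which versions have been looked at, by how many distinct volunteers, and whether every review passed. The `reviewer` column, the `passed_implies_no_sev_hi` constraint and all names and ids are my assumptions; the draft itself has no column linking an evaluation to its reviewer.

```sql
-- Added example, not from the issue thread or any phpsec code.
-- Assumes the draft tables above exist, with BIGINT for the reference columns.
-- All rows below are constructed sample data.

-- Assumption: the draft never ties an evaluation to the reviewer who made it,
-- so "I looked and found nothing" could not be attributed to anyone. Add the link.
ALTER TABLE evaluations
    ADD COLUMN reviewer BIGINT REFERENCES reviewers(reviewerid);

-- Assumed integrity rule: a review that records high-severity findings
-- can never be marked as passed, whatever the reviewer typed.
ALTER TABLE evaluations
    ADD CONSTRAINT passed_implies_no_sev_hi CHECK (NOT passed OR sev_hi = 0);

-- Explicit ids keep the sample readable (they bypass the BIGSERIAL sequences,
-- which is fine for a throwaway database).
INSERT INTO suppliers (supplierid, name) VALUES (1, 'Example Vendor');
INSERT INTO projects (projectid, supplier, name) VALUES (1, 1, 'example/crypto-helper');
INSERT INTO project_versions (versionid, project, version) VALUES
    (1, 1, '1.0.0'),
    (2, 1, '1.1.0');
INSERT INTO reviewers (reviewerid, auditor, bio) VALUES
    (1, 'alice', '{"focus": "cryptography"}'),
    (2, 'bob',   '{"focus": "web"}');

-- 1.0.0: one reviewer, one high-severity finding, review not passed.
-- 1.1.0: two independent reviewers, both attest they found nothing.
INSERT INTO evaluations (project, version, reviewer, reviewbody,
                         sev_lo, sev_med, sev_hi, passed) VALUES
    (1, 1, 1, 'One high-severity finding, reported to the maintainer.', 0, 0, 1, FALSE),
    (1, 2, 1, 'Fix for the earlier finding verified; nothing further.', 0, 0, 0, TRUE),
    (1, 2, 2, 'Independent review of the same version; nothing found.', 0, 0, 0, TRUE);

-- Attestation report: for each version, how many distinct volunteers looked
-- and whether every completed review passed. A version nobody has reviewed
-- yields NULL from BOOL_AND, which COALESCE turns into FALSE: unreviewed is
-- not the same as clean.
SELECT p.name                                AS project,
       pv.version,
       COUNT(e.reviewid)                     AS reviews,
       COUNT(DISTINCT e.reviewer)            AS distinct_reviewers,
       COALESCE(SUM(e.sev_hi), 0)            AS total_sev_hi,
       COALESCE(BOOL_AND(e.passed), FALSE)   AS attested_clean
FROM project_versions pv
JOIN projects p ON p.projectid = pv.project
LEFT JOIN evaluations e ON e.version = pv.versionid
GROUP BY p.name, pv.version
ORDER BY p.name, pv.version;
```

With these rows, 1.0.0 reports one high-severity finding and attested_clean = false, while 1.1.0 is attested clean by two distinct reviewers.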

jmanico commented 8 years ago

That was me. Several bugs were filed against the project and the project leader chose to hide them all. At that point I revoked access to all OWASP repositories.

Jim Manico @Manicode

On Dec 2, 2015, at 11:12 AM, AbiusX notifications@github.com wrote:

The repository holds the history of the code. Only the current version is empty. I did not choose to delete the files. Some OWASP folks forced their influence upon this.


jmanico commented 8 years ago

I am in the process of changing phpsec.owasp.org point to the github repo. I am not sure who runs the actual website but I am on it.

Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805


jmanico commented 8 years ago

I am grateful for everyone's help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed and a full-scope audit is conducted. I would be happy to revive this project.


abiusx commented 8 years ago

I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.


jmanico commented 8 years ago

Abbas, when you hid all reported issues you demonstrated a major lack of integrity yet you still blame everyone else instead of taking personal responsibility for your actions. Not cool. I expect more from someone of your seniority.


abiusx commented 8 years ago

The lack of integrity is for the person who claims he is fair and objective, does nothing when the project gets wiped, but instantly reverts any efforts that do not agree with his views.

That's what I call abusing influence. I really have no more respect for you Jim, especially after seeing your tweets :) Good luck.


jmanico commented 8 years ago

All of the code is available in archive form.

Take a look at https://github.com/OWASP/phpsec a link to all of the old code is still there listed prominently near the top of this page.

So per your request I left the code and project up there and made all of the code prominently available. That's called compromise. I did my best to hear all parties.

I only took over when you consciously edited the project and hid all reported issues. What were you thinking when you made this choice?


abiusx commented 8 years ago

My request is that you delete this project or maintain it yourself. I am no longer associated with it.

You did your best to hear all parties? I think you made multiple promises none of which you ever kept.

What were you thinking when you hid all the code? The issues were also available in the history of the project. Since the code was in the history, the issues of that code also belonged to the history.

But apparently you know better, so good luck maintaining this project, along with many others.

And please do not bother me again.


jmanico commented 8 years ago

You did your best to hear all parties? I think you made multiple promises none of which you ever kept.

Which ones? Please let me know.

What were you thinking when you hid all the code?

There is a link to all of the code at the top of the repository! I made sure it was a PROMINENT link.

You are responding to me on a public list. If you do not want to be bothered, please consider removing yourself from this list. I am not replying to your personal email, I am responding to the list.

My request is that you delete this project or maintain it yourself. I am no longer associated with it.

You did your best to hear all parties? I think you made multiple promises none of which you ever kept.

What where you thinking when you hid all the code? The issues were also available in the history of the project. Since the code was in the history, the issues of that code also belonged to the history.

But apparently you know better, so good luck maintaining this project, along with many others.

And please do not bother me again.

On Dec 2, 2015, at 7:04 PM, Jim Manico notifications@github.com wrote:

All of the code is available in archive form.

Take a look at https://github.com/OWASP/phpsec a link to all of the old code is still there listed prominently near the top of this page.

So per your request I left the code and project up there and made all of the code prominently available. Thats called compromise. I did my best to hear all parties.

I only took over when you consciously edited the project and hid all reported issues. What were you thinking when you made this choice?

Jim Manico @Manicode

On Dec 2, 2015, at 3:58 PM, AbiusX notifications@github.com wrote:

The lack of integrity is for the person who claims he is fair and objective, does nothing when the project gets wiped, but instanly reverts back any efforts that do not approve his views.

That’s what I call abusing influence. I really have no more respect for you Jim, specially after seeing your tweets :) Good luck.

On Dec 2, 2015, at 6:56 PM, Jim Manico notifications@github.com wrote:

Abbas, when you hid all reported issues you demonstrated a major lack of integrity yet you still blame everyone else instead of taking personal responsibility for your actions. Not cool. I expect more from someone of your seniority.

Jim Manico @Manicode

On Dec 2, 2015, at 3:54 PM, AbiusX notifications@github.com wrote:

I am no longer maintaining this project per the discussion that we had and the abuses of power that I have observed. Go ahead and fix them yourself.

On Dec 2, 2015, at 6:53 PM, Jim Manico notifications@github.com wrote:

I am grateful for everyone's help and I'm very willing to revive this project if a full audit is done and critical bugs are fixed.

I am only upset at one occurrence - where a project leader modified the GitHub repository and "hid" all active reported issues without fixing them. This is not cool, at least.

So please contact me when these issues are fixed as well as a full scope audit is conducted. Would be happy to revive this project.

Jim Manico @Manicode

On Dec 2, 2015, at 12:43 PM, owaspjocur notifications@github.com wrote:

Hi Scott, if you want to make a formal request to take the phpsec.owasp.org website down then contact jim.manico@owasp.org or claudia.aviles-casanovas@owasp.org

One of the problems at OWASP is that there are no volunteers nor technical staff to administer projects properly, not even the little resources around them such as the GitHub or the owasp domain name.

Please bear with us, phpsec was an effort and an experiment. If you consider it failed and everything regarding this project should disappear from the internet, we understand, but please understand also that there was an effort with all the good intentions to create a security library and the author of this effort, Abbas, did try. At least he tried and we should respect that.

If there are articles like http://www.devstrend.com/8-best-php-security-libraries/ mentioning this is secure, maybe, just as an advice, it would be wise to contact the author of this website and explain why you consider this is not valid. What is decided to be published or not is outside the OWASP domain.

Regards

Johanna

On Wed, Dec 2, 2015 at 4:19 PM, Scott notifications@github.com wrote:

I don't think we should listen to @abiusx https://github.com/abiusx here as if he's an OWASP officer, let's instead let the OWASP folks force their influence upon this again for the good of developers the whole world over.

Jim Manico Manicode Security https://www.manicode.com

jmanico commented 8 years ago

Hello folks,

http://phpsec.owasp.org now redirects to https://github.com/OWASP/phpsec

All good?

On 12/2/15 2:10 PM, Scott wrote:

As a follow-up to my previous comment, here's a rough draft for a hypothetical system to track negative findings (i.e. no vulnerabilities):

(in PostgreSQL, which is how I usually express data structures in my notes)

CREATE TABLE suppliers (
    supplierid BIGSERIAL PRIMARY KEY,
    name       TEXT
);

CREATE TABLE projects (
    projectid BIGSERIAL PRIMARY KEY,
    supplier  BIGINT,            -- suppliers.supplierid
    name      TEXT
);

CREATE TABLE project_versions (
    versionid BIGSERIAL PRIMARY KEY,
    project   BIGINT,            -- projects.projectid
    version   TEXT,
    created   TIMESTAMP DEFAULT NOW()
);

CREATE TABLE reviewers (
    reviewerid BIGSERIAL PRIMARY KEY,
    auditor    TEXT,
    bio        JSONB
);

CREATE TABLE evaluations (
    reviewid   BIGSERIAL PRIMARY KEY,
    project    BIGINT,           -- projects.projectid
    version    BIGINT,           -- project_versions.versionid
    reviewbody TEXT,
    sev_lo     INTEGER,          -- count of low-severity findings
    sev_med    INTEGER,          -- count of medium-severity findings
    sev_hi     INTEGER,          -- count of high-severity findings
    created    TIMESTAMP DEFAULT NOW(),
    modified   TIMESTAMP,
    passed     BOOLEAN DEFAULT FALSE  -- reviewer attests: looked, found nothing
);

Volunteers can join and offer to evaluate the code for a particular version of a library or widget. The incentive here isn't just to discover/report/get-credit-for vulnerabilities, but also to attest for "I looked and didn't find any problems".

This would be useful in multiple ways:

  1. We can ensure that the "many eyes" approach is being followed, at least within the PHP Security project.
  2. We can expose new people to code auditing practices, train them to find and fix vulnerabilities in PHP projects, and grow the talent pool for appsec-savvy PHP developers.

I think this would be a win-win.

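
The negative-findings tracker sketched above, carried through as an added example (this is not code from the thread or from the phpsec project). Table and column names follow Scott's draft; the foreign keys, the CHECK constraints, the reviewer column on evaluations (the draft has no link from an evaluation to the reviewer who wrote it), the sample rows and the summary query are assumptions added here. It targets PostgreSQL, as the draft does.

```sql
-- Added example, not the thread's own code. Schema follows Scott's draft;
-- constraints, the reviewer column, sample data and the query are assumptions.

CREATE TABLE suppliers (
    supplierid BIGSERIAL PRIMARY KEY,
    name       TEXT NOT NULL
);

CREATE TABLE projects (
    projectid BIGSERIAL PRIMARY KEY,
    supplier  BIGINT NOT NULL REFERENCES suppliers (supplierid),
    name      TEXT NOT NULL
);

CREATE TABLE project_versions (
    versionid BIGSERIAL PRIMARY KEY,
    project   BIGINT NOT NULL REFERENCES projects (projectid),
    version   TEXT NOT NULL,
    created   TIMESTAMP DEFAULT NOW(),
    UNIQUE (project, version)
);

CREATE TABLE reviewers (
    reviewerid BIGSERIAL PRIMARY KEY,
    auditor    TEXT NOT NULL,
    bio        JSONB
);

CREATE TABLE evaluations (
    reviewid   BIGSERIAL PRIMARY KEY,
    project    BIGINT NOT NULL REFERENCES projects (projectid),
    version    BIGINT NOT NULL REFERENCES project_versions (versionid),
    reviewer   BIGINT NOT NULL REFERENCES reviewers (reviewerid),  -- assumed column
    reviewbody TEXT,
    sev_lo     INTEGER NOT NULL DEFAULT 0 CHECK (sev_lo >= 0),
    sev_med    INTEGER NOT NULL DEFAULT 0 CHECK (sev_med >= 0),
    sev_hi     INTEGER NOT NULL DEFAULT 0 CHECK (sev_hi >= 0),
    created    TIMESTAMP DEFAULT NOW(),
    modified   TIMESTAMP,
    passed     BOOLEAN NOT NULL DEFAULT FALSE,
    -- an attestation of "looked, found nothing" must carry zero findings
    CHECK (NOT passed OR (sev_lo = 0 AND sev_med = 0 AND sev_hi = 0))
);

-- Constructed sample data: one library, two versions, two volunteer reviewers.
INSERT INTO suppliers (name) VALUES ('Example Vendor');
INSERT INTO projects (supplier, name) VALUES (1, 'example-lib');
INSERT INTO project_versions (project, version) VALUES (1, '1.0.0'), (1, '1.1.0');
INSERT INTO reviewers (auditor, bio)
    VALUES ('alice', '{"focus": "crypto"}'), ('bob', '{"focus": "web"}');
INSERT INTO evaluations (project, version, reviewer, reviewbody, sev_lo, sev_med, sev_hi, passed)
    VALUES
    (1, 1, 1, 'One high-severity input handling issue',    0, 0, 1, FALSE),
    (1, 2, 1, 'Re-reviewed after the fix; nothing found',   0, 0, 0, TRUE),
    (1, 2, 2, 'Independent review; nothing found',          0, 0, 0, TRUE);

-- Per version: how many distinct reviewers looked ("eyes"), how many of them
-- attested a clean pass, and the findings recorded. Versions nobody has
-- looked at still appear, with 0 eyes, which is itself a useful signal.
SELECT p.name,
       pv.version,
       COUNT(DISTINCT e.reviewer)                          AS eyes,
       COUNT(DISTINCT e.reviewer) FILTER (WHERE e.passed)  AS clean_attestations,
       COALESCE(SUM(e.sev_hi), 0)                          AS high_findings,
       COALESCE(SUM(e.sev_med), 0)                         AS medium_findings,
       COALESCE(SUM(e.sev_lo), 0)                          AS low_findings
FROM project_versions pv
JOIN projects p ON p.projectid = pv.project
LEFT JOIN evaluations e ON e.version = pv.versionid
GROUP BY p.name, pv.version
ORDER BY p.name, pv.version;
```

With the sample rows, 1.0.0 reports one reviewer, no clean attestation and one high finding; 1.1.0 reports two reviewers, two clean attestations and no findings. The CHECK on passed is the design point: a "pass" row is the only thing that distinguishes "nobody looked" from "someone looked and found nothing", so the schema refuses a pass that also records findings.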
enygma commented 8 years ago

Thank you @jmanico for your help on this. I appreciate you taking the time to work through this all with us.

jmanico commented 8 years ago

If anyone knows of perhaps a university computer science team or other group who may wish to pick this project back up, let me know.

Also, if anyone cares to throw some SAST or other analysis at this and identify other real bugs, please file a few more.

To all volunteers who worked on this in any way - thank you for your efforts. There is no shame in not being able to work on a OSS project any more, we all have busy lives.

Last, on a personal note, I hate playing OWASP sheriff. I've lost many friends along the way. Abbas is a brilliant engineer who is very upset at this process and if I was in his shoes I would feel the same way. *I think we did the right thing in the end for the community*, but certainly at an expense where good will was lost. Imagine if this was your code and "the world" was pointing out critical security bugs....

I ask us all as humanz to reflect on that. When these situations come up again, is there a way we can go about this in kinder ways? I ask myself, could I have been more respectful, could I have been more gentle, could I have found a way to serve our community without losing someone along the way?

Even though the right thing was done, and honestly must rule, I feel a deep sense of failure.

Aloha, Jim Manico OWASP Board

SvenRtbg commented 8 years ago

Only deleted code is the easiest to maintain, and the safest to run.

When I merged the proposed deletion of the project, I knew it was necessary to make a very strong statement about this project's status. However human feelings have been hurt, and this makes me feel sorry, although it was somehow not to be avoided. If we'd had a constant flow of contributions improving the code, my decision would be different, but with no one committing anything for more than a year, this project was already dead. Removing it from public consumption was the only sane choice I saw.

On the other hand: The github issue #108 had several messages deleted from public view, and there are traces of attempts at reverting the deleting merge without documenting this in the repository's history. I have also seen some very unprofessional reactions to the security reports, where valid points have been answered with basically "you are using it wrong/don't understand the use case", and said issue being closed without contributing a fix. There is no excuse for this.

jmanico commented 8 years ago

Sadly, I agree, which is why I took the actions I did. :/

paragonie-scott commented 8 years ago

I don't envy your position there, Jim, but I believe you made the right call.

What do you think of my above suggestion? There's already a ton of wheel reinventing and a lot of it's not very innovative. For example, OpenCart's Encryption library is a joke.

jmanico commented 8 years ago

Scott,

I would support ANY high quality and secure efforts to revive PHP Security at OWASP (guides, framework help, etc).

ghost commented 5 years ago

@jmanico @paragonie-scott There doesn't seem to be a single good all in one security guide on PHP anywhere on the web. Scott's recent guide on his blog is probably the best I've found, and it took time to find it. Would it be possible to revive this repo (or create a new one)?

mebjas commented 5 years ago

A new library for best PHP security practices? Or a framework? Or a guide maintained open source?

paragonie-scott commented 5 years ago

I believe @danehrlich1 is referring to https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software (source).

ghost commented 5 years ago

@mebjas It would be a guide. I returned to PHP after 5 years away and was extraordinarily frustrated at what was available for help with security.

@paragonie-scott's guide basically covers 90% of it, but it would be on Github under OWASP so easier visibility and could be updated/commented on.

I am in PHP for the long haul now because of open source commitments I've made, so have the bandwidth to run this for years and not let it die.

ghost commented 5 years ago

As an aside, also am starting to work with Senator Mark Warner's office to draft a letter to the PHP leadership. If security could be taken care of there at the lowest level, would be a lot easier for everyone.

Warner (D-VA) co-founded the Cybersecurity Caucus with Cory Gardner (R-CO) last year: https://www.warner.senate.gov/public/index.cfm/cybersecurity-caucus

mebjas commented 5 years ago

@mebjas It would be a guide. I returned to PHP after 5 years away and was extraordinarily frustrated at what was available for help with security.

@paragonie-scott's guide basically covers 90% of it, but it would be on Github under OWASP so easier visibility and could be updated/commented on.

Just to get more of an idea of your vision

:)

As an aside, also am starting to work with Senator Mark Warner's office to draft a letter to the PHP leadership. If security could be taken care of there at the lowest level, would be a lot easier for everyone.

This might be a very good idea, but given the nature of how the language is used, a lot of the things can only be done at a higher level based on requirement, I believe.

paragonie-scott commented 5 years ago

@paragonie-scott's guide basically covers 90% of it, but it would be on Github under OWASP so easier visibility and could be updated/commented on.

The entire reason we publish our blog posts' Markdown source code under a CC license is so that they can be easily forked into projects in a situation like this. If you'd like to adapt what is already written to cover 100% of what you're envisioning, feel free.

ghost commented 5 years ago

I am talking to Chris Cornutt (he's in Austin by chance) tomorrow and I'll figure out next steps.

Plan as of now:

  1. Fork @paragonie-scott's guide, add some more stuff, and place under OWASP
  2. Revive super dead PHP stuff on OWASP like the below link. Maybe this just means linking to the yet-to-be-created repo: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

QUESTION: Who gives authorization to create repos under OWASP?

ghost commented 5 years ago

@paragonie-scott @mebjas @jmanico

Do you all know how to get an OWASP wiki account? I already have an OWASP email, but I cannot for the life of me get a wiki account and I've reached out to several people.

I'd like to update stuff that is clearly wrong on the PHP wiki. Also @jmanico I'd like to add security header information (as long as you approve the edits) to some of the sections with no content to your Secure Headers project.