- Michael Tubinis (IRC handle: mtubinis)
- Brian Escriche (IRC handle: Pharas)
We simply never heard of OWASP, so why not find out more about it?
- 501(c)(3) “Worldwide non-for-profit charitable organization”
- Founded April 21, 2004 by Mark Curphey
- Private company with 0 acquisitions and 0 investments
- 7 Global Board Members and 8 Employees / Contractors
- OWASP.org
- Wikipedia: OWASP
-
Facebook - 8,900 likes.
-
Twitter - 41,600 followers.
-
Google+ - 2293 members.
-
OWASP has a Blog that contains up to date posts about generic OWASP/Internet security news and development progress on the various OWASP projects.
-
OWASP does participate in their own AppSec conferences, both in the EU and in the US.
-
OWASP does not have a source code repository itself as it is a coalition of projects. For this section we decided to write about one of their flagship projects in review called "Dependency Check"
-
If applicable, list and provide links to:
-
Dependency-check is an open source solution the OWASP Top 10 2013 entry: A9 - Using Components with Known Vulnerabilities. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify known vulnerable components.
-
Initial commit was on September 6th, 2012. Latest commit was on May 6th, 2015.
-
Jeremy Long is the only one who can approve patches.
-
There have been 12 contributors to the project overall.
-
Jeremy Long is the BDFL ("Benevolent Dictator for Life")
-
There has been no change in the core team since there really is no core team, just the BDFL, who has stayed active for the entire duration of the project's history.
-
Since Jeremy Long is the main developer by an overwhelming majority, the front and back end developers are the same people (or rather the same person, the BDFL).
-
There have been no major bugs or problems within the project code wise, and there is no clear indication as to who is in charge of problems. We assume it is the BDFL.
-
The project's participation trending is fairly consistent with Jeremy Long committing most of the code.
-
The project would not survive the Raptor test or the Git by a bus test since only one person has really contributed to the project.
-
There is no clear indication of an on-boarding process.
-
For documentation, http://jeremylong.github.io/DependencyCheck/ has a large amount of information about the project, but nothing as far as code.
-
Contributing to the project will most likely need to be started by contacting the BDFL Jeremy Long on the mailing list via Subscribe or Post
-
Since there is no real structure to the project's community, I would personally not enjoy working on this project.