That's a self-evidently dumb comment, but in fact I've had experience trying to talk to OWASP about crypto, and found it an enervating waste of time.
Things may have gotten better in the last 2 years since I stopped paying attention (though: I doubt it), but my experience of it is that it's governed mostly by the kinds of consultants who parachute into projects to configure Fortify. Despite not having much software development experience, those kinds of consultants have very strong opinions about things like crypto.
The problem is very much not limited to crypto.
I think OWASP is mostly unsalvageable, and that the most productive thing to be done is to warn developers to take their advice with a grain of salt. There's useful stuff in there, but there's bad stuff too. That's fine if all you're purporting to build is a wiki, but it's less fine when your goal is to be the bible of appsec. They are simply not that.
Things may have gotten better in the last 2 years since I stopped paying attention (though: I doubt it), but my experience of it is that it's governed mostly by the kinds of consultants who parachute into projects to configure Fortify. Despite not having much software development experience, those kinds of consultants have very strong opinions about things like crypto.
The problem is very much not limited to crypto.
I think OWASP is mostly unsalvageable, and that the most productive thing to be done is to warn developers to take their advice with a grain of salt. There's useful stuff in there, but there's bad stuff too. That's fine if all you're purporting to build is a wiki, but it's less fine when your goal is to be the bible of appsec. They are simply not that.