[GPC] OWASP LAPSE Project

Jason Li jli at owasp.org
Tue Mar 1 14:49:06 EST 2011


Pablo,

I'm confused - does that mean you have everything you need to begin working
on your project?

I was not able to find the source code to the LAPSE project anywhere on the
SUIF Group website. However, if you have the original LAPSE source code, I
don't see any reason why you can't proceed forward.

Likewise, if you plan on rebuilding a brand new plugin from scratch, you can
certainly start right away.

Please let me know if you are waiting on anything to proceed.

GPC - I have not gotten any reply from Ben Livshits (original LAPSE author)
regarding a project update or addressing the lack of source code. I believe
we should follow up on this situation as part of our lifecycle discussion
during the next GPC meeting.

-Jason

2011/3/1 Pablo Martín Pérez <pmperez at di.uc3m.es>

> Dear Jason,
>
> We consider the GNU General Public License of LAPSE to develop our new
> version. We have the latest stable version, LAPSE 2.5.6, which we downloaded
> from the website of the SUIF Group of Stanford University
> <http://suif.stanford.edu/%7Elivshits/work/lapse/download.html>, where we had to fill in a form to download it.
>
> Best Regards.
>
> Pablo.
>
> 2011/2/24 Jason Li <jli at owasp.org>
>
>> All,
>>
>> As I mentioned in my original reply, there's no reason why Pablo couldn't
>> begin working on the project immediately. We welcome anyone that wants to
>> work on a project and donate that project to OWASP; as such there isn't an
>> "approval" process to start working.
>>
>> Looking more into the LAPSE's project details, I think I see the reason
>> for the confusion though.
>>
>> Although the LAPSE project is listed on the OWASP website, it is not
>> *hosted* by OWASP. The project is hosted on the original author's site
>> and the source is *NOT* available.
>>
>> Pablo - if you are waiting for OWASP to provide access to the source code
>> so that you can begin work, unfortunately we do not have the source. As an
>> open volunteer organization, we welcome anyone to participate and add
>> content. It seems that while LAPSE was added to the collection of OWASP
>> tools, it does not follow OWASP principles of being open sourced. This
>> situation is one of the many project lifecycle questions we are trying to
>> address within OWASP.  This exact scenario is why the Summit session focused
>> on standing up a centralized project repository for all OWASP projects.
>>
>> We can certainly reach out to the project author to see if he will open
>> the source so that Pablo can fork it and continue development and wait for
>> the author's response.
>>
>> -Jason
>>
>> 2011/2/23 Jeff Williams <jeff.williams at aspectsecurity.com>
>>
>>> All,
>>>
>>> I think we should approve this project and get it underway as soon as
>>> possible.  Paulo and the GPC can help you get the existing OWASP project
>>> rebooted.
>>>
>>> Thanks for the hard work!
>>>
>>> --Jeff
>>>
>>> *From:* pablomartinmail at gmail.com [mailto:pablomartinmail at gmail.com] *On
>>> Behalf Of *Pablo Martín Pérez
>>> *Sent:* Wednesday, February 23, 2011 5:49 PM
>>> *To:* Jeff Williams; jason.li at owasp.org; dinis.cruz at owasp.org
>>> *Subject:* Re: [GPC] OWASP LAPSE Project
>>>
>>> Dear All,
>>>
>>> How did the Global Summit go? I have seen on the website that your
>>> calendar is quite full of events and I suppose you are a bit busy.
>>>
>>> I write to speak about the proposal of our lab Evalues - IT Security
>>> Evaluation <http://www.evalues.es/> to take over the orphaned OWASP
>>> LAPSE Project. We are interested in this project because one of our main
>>> fields of research is the White Box Analysis of Java J2EE Applications.
>>> Currently we are researching vulnerabilities in Java Web
>>> Applications that use XML Databases. These kinds of applications, just to
>>> give an example, can have some vulnerabilities that are not detected by the
>>> current version of LAPSE.
>>>
>>> We want to develop an enhanced version of the LAPSE Plugin to have an updated
>>> catalog of vulnerabilities. Also, we aim to add new features to analyze the
>>> code and make the back-propagation in the Provenance Tracker View. We want
>>> to make the plugin work on the latest version of Eclipse because we have
>>> checked that the current version of LAPSE doesn't work properly on it.
>>>
>>> A future work we have in mind is the development of a LAPSE console mode
>>> version. We want to make the analysis of the code independent of Eclipse,
>>> generating, for example, an XML output file with the results of the
>>> vulnerabilities detected.
>>>
>>> We hope to assume the lead of OWASP LAPSE Project because we think it is
>>> important for OWASP to have an updated tool for auditing Java J2EE
>>> Applications and it is a good opportunity for our research on white box
>>> analysis of Java J2EE Applications.
>>>
>>> Best regards,
>>>
>>> Pablo Martín Pérez
>>>
>>> ---------- Forwarded message ----------
>>> From: *Pablo Martín Pérez* <pmperez at di.uc3m.es>
>>> Date: 2011/2/17
>>> Subject: Re: [GPC] OWASP LAPSE Project
>>>
>>> To: dinis cruz <dinis.cruz at owasp.org>
>>> Cc: Jeff Williams <jeff.williams at aspectsecurity.com>, Jason Li <jason.li at owasp.org>,
>>> sierra at inf.uc3m.es
>>>
>>> Dear Dinis,
>>>
>>> We are willing to swap some ideas on how we are focusing our project on
>>> improving Lapse. We want to develop a new version of the plugin for Eclipse
>>> Helios, including more potential vulnerabilities in the catalog. We aim to
>>> have an updated catalog of vulnerabilities, trying to cover all the possible
>>> vulnerabilities. Also, we want to develop a version of Lapse in console
>>> mode. With this, we try to make Lapse independent of the Eclipse interface,
>>> having the option of analysing the source code without running Eclipse, and
>>> offering an output, for example, in XML language, showing all the
>>> information related to the vulnerability detected. We spoke in our last
>>> email about the idea of making a version of the Lapse plugin for .NET. We
>>> suggested it as a future development but for now we have first in mind the
>>> improvement of Lapse, to develop a Lapse Plus version and integrate it in
>>> console mode.
>>>
>>> Best regards,
>>>
>>> Pablo Martín Pérez.
>>>
>>> On 5 February 2011 01:54, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>
>>> Hi Pablo, I would like to swap some ideas with you on how to implement
>>> such a static analysis engine.
>>>
>>> I have created a static analysis engine for .NET (on the OWASP O2
>>> Platform project) and am currently trying to port it to Java.
>>>
>>> Dinis Cruz
>>>
>>> On 4 Feb 2011, at 19:37, Jeff Williams <jeff.williams at aspectsecurity.com>
>>> wrote:
>>>
>>> Hi Pablo – this is an amazing idea that is long overdue.  The world
>>> really needs some better open source static analysis tools for security!
>>> Jason is right that we’re all a little crazy right now before our big summit
>>> in Portugal, but I fully support this idea and can’t wait to see what you
>>> all have done.
>>>
>>> Thank you so much for your efforts!
>>>
>>> --Jeff
>>>
>>> *From:* global-projects-committee-bounces at lists.owasp.org [mailto:
>>> global-projects-committee-bounces at lists.owasp.org] *On Behalf Of *Jason
>>> Li
>>> *Sent:* Friday, February 04, 2011 2:21 PM
>>> *To:* Pablo Martín Pérez
>>> *Cc:* Global Projects Committee
>>> *Subject:* Re: [GPC] OWASP LAPSE Project
>>>
>>> Pablo,
>>>
>>> OWASP welcomes anyone with the time and energy to contribute to our
>>> projects.
>>>
>>> We are currently attending the OWASP Summit so you may have to forgive me
>>> if our responses are delayed.
>>>
>>> We are happy to discuss ideas with you but you should also feel free to
>>> begin working on this effort now.
>>>
>>> In the meantime, we will work on the logistics of transferring the
>>> project.
>>>
>>> Please let me know if you have any questions.
>>>
>>> -Jason
>>>
>>> 2011/2/4 Pablo Martín Pérez <pmperez at di.uc3m.es>
>>>
>>> Dear Jason,
>>>
>>> My name is Pablo Martín, Computer Engineer at Evalues Security Lab
>>> <http://www.evalues.es/> in Spain. Regarding the OWASP LAPSE Project, we have
>>> noticed that this project is orphaned. Since we are experienced in static
>>> white box testing of J2EE applications, we have been working since 2008 on
>>> Stanford University LAPSE version 2.5.5, analyzing the application to improve it.
>>>
>>> For this reason, we offer to take over this project to develop a new
>>> version of LAPSE for detecting more vulnerability categories. Also, we have
>>> taken into account the possibility of integrating LAPSE in other platforms
>>> and developing a console mode version.
>>>
>>> In case you are interested in our proposal we can speak about the duties
>>> we would have to take on and the goals of the project in more detail.
>>>
>>> Best regards,
>>>
>>> Pablo Martín Pérez.
>>>
>>> _______________________________________________
>>> Global-projects-committee mailing list
>>> Global-projects-committee at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>>
>>
>