[GPC] OWASP LAPSE Project

Jason Li jli at owasp.org
Wed Mar 2 09:53:56 EST 2011


Pablo,

That's great! Sorry for the confusion.

You can start whenever you are ready!

-Jason


2011/3/2 Pablo Martín Pérez <pmperez at di.uc3m.es>

> Dear Jason,
>
> We have all we need to begin with the project. We have the code of LAPSE
> 2.5.6 to develop an enhanced version of the plugin. If it's okay, we can
> start with it.
>
> Regards.
>
> Pablo Martín Pérez.
>
> 2011/3/1 Jason Li <jli at owasp.org>
>
> Pablo,
>>
>> I'm confused - does that mean you have everything you need to begin
>> working on your project?
>>
>> I was not able to find the source code to the LAPSE project anywhere on
>> the SUIF Group website. However, if you have the original LAPSE source code,
>> I don't see any reason why you can't proceed forward.
>>
>> Likewise, if you plan on rebuilding a brand new plugin from scratch, you
>> can certainly start right away.
>>
>> Please let me know if you are waiting on anything to proceed.
>>
>> GPC - I have not gotten any reply from Ben Livshits (original LAPSE
>> author) regarding a project update or addressing the lack of source code. I
>> believe we should follow up on this situation as part of our lifecycle
>> discussion during the next GPC meeting.
>>
>> -Jason
>>
>> 2011/3/1 Pablo Martín Pérez <pmperez at di.uc3m.es>
>>
>> Dear Jason,
>>>
>>> We are relying on the GNU General Public License of LAPSE to develop our new
>>> version. We have the latest stable version, LAPSE 2.5.6, which we downloaded
>>> from the website of the SUIF Group of Stanford University
>>> <http://suif.stanford.edu/%7Elivshits/work/lapse/download.html>, where we had
>>> to fill in a form to download it.
>>>
>>> Best Regards.
>>>
>>> Pablo.
>>>
>>> 2011/2/24 Jason Li <jli at owasp.org>
>>>
>>> All,
>>>>
>>>> As I mentioned in my original reply, there's no reason why Pablo
>>>> couldn't begin working on the project immediately. We welcome anyone that
>>>> wants to work on a project and donate that project to OWASP; as such there
>>>> isn't an "approval" process to start working.
>>>>
>>>> Looking more into the LAPSE's project details, I think I see the reason
>>>> for the confusion though.
>>>>
>>>> Although the LAPSE project is listed on the OWASP website, it is not
>>>> *hosted* by OWASP. The project is hosted on the original author's site
>>>> and the source is *NOT* available.
>>>>
>>>> Pablo - if you are waiting for OWASP to provide access to the source
>>>> code so that you can begin work, unfortunately we do not have the source. As
>>>> an open volunteer organization, we welcome anyone to participate and add
>>>> content. It seems that while LAPSE was added to the collection of OWASP
>>>> tools, it does not follow OWASP principles of being open sourced. This
>>>> situation is one of the many project lifecycle questions we are trying to
>>>> address within OWASP.  This exact scenario is why the Summit session focused
>>>> on standing up a centralized project repository for all OWASP projects.
>>>>
>>>> We can certainly reach out to the project author to see if he will open
>>>> the source so that Pablo can fork it and continue development and wait for
>>>> the author's response.
>>>>
>>>> -Jason
>>>>
>>>> 2011/2/23 Jeff Williams <jeff.williams at aspectsecurity.com>
>>>>
>>>> All,
>>>>>
>>>>>
>>>>>
>>>>> I think we should approve this project and get it underway as soon as
>>>>> possible.  Paulo and the GPC can help you get the existing OWASP project
>>>>> rebooted.
>>>>>
>>>>>
>>>>>
>>>>> Thanks for the hard work!
>>>>>
>>>>>
>>>>>
>>>>> --Jeff
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *From:* pablomartinmail at gmail.com [mailto:pablomartinmail at gmail.com] *On
>>>>> Behalf Of *Pablo Martín Pérez
>>>>> *Sent:* Wednesday, February 23, 2011 5:49 PM
>>>>> *To:* Jeff Williams; jason.li at owasp.org; dinis.cruz at owasp.org
>>>>>
>>>>> *Subject:* Re: [GPC] OWASP LAPSE Project
>>>>>
>>>>>
>>>>>
>>>>> Dear All,
>>>>>
>>>>> How did the Global Summit go? I have seen on the website that your
>>>>> calendar is quite full of events, and I suppose you are a bit busy.
>>>>>
>>>>> I write to speak about the proposal of our lab Evalues - IT Security
>>>>> Evaluation <http://www.evalues.es/> to take over the orphaned OWASP
>>>>> LAPSE Project. We are interested in this project because one of our main
>>>>> fields of research is the White Box Analysis of Java J2EE Applications.
>>>>> Currently we are researching vulnerabilities in Java Web
>>>>> Applications that use XML Databases. These kinds of applications, just to
>>>>> give an example, can have some vulnerabilities that are not detected by the
>>>>> current version of LAPSE.
>>>>>
>>>>> We want to develop an enhanced version of the LAPSE Plugin to have an
>>>>> updated catalog of vulnerabilities. Also, we aim to add new features to
>>>>> analyze the code and make the back-propagation in the Provenance Tracker
>>>>> View. We want to make the plugin work on the latest version of Eclipse because
>>>>> we have checked that the current version of LAPSE doesn't work properly on
>>>>> it.
>>>>>
>>>>> A future work we have in mind is the development of a LAPSE console
>>>>> mode version. We want to make the analysis of the code independent of
>>>>> Eclipse, generating, for example, an XML output file with the results of the
>>>>> vulnerabilities detected.
>>>>>
>>>>> We hope to assume the lead of OWASP LAPSE Project because we think it
>>>>> is important for OWASP to have an updated tool for auditing Java J2EE
>>>>> Applications and it is a good opportunity for our research on white box
>>>>> analysis of Java J2EE Applications.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Pablo Martín Pérez
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: *Pablo Martín Pérez* <pmperez at di.uc3m.es>
>>>>> Date: 2011/2/17
>>>>> Subject: Re: [GPC] OWASP LAPSE Project
>>>>>
>>>>> To: dinis cruz <dinis.cruz at owasp.org>
>>>>> Cc: Jeff Williams <jeff.williams at aspectsecurity.com>, Jason Li <
>>>>> jason.li at owasp.org>, sierra at inf.uc3m.es
>>>>>
>>>>>
>>>>> Dear Dinis,
>>>>>
>>>>>
>>>>>
>>>>> We are willing to swap some ideas on how we are focusing our project on
>>>>> improving Lapse. We want to develop a new version of the plugin for Eclipse
>>>>> Helios, including more potential vulnerabilities in the catalog. We aim to
>>>>> have an updated catalog of vulnerabilities, trying to cover all the possible
>>>>> vulnerabilities. Also, we want to develop a version of Lapse in console
>>>>> mode. With this, we try to make Lapse independent of the Eclipse interface,
>>>>> having the option of analysing the source code without running Eclipse, and
>>>>> offering an output, for example, in XML, showing all the
>>>>> information related to the vulnerability detected. We spoke in our last
>>>>> email about the idea of making a version of the Lapse plugin for .NET. We
>>>>> suggested it as a future development, but for now we have first in mind the
>>>>> improvement of Lapse, to develop a Lapse Plus version and integrate it in
>>>>> console mode.
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Pablo Martín Pérez.
>>>>>
>>>>>
>>>>>
>>>>> On 5 February 2011 01:54, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>>
>>>>> Hi Pablo, I would like to swap some ideas with you on how to implement
>>>>> such a static analysis engine.
>>>>>
>>>>>
>>>>>
>>>>> I have created a static analysis engine for .NET (on the OWASP O2
>>>>> Platform project) and am currently trying to port it to Java.
>>>>>
>>>>> Dinis Cruz
>>>>>
>>>>>
>>>>> On 4 Feb 2011, at 19:37, Jeff Williams <
>>>>> jeff.williams at aspectsecurity.com> wrote:
>>>>>
>>>>> Hi Pablo – this is an amazing idea that is long overdue.  The world
>>>>> really needs some better open source static analysis tools for security!
>>>>> Jason is right that we’re all a little crazy right now before our big summit
>>>>> in Portugal, but I fully support this idea and can’t wait to see what you
>>>>> all have done.
>>>>>
>>>>>
>>>>>
>>>>> Thank you so much for your efforts!
>>>>>
>>>>>
>>>>>
>>>>> --Jeff
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *From:* global-projects-committee-bounces at lists.owasp.org [mailto:
>>>>> global-projects-committee-bounces at lists.owasp.org] *On Behalf Of *Jason
>>>>> Li
>>>>> *Sent:* Friday, February 04, 2011 2:21 PM
>>>>> *To:* Pablo Martín Pérez
>>>>> *Cc:* Global Projects Committee
>>>>> *Subject:* Re: [GPC] OWASP LAPSE Project
>>>>>
>>>>>
>>>>>
>>>>> Pablo,
>>>>>
>>>>>
>>>>>
>>>>> OWASP welcomes anyone with the time and energy to contribute to our
>>>>> projects.
>>>>>
>>>>>
>>>>>
>>>>> We are currently attending the OWASP Summit so you may have to forgive
>>>>> me if our responses are delayed.
>>>>>
>>>>>
>>>>>
>>>>> We are happy to discuss ideas with you but you should also feel free to
>>>>> begin working on this effort now.
>>>>>
>>>>>
>>>>>
>>>>> In the meantime, we will work on the logistics of transferring the
>>>>> project.
>>>>>
>>>>>
>>>>>
>>>>> Please let me know if you have any questions.
>>>>>
>>>>>
>>>>>
>>>>> -Jason
>>>>>
>>>>>
>>>>>
>>>>> 2011/2/4 Pablo Martín Pérez <pmperez at di.uc3m.es>
>>>>>
>>>>> Dear Jason,
>>>>>
>>>>>
>>>>>
>>>>> My name is Pablo Martín, Computer Engineer at Evalues Security Lab
>>>>> <http://www.evalues.es/> in Spain. Regarding the OWASP LAPSE Project, we have
>>>>> noticed that this project is orphaned. Since we are experienced in static
>>>>> white box testing of J2EE applications, we have been working since 2008 on
>>>>> Stanford University's LAPSE version 2.5.5, analyzing the application to
>>>>> improve it.
>>>>>
>>>>>
>>>>>
>>>>> For this reason, we offer to take over this project to develop a new
>>>>> version of LAPSE for detecting more vulnerability categories. Also, we have
>>>>> taken into account the possibility of integrating LAPSE in other platforms
>>>>> and developing a console mode version.
>>>>>
>>>>>
>>>>>
>>>>> In case you are interested in our proposal, we can speak about the
>>>>> duties we would take on and the goals of the project in more detail.
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Pablo Martín Pérez.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Global-projects-committee mailing list
>>>>> Global-projects-committee at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>