[GPC] OWASP LAPSE Project

Paulo Coimbra paulo.coimbra at owasp.org
Wed Mar 2 11:58:59 EST 2011


Hi Pablo,

First of all, I thank you for volunteering to lead an OWASP Project. It is
with volunteers like yourself that OWASP continues to succeed in making
application security visible.

Secondly, I've removed the template that mentioned the project's orphaned
status and appointed you as project lead:
http://www.owasp.org/index.php/OWASP_LAPSE_Project#tab=Project_About

In addition, the project has been moved and placed on our Projects page
amongst the Alpha status projects:
http://www.owasp.org/index.php/Category:OWASP_Project#tab=Alpha_Status_Projects

Please check it out and let me know if you find any problems or mistakes, and
obviously feel free to add any additional information to the project's wiki
page or to request assistance with editing it.

Thirdly, please note that the following basic data is still missing:

- Project leader wiki username* -
https://www.owasp.org/index.php?title=Special:UserLogin&type=signup

- Project Roadmap -
http://www.owasp.org/index.php/OWASP_LAPSE_Project/Roadmap

If you agree, as soon as you send the above-referred info, we will
publicly announce that the project has a new leader and a new roadmap.

Fourthly, later on, when your project reaches a point at which you'd like OWASP
to assist in its promotion, we will need the following to help spread the
word about it:

- Project Flyer/Pamphlet (PDF file):
http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/

- Conference style presentation describing the project in at least 3 slides:
http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/

Fifthly, as work on your project progresses and you are ready to create a
new release, please let the Global Projects Committee (GPC) know of the
change in status so that we can create the needed template to support it.

The GPC can work with you to get your project assessed and moved up the
OWASP quality ladder from Alpha to Beta to Stable. Not every release
requires an assessment - feel free to email the GPC if you are unsure about
your project's requirements.

http://www.owasp.org/index.php/Assessment_Criteria_v2.0

That is all for now - I wish you and your project great success. Thank you
for supporting OWASP's mission.

Should you have any questions or require any further information, please do
not hesitate to contact me.

Many thanks, best regards,

Thanks,

- Paulo

* Please fill in your wiki user page with your Resume/Curriculum Vitae,
Wiki Contributions and Email Address. Those elements will help us build
a proper idea of your technical profile and will facilitate contact
with other OWASP contributors. See
http://www.owasp.org/index.php/User:Mtesauro for an example.

Paulo Coimbra,
OWASP Project Manager
<http://www.owasp.org/index.php/User:Paulo_Coimbra>

From: global-projects-committee-bounces at lists.owasp.org
[mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of
Jason Li
Sent: Wednesday, 2 March 2011 14:54
To: Pablo Martín Pérez
Cc: Global Projects Committee
Subject: Re: [GPC] OWASP LAPSE Project

Pablo,

That's great! Sorry for the confusion.

You can start whenever you are ready!

-Jason

2011/3/2 Pablo Martín Pérez <pmperez at di.uc3m.es>

Dear Jason,

We have all we need to begin with the project. We have the code of LAPSE
2.5.6 to develop an enhanced version of the plugin. If it's okay, we can
start with it.

Regards.

Pablo Martín Pérez.

2011/3/1 Jason Li <jli at owasp.org>

Pablo,

I'm confused - does that mean you have everything you need to begin working
on your project?

I was not able to find the source code to the LAPSE project anywhere on the
SUIF Group website. However, if you have the original LAPSE source code, I
don't see any reason why you can't proceed.

Likewise, if you plan on rebuilding a brand new plugin from scratch, you can
certainly start right away.

Please let me know if you are waiting on anything to proceed.

GPC - I have not gotten any reply from Ben Livshits (original LAPSE author)
regarding a project update or addressing the lack of source code. I believe
we should follow up on this situation as part of our lifecycle discussion
during the next GPC meeting.

-Jason

2011/3/1 Pablo Martín Pérez <pmperez at di.uc3m.es>

Dear Jason,

We are taking into account the GNU General Public License of LAPSE in
developing our new version. We have the latest stable version, LAPSE 2.5.6,
which we downloaded from the website of the SUIF Group of Stanford University
<http://suif.stanford.edu/%7Elivshits/work/lapse/download.html>, where we
had to fill in a form to download it.

Best Regards.

Pablo.

2011/2/24 Jason Li <jli at owasp.org>

All,

As I mentioned in my original reply, there's no reason why Pablo couldn't
begin working on the project immediately. We welcome anyone that wants to
work on a project and donate that project to OWASP; as such there isn't an
"approval" process to start working.

Looking more into the LAPSE project's details, I think I see the reason for
the confusion though.

Although the LAPSE project is listed on the OWASP website, it is not
*hosted* by OWASP. The project is hosted on the original author's site
and the source is *NOT* available.

Pablo - if you are waiting for OWASP to provide access to the source code so
that you can begin work, unfortunately we do not have the source. As an open
volunteer organization, we welcome anyone to participate and add content. It
seems that while LAPSE was added to the collection of OWASP tools, it does
not follow OWASP principles of being open sourced. This situation is one of
the many project lifecycle questions we are trying to address within OWASP.
This exact scenario is why the Summit session focused on standing up a
centralized project repository for all OWASP projects.

We can certainly reach out to the project author to see if he will open the
source so that Pablo can fork it and continue development, and wait for the
author's response.

-Jason

2011/2/23 Jeff Williams <jeff.williams at aspectsecurity.com>

All,

I think we should approve this project and get it underway as soon as
possible. Paulo and the GPC can help you get the existing OWASP project
rebooted.

Thanks for the hard work!

--Jeff

From: pablomartinmail at gmail.com [mailto:pablomartinmail at gmail.com] On Behalf
Of Pablo Martín Pérez
Sent: Wednesday, February 23, 2011 5:49 PM
To: Jeff Williams; jason.li at owasp.org; dinis.cruz at owasp.org
Subject: Re: [GPC] OWASP LAPSE Project

Dear All,

How did the Global Summit go? I have seen on the website that your calendar
is quite full of events, and I suppose you are a bit busy.

I write to speak about the proposal of our lab, Evalues - IT Security
Evaluation <http://www.evalues.es/>, to take over the orphaned OWASP LAPSE
Project. We are interested in this project because one of our main fields of
research is the White Box Analysis of Java J2EE Applications.
Currently we are researching vulnerabilities in Java Web Applications
that use XML Databases. These kinds of applications, just to give an example,
can have some vulnerabilities that are not detected by the current version
of LAPSE.

We want to develop an enhanced version of the LAPSE Plugin to have an updated
catalog of vulnerabilities. Also, we aim to add new features to analyze the
code and make the back-propagation in the Provenance Tracker View. We want
to make the plugin work on the latest version of Eclipse because we have
checked that the current version of LAPSE doesn't work properly on it.

A future work we have in mind is the development of a LAPSE console mode
version. We want to make the analysis of the code independent of Eclipse,
generating, for example, an XML output file with the results of the
vulnerabilities detected.

We hope to assume the lead of OWASP LAPSE Project because we think it is
important for OWASP to have an updated tool for auditing Java J2EE
Applications and it is a good opportunity for our research on white box
analysis of Java J2EE Applications.

Best regards,

Pablo Martín Pérez

---------- Forwarded message ----------
From: Pablo Martín Pérez <pmperez at di.uc3m.es>
Date: 2011/2/17
Subject: Re: [GPC] OWASP LAPSE Project

To: dinis cruz <dinis.cruz at owasp.org>
Cc: Jeff Williams <jeff.williams at aspectsecurity.com>, Jason Li
<jason.li at owasp.org>, sierra at inf.uc3m.es

Dear Dinis,

We are willing to swap some ideas on how we are focusing our project on
improving Lapse. We want to develop a new version of the plugin for Eclipse
Helios, including more potential vulnerabilities in the catalog. We aim to
have an updated catalog of vulnerabilities, trying to cover all the possible
vulnerabilities. Also, we want to develop a version of Lapse in console
mode. With this, we try to make Lapse independent of the Eclipse interface,
having the option of analysing the source code without running Eclipse, and
offering an output, for example, in XML, showing all the
information related to the vulnerability detected. We spoke in our last
email about the idea of making a version of the Lapse plugin for .NET. We
suggested it as a future development, but for now we have first in mind the
improvement of Lapse, to develop a Lapse Plus version and integrate it in
console mode.

Best regards,

Pablo Martín Pérez.

On 5 February 2011 01:54, dinis cruz <dinis.cruz at owasp.org> wrote:

Hi Pablo, I would like to swap some ideas with you on how to implement such a
static analysis engine.

I have created a static analysis engine for .NET (on the OWASP O2 Platform
project) and am currently trying to port it to Java.

Dinis Cruz


On 4 Feb 2011, at 19:37, Jeff Williams <jeff.williams at aspectsecurity.com>
wrote:

Hi Pablo – this is an amazing idea that is long overdue. The world really
needs some better open source static analysis tools for security! Jason is
right that we're all a little crazy right now before our big summit in
Portugal, but I fully support this idea and can't wait to see what you all
have done.

Thank you so much for your efforts!

--Jeff

From: global-projects-committee-bounces at lists.owasp.org
[mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of
Jason Li
Sent: Friday, February 04, 2011 2:21 PM
To: Pablo Martín Pérez
Cc: Global Projects Committee
Subject: Re: [GPC] OWASP LAPSE Project

Pablo,

OWASP welcomes anyone with the time and energy to contribute to our
projects.

We are currently attending the OWASP Summit so you may have to forgive me if
our responses are delayed.

We are happy to discuss ideas with you but you should also feel free to
begin working on this effort now.

In the meantime, we will work on the logistics of transferring the project.

Please let me know if you have any questions.

-Jason

2011/2/4 Pablo Martín Pérez <pmperez at di.uc3m.es>

Dear Jason,

My name is Pablo Martín, Computer Engineer at Evalues Security Lab
<http://www.evalues.es/> in Spain. Regarding the OWASP LAPSE Project, we
have noticed that this project is orphaned. Since we are experienced in
static white box testing of J2EE applications, we have been working since
2008 on Stanford University's LAPSE version 2.5.5, analyzing the application
to improve it.

For this reason, we offer to take over this project to develop a new version
of LAPSE for detecting more vulnerability categories. Also, we have taken
into account the possibility of integrating LAPSE in other platforms and
developing a console mode version.

In case you are interested in our proposal, we can speak about the duties we
would have to take on and the goals of the project in more detail.

Best regards,

Pablo Martín Pérez.

_______________________________________________
Global-projects-committee mailing list
Global-projects-committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global-projects-committee