[GPC] OWASP LAPSE Project

Jason Li jli at owasp.org
Wed Mar 2 17:42:13 EST 2011


Pablo,

While the Global Projects Committee does what it can to support projects,
projects at OWASP are run entirely by the project leader. That includes
creating/updating the content for the project wiki, answering questions
about the project on the mailing list, etc. As an organization of
volunteers, how you decide your level of contribution to OWASP is up to you.

We are happy to make announcements about project status to OWASP leaders,
but you should also feel free to make those announcements yourself.

Let us know if you have any questions!

-Jason

2011/3/2 Pablo Martín Pérez <pmperez at di.uc3m.es>

> Perfect Jason,
>
> we will keep you informed on any progress. Also, we would like to know the
> way we are going to carry out the OWASP LAPSE Project. I mean, the way our lab Evalues
> - IT Security Evaluation <http://evalues.es/> is going to participate in
> OWASP as a collaborator, promoting the new version of LAPSE, updating the wiki
> of the project, etc.
>
> Pablo.
>
> 2011/3/2 Jason Li <jli at owasp.org>
>
> Pablo,
>>
>> That's great! Sorry for the confusion.
>>
>> You can start whenever you are ready!
>>
>> -Jason
>>
>>
>> 2011/3/2 Pablo Martín Pérez <pmperez at di.uc3m.es>
>>
>> Dear Jason,
>>>
>>> we have all we need to begin with the project. We have the code of LAPSE
>>> 2.5.6 to develop an enhanced version of the plugin. If it's okay we can
>>> start with it.
>>>
>>> Regards.
>>>
>>> Pablo Martín Pérez.
>>>
>>> 2011/3/1 Jason Li <jli at owasp.org>
>>>
>>> Pablo,
>>>>
>>>> I'm confused - does that mean you have everything you need to begin
>>>> working on your project?
>>>>
>>>> I was not able to find the source code to the LAPSE project anywhere on
>>>> the SUIF Group website. However, if you have the original LAPSE source code,
>>>> I don't see any reason why you can't proceed forward.
>>>>
>>>> Likewise, if you plan on rebuilding a brand new plugin from scratch, you
>>>> can certainly start right away.
>>>>
>>>> Please let me know if you are waiting on anything to proceed.
>>>>
>>>> GPC - I have not gotten any reply from Ben Livshits (original LAPSE
>>>> author) regarding a project update or addressing the lack of source code. I
>>>> believe we should follow up on this situation as part of our lifecycle
>>>> discussion during the next GPC meeting.
>>>>
>>>> -Jason
>>>>
>>>> 2011/3/1 Pablo Martín Pérez <pmperez at di.uc3m.es>
>>>>
>>>> Dear Jason,
>>>>>
>>>>> we consider the GNU General Public License of LAPSE to develop our new
>>>>> version. We have the latest stable version, LAPSE 2.5.6, which we downloaded
>>>>> from the website of the SUIF Group of Stanford University
>>>>> <http://suif.stanford.edu/%7Elivshits/work/lapse/download.html>, on which we had to fill in a form to download it.
>>>>>
>>>>> Best Regards.
>>>>>
>>>>> Pablo.
>>>>>
>>>>> 2011/2/24 Jason Li <jli at owasp.org>
>>>>>
>>>>> All,
>>>>>>
>>>>>> As I mentioned in my original reply, there's no reason why Pablo
>>>>>> couldn't begin working on the project immediately. We welcome anyone that
>>>>>> wants to work on a project and donate that project to OWASP; as such there
>>>>>> isn't an "approval" process to start working.
>>>>>>
>>>>>> Looking more into the LAPSE's project details, I think I see the
>>>>>> reason for the confusion though.
>>>>>>
>>>>>> Although the LAPSE project is listed on the OWASP website, it is not
>>>>>> *hosted* by OWASP. The project is hosted on the original author's site
>>>>>> and the source is *NOT* available.
>>>>>>
>>>>>> Pablo - if you are waiting for OWASP to provide access to the source
>>>>>> code so that you can begin work, unfortunately we do not have the source. As
>>>>>> an open volunteer organization, we welcome anyone to participate and add
>>>>>> content. It seems that while LAPSE was added to the collection of OWASP
>>>>>> tools, it does not follow OWASP principles of being open sourced. This
>>>>>> situation is one of the many project lifecycle questions we are trying to
>>>>>> address within OWASP.  This exact scenario is why the Summit session focused
>>>>>> on standing up a centralized project repository for all OWASP projects.
>>>>>>
>>>>>> We can certainly reach out to the project author to see if he will
>>>>>> open the source so that Pablo can fork it and continue development and wait
>>>>>> for the author's response.
>>>>>>
>>>>>> -Jason
>>>>>>
>>>>>> 2011/2/23 Jeff Williams <jeff.williams at aspectsecurity.com>
>>>>>>
>>>>>> All,
>>>>>>>
>>>>>>> I think we should approve this project and get it underway as soon as
>>>>>>> possible.  Paulo and the GPC can help you get the existing OWASP project
>>>>>>> rebooted.
>>>>>>>
>>>>>>> Thanks for the hard work!
>>>>>>>
>>>>>>> --Jeff
>>>>>>>
>>>>>>> *From:* pablomartinmail at gmail.com [mailto:pablomartinmail at gmail.com]
>>>>>>> *On Behalf Of *Pablo Martín Pérez
>>>>>>> *Sent:* Wednesday, February 23, 2011 5:49 PM
>>>>>>> *To:* Jeff Williams; jason.li at owasp.org; dinis.cruz at owasp.org
>>>>>>>
>>>>>>> *Subject:* Re: [GPC] OWASP LAPSE Project
>>>>>>>
>>>>>>> Dear All,
>>>>>>>
>>>>>>> how did the Global Summit go? I have seen in the website that your
>>>>>>> calendar is quite full of events and I suppose you are a bit busy.
>>>>>>>
>>>>>>> I write to speak about the proposal of our lab Evalues - IT Security
>>>>>>> Evaluation <http://www.evalues.es/> to take over the orphaned OWASP
>>>>>>> LAPSE Project. We are interested in this project because one of our main
>>>>>>> fields of research is the White Box Analysis of Java J2EE Applications.
>>>>>>> Currently we are researching vulnerabilities in Java Web
>>>>>>> Applications that use XML Databases. These kinds of applications, just to
>>>>>>> give an example, can have some vulnerabilities that are not detected by the
>>>>>>> current version of LAPSE.
>>>>>>>
>>>>>>> We want to develop an enhanced version of the LAPSE Plugin to have an
>>>>>>> updated catalog of vulnerabilities. Also, we aim to add new features to
>>>>>>> analyze the code and make the back-propagation in the Provenance Tracker
>>>>>>> View. We want to make the plugin work on the latest version of Eclipse because
>>>>>>> we have checked that the current version of LAPSE doesn't work properly on
>>>>>>> it.
>>>>>>>
>>>>>>> A future work we have in mind is the development of a LAPSE console
>>>>>>> mode version. We want to make the analysis of the code independent of
>>>>>>> Eclipse, generating, for example, an XML output file with the results of the
>>>>>>> vulnerabilities detected.
>>>>>>>
>>>>>>> We hope to assume the lead of OWASP LAPSE Project because we think it
>>>>>>> is important for OWASP to have an updated tool for auditing Java J2EE
>>>>>>> Applications and it is a good opportunity for our research on white box
>>>>>>> analysis of Java J2EE Applications.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Pablo Martín Pérez
>>>>>>>
>>>>>>> ---------- Forwarded message ----------
>>>>>>> From: *Pablo Martín Pérez* <pmperez at di.uc3m.es>
>>>>>>> Date: 2011/2/17
>>>>>>> Subject: Re: [GPC] OWASP LAPSE Project
>>>>>>>
>>>>>>> To: dinis cruz <dinis.cruz at owasp.org>
>>>>>>> Cc: Jeff Williams <jeff.williams at aspectsecurity.com>, Jason Li <
>>>>>>> jason.li at owasp.org>, sierra at inf.uc3m.es
>>>>>>>
>>>>>>> Dear Dinis,
>>>>>>>
>>>>>>> we are willing to swap some ideas on how we are focusing our project
>>>>>>> on improving Lapse. We want to develop a new version of the plugin for
>>>>>>> Eclipse Helios, including more potential vulnerabilities in the catalog. We
>>>>>>> aim to have an updated catalog of vulnerabilities, trying to cover all the
>>>>>>> possible vulnerabilities. Also, we want to develop a version of Lapse in
>>>>>>> console mode. With this, we try to make Lapse independent of the Eclipse
>>>>>>> interface, having the option of analysing the source code without running
>>>>>>> Eclipse, and offering an output, for example, in XML, showing all
>>>>>>> the information related to the vulnerability detected. We spoke in our last
>>>>>>> email about the idea of making a version of the Lapse plugin for .NET. We
>>>>>>> suggested it as a future development but for now we have first in mind the
>>>>>>> improvement of Lapse, to develop a Lapse Plus version and integrate it in
>>>>>>> console mode.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Pablo Martín Pérez.
>>>>>>>
>>>>>>> On 5 February 2011 01:54, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>>>>
>>>>>>> Hi Pablo, I would like to swap some ideas with you on how to
>>>>>>> implement such a static analysis engine.
>>>>>>>
>>>>>>> I have created a static analysis engine for .NET (on the OWASP O2
>>>>>>> Platform project) and am currently trying to port it for Java
>>>>>>>
>>>>>>> Dinis Cruz
>>>>>>>
>>>>>>> On 4 Feb 2011, at 19:37, Jeff Williams <
>>>>>>> jeff.williams at aspectsecurity.com> wrote:
>>>>>>>
>>>>>>> Hi Pablo – this is an amazing idea that is long overdue.  The world
>>>>>>> really needs some better open source static analysis tools for security!
>>>>>>> Jason is right that we’re all a little crazy right now before our big summit
>>>>>>> in Portugal, but I fully support this idea and can’t wait to see what you
>>>>>>> all have done.
>>>>>>>
>>>>>>> Thank you so much for your efforts!
>>>>>>>
>>>>>>> --Jeff
>>>>>>>
>>>>>>> *From:* global-projects-committee-bounces at lists.owasp.org [mailto:
>>>>>>> global-projects-committee-bounces at lists.owasp.org] *On Behalf Of *Jason
>>>>>>> Li
>>>>>>> *Sent:* Friday, February 04, 2011 2:21 PM
>>>>>>> *To:* Pablo Martín Pérez
>>>>>>> *Cc:* Global Projects Committee
>>>>>>> *Subject:* Re: [GPC] OWASP LAPSE Project
>>>>>>>
>>>>>>> Pablo,
>>>>>>>
>>>>>>> OWASP welcomes anyone with the time and energy to contribute to our
>>>>>>> projects.
>>>>>>>
>>>>>>> We are currently attending the OWASP Summit so you may have to
>>>>>>> forgive me if our responses are delayed.
>>>>>>>
>>>>>>> We are happy to discuss ideas with you but you should also feel free
>>>>>>> to begin working on this effort now.
>>>>>>>
>>>>>>> In the meantime, we will work on the logistics of transferring the
>>>>>>> project.
>>>>>>>
>>>>>>> Please let me know if you have any questions.
>>>>>>>
>>>>>>> -Jason
>>>>>>>
>>>>>>> 2011/2/4 Pablo Martín Pérez <pmperez at di.uc3m.es>
>>>>>>>
>>>>>>> Dear Jason,
>>>>>>>
>>>>>>> my name is Pablo Martín, Computer Engineer at Evalues Security Lab
>>>>>>> <http://www.evalues.es/> in Spain. Regarding the OWASP LAPSE Project, we have noticed that this
>>>>>>> project is orphaned. Since we are experienced in static white box testing of
>>>>>>> J2EE applications, we have been working since 2008 on Stanford University's
>>>>>>> LAPSE version 2.5.5, analyzing the application to improve it.
>>>>>>>
>>>>>>> For this reason, we offer to take over this project to develop a new
>>>>>>> version of LAPSE for detecting more vulnerability categories. Also, we have
>>>>>>> taken into account the possibility of integrating LAPSE in other platforms
>>>>>>> and developing a console mode version.
>>>>>>>
>>>>>>> In case you are interested in our proposal we can speak about the
>>>>>>> duties we would have to take on and the goals of the project in more detail.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Pablo Martín Pérez.
>>>>>>>