[Owasp-board] Fwd: Re: Checkmarx scan of OWASP ESAPI Legacy

Karen Staley karen.staley at owasp.org
Thu Apr 5 12:52:19 UTC 2018


Dear All,
my apologies for the late reply.
I think this is something I will share with Harold our new Technical
Director.
Thanks for providing this information. Any help we can get is welcome.
I am sure Harold will come back to you soon.


Best,
Karen

On Thu, Feb 22, 2018 at 4:22 AM, psiinon <psiinon at gmail.com> wrote:

> For info we also use a closed source installer (Install4J).
> We've been given a free license for this on the basis that we've included
> a link to them from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Features
> (the 'multi-platform installer builder' link).
> I think this sounds equivalent to the support of ESAPI.
>
> Cheers,
>
> Simon
>
> On Thu, Feb 22, 2018 at 8:41 AM, Sherif Mansour <sherif.mansour at owasp.org>
> wrote:
>
>> Hello Kevin,
>>
>> You can put Checkmarx as a project sponsor
>> https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines
>> That way you avoid the conflict of interest.
>>
>> @Karen/Martin this is actually good Kevin brought this up; the project
>> sponsorship guidelines focus on financial contributions, while other
>> resources such as licensing/software/development time are equally
>> important. ZAP is an example: its biggest supporters are Linux & Mozilla,
>> and both are providing developer time.
>>
>> While I think the sponsorship guidelines are all encompassing, it’s
>> important to emphasise that. Let’s see if it can be improved.
>>
>> -Sherif
>>
>> On Thu, 22 Feb 2018 at 5:06 am, Kevin W. Wall <kevin.w.wall at gmail.com>
>> wrote:
>>
>>> OWASP Board,
>>>
>>> Someone from Checkmarx has offered to use their SAST engine (CxSAST) to
>>> scan ESAPI as long as we will allow them to mention Checkmarx helped OWASP
>>> on ESAPI in their blog
>>>
>>> I have no problem with this as long it doesn't come off as OWASP
>>> endorsing Checkmarx. However I wanted to check with all of you first to
>>> ensure that this wouldn't violate any by-laws of OWASP or be perceived as a
>>> potential conflict of interest.
>>>
>>> The relevant parts of the thread are included below for context.
>>>
>>> Please advise. Thanks,
>>>
>>> -kevin
>>> P.S.- Matt has no objections to this either.
>>> --
>>> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:
>>> @KevinWWall
>>> NSA: All your crypto bit are belong to us.
>>> ---------- Forwarded message ----------
>>> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
>>> Date: Feb 21, 2018 22:48
>>> Subject: Re: Checkmarx scan of OWASP ESAPI Legacy
>>> To: "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>
>>> Cc: "Matt Seil" <xeno6696 at gmail.com>
>>>
>>> Sean, that is fine with me personally as long as it doesn't come across
>>> as an endorsement of OWASP for Checkmarx, but let me run it across the
>>> OWASP board just to be 100% certain that it's not in violation of some
>>> obscure OWASP policy. Will get back to you in a few days.
>>>
>>> Thanks again.
>>> -kevin
>>> P.S.- Matt, if you have any personal objections, please speak up. I
>>> don't mean to speak for both of us.
>>> --
>>> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:
>>> @KevinWWall
>>> NSA: All your crypto bit are belong to us.
>>>
>>> On Feb 21, 2018 10:02 PM, "Sean Matthiesen" <
>>> Sean.Matthiesen at checkmarx.com> wrote:
>>>
>>> Hi Kevin,
>>>
>>> I know it has been a long time since we have exchanged emails.
>>> Recently, I heard back from my management that I can move forward with
>>> scanning the Java ESAPI Legacy code base.
>>>
>>> The only thing Checkmarx requires is that a mention we helped OWASP on
>>> this project can be made in our blog.  Once you confirm that is acceptable,
>>> I will work with my colleagues to scan the latest code, triage the results,
>>> and hold a results readout with you and Matt to review any findings.  Does
>>> that work for you and OWASP?
>>>
>>> Thanks,
>>>
>>> Sean
>>>
>>> *From:* Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
>>> *Sent:* Friday, December 15, 2017 6:50 PM
>>> *To:* Sean Matthiesen <Sean.Matthiesen at checkmarx.com>
>>> *Cc:* Zachary.Matthiesen at principia.edu; Matt Seil <xeno6696 at gmail.com>
>>> *Subject:* RE: Why is ESAPI for PHP no longer supported?
>>>
>>> Sean,
>>>
>>> I am sure that OWASP in general, and myself in particular, are okay with
>>> Checkmarx sharing any scan results. The only thing that we would ask is
>>> that if any actual vulnerabilities are found they are reported privately
>>> first to give us reasonable time to get a fix out. That is more to protect
>>> clients using ESAPI than it is to protect Matt, myself, or OWASP. So in
>>> that regard, Checkmarx can report scan results in any manner that you wish.
>>> There is no intent on my part to compare tool results to Fortify, Coverity,
>>> or anything else. I am simply trying to get better analysis of it. (In
>>> fact, once I get this crypto code finished, I hope to get a manual review
>>> with someone who has significant experience with cryptography. Last time,
>>> we had the NSA review it, but in retrospect, post-Snowden, it seems that
>>> they were not totally forthcoming with us as some rather obvious things
>>> were missed.) But, yeah, if Checkmarx wants to put some T&C on the scan
>>> results or even have me sign an NDA, I'm personally okay with that. My main
>>> goal is just to get any security weaknesses fixed.
>>>
>>> -kevin
>>> --
>>> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:
>>> @KevinWWall
>>> NSA: All your crypto bit are belong to us.
>>>
>>> On Dec 15, 2017 18:31, "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>
>>> wrote:
>>>
>>> Hi Kevin,
>>>
>>> Thank you for the quick response!  This evening, I started the process
>>> of getting authorization to scan ESAPI.  My boss wants me to write up a
>>> request.  My feeling is the results are for ESAPI internal use and are not
>>> to be compared to other tool results or used by other vendors to sell more
>>> product.  If the scan is for the sole purpose of improving ESAPI as I
>>> believe it is, then approval should not be a problem.  Our research team
>>> may also get involved in the effort.
>>>
>>> Great feedback on my LinkedIn profile!  I did not realize it does not
>>> show that I have been a developer since 1989 and lead several major
>>> development projects.  Most of my time has been spent writing code in Java
>>> and C++ .  In addition to Java and C++, I have written code in C, Pascal,
>>> PHP, Python, Lisp, Modula II, Fortran, COBOL, C#, Visual Basic, 8086
>>> assembly and ASP.  In my security consultant role, I have contributed code
>>> to Cigital, IBM, and Checkmarx.  One of my priorities over break will be to
>>> make my profile reflect my development experience better.  There is a "See
>>> more positions" link that shows my work history, but it does not emphasize
>>> my development side as well as it should.
>>>
>>> This weekend I'll take a look at the information you provided.  I look
>>> forward to contributing to the project and working with yourself, Matt and
>>> other contributors.
>>>
>>> Thanks,
>>>
>>> Sean
>>>
>>>
>>> -----Original Message-----
>>> From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
>>>
>>> Sent: Friday, December 15, 2017 5:12 PM
>>> To: Sean Matthiesen <Sean.Matthiesen at checkmarx.com>;
>>> Zachary.Matthiesen at principia.edu
>>> Cc: Matt Seil <xeno6696 at gmail.com>
>>> Subject: Re: Why is ESAPI for PHP no longer supported?
>>>
>>> Sean and Zachary,
>>>
>>> I am glad you are both eager to help with ESAPI.
>>>
>>> As far as contributing code, the only ESAPI project that currently has
>>> much life is 'ESAPI for Java'.
>>> (Okay, maybe that's not 100% accurate; I have heard rumors that
>>> SalesForce has an 'ESAPI for SalesForce' somewhere, but I am not aware of it
>>> at all. I would presume it is written in Apex, but am not sure.)
>>>
>>> Anyway, I don't know what / how much Java experience either of you have.
>>> (Sean: Your LinkedIn page didn't mention any programming languages that I
>>> could see.) But if you are up to helping out on the 'ESAPI for Java'
>>> project, take a look at the section 'Contributing to ESAPI legacy' at
>>>
>>>       https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md
>>>
>>> Then jump in, find a bug, fix it, make a PR.
>>>
>>> @Sean: Note that there is one other area where you might be able to make a
>>> contribution that most other folks can't. One thing you may be able to do
>>> is to pull down the latest from the 'develop' branch on GitHub at
>>> https://github.com/ESAPI/esapi-java-legacy.git and run a Checkmarx scan
>>> against it and report anything suspicious, share the report with Matt Seil
>>> (CC'd) and me, etc. Or even create a PR if you see anything clearly wrong in
>>> the scan results.  We have an (older) Coverity scan and I recently had Dan
>>> Cornell (Denim Group) run a Fortify scan for us, but would be interested if
>>> Checkmarx finds anything they did not.
>>>
>>> As always, if you have any questions, please don't hesitate to reach out
>>> and ask either Matt or myself.
>>>
>>> Thanks again for your interest in assisting,
>>>
>>> -kevin
>>> P.S.- If you become regular contributors, I will make you an
>>> official contributor on GitHub so you can commit directly and approve PRs,
>>> etc.
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>> --
>>
>> Sherif Mansour
>> OWASP Global Board Member & OWASP London Chapter Leader
>> Site: https://www.owasp.org/index.php/London
>> Email: sherif.mansour at owasp.org
>> Follow OWASP London Chapter on Twitter: @owasplondon <https://twitter.com/OWASPLondon>
>> "Like" us on Facebook: https://www.facebook.com/OWASPLondon
>> Subscribe to our (lightweight) mailing list: https://lists.owasp.org/mailman/listinfo/owasp-london
>>
>>
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>


-- 
*OWASP Foundation*
Karen Staley
Executive Director

karen.staley at owasp.org <kelly.santalucia at owasp.org>
Direct: +1 240.446.2951


*Consider giving back, and supporting the open source community by becoming
a member <https://www.owasp.org/index.php/Membership> or making a donation
<https://www.owasp.org/index.php/Donate> today! *

*Join us at AppSec Eu 2018 <https://2018.appsec.eu/> 2-6 July in London, UK
and at AppSec USA 2018 <https://2018.appsecusa.org/> 8-12 October in San
Jose, CA!*