[Owasp-board] Fwd: Re: Checkmarx scan of OWASP ESAPI Legacy

Kevin W. Wall kevin.w.wall at gmail.com
Thu Feb 22 05:06:14 UTC 2018

​OWASP Board,

Someone from Checkmarx has offered to use their SAST engine (CxSAST) to
scan ESAPI as long as we will allow them to mention Checkmarx helped OWASP
on ESAPI in their blog

I have no problem with this as long it doesn't come off as OWASP endorsing
Checkmarx. However I wanted to check with all of you first to ensure that
this wouldn't violate any by-laws of OWASP or be perceived as a potential
conflict of interest.

The relevant parts of the thread is included below for context.

Please advise. Thanks,

P.S.- Matt has no objections to this either.​
Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.
---------- Forwarded message ----------
From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
Date: Feb 21, 2018 22:48
Subject: Re: Checkmarx scan of OWAP ESAPI Legacy
To: "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>
Cc: "Matt Seil" <xeno6696 at gmail.com>

Sean, that is fine with me personally as long as it doesn't come across as
an endorsement of OWASP for Checkmarx, but let me run it across the OWASP
board just to be 100% certain that it's not in violation of some obscure
OWASP policy. Will get back to you in a few days.

Thanks again.
P.S.- Matt, if you have any personal objections, please speak up. I don't
mean to speak for both of us.
Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.

On Feb 21, 2018 10:02 PM, "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>

Hi Kevin,

I know it has been a long time since we have exchanged emails.  Recently, I
heard back from my management that I can move forward with scanning the
Java ESAPI Legacy code base.
The only thing Checkmarx requires is that a mention we helped OWASP on this
project can be made in our blog.  Once you confirm that is acceptable, I
will work with my colleagues to scan the latest code, triage the results,
and hold a results readout with you and Matt to review any findings.  Does
that work for you and OWASP?



*From:* Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
*Sent:* Friday, December 15, 2017 6:50 PM
*To:* Sean Matthiesen <Sean.Matthiesen at checkmarx.com>
*Cc:* Zachary.Matthiesen at principia.edu; Matt Seil <xeno6696 at gmail.com>
*Subject:* RE: Why is ESAPI for PHP no longer supported?


I am sure that OWASP in general, and myself in particular, are okay with
Checkmarx sharing any scan results. The only thing that we would ask is
that if any actual vulnerabilities are found the are reported privately
first to give us reasonable time to get a fix out. That is more to protect
clients using ESAPI than it is to protect Matt, myself, or OWASP. So in
that regard, Checkmarx can report scan results in any manner that you wish.
Their is no intent on my part to compare tool results to Fortify, Coverity,
or anything else. I am simply trying to get better analysis of it. (In
fact, once I get this crypto code finished, I hope to get a manual review
with someone who has significant experience with cryptography. Last time,
we had the NSA review it, but in retrospect, post-Snowden, it seems that
they were not totally forthcoming with us as some rather obvious things
were missed.) But, yeah, if Checkmarx wants to put some T&C on the scan
results or even have me sign an NDA, I'm personally okay with that. My main
goal is just to get any security weaknesses fixed.

Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.

On Dec 15, 2017 18:31, "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>

Hi Kevin,

Thank you for the quick response!  This evening, I started the process of
getting authorization to scan ESAPI.  My boss wants me to write up a
request.  My feeling is the result are for ESAPI internal use and are not
to be compared to other tool results or used by other vendors to sell more
product.  If the scan is for the sole purpose of improving ESAPI as I
believe it is, then approval should not be a problem.  Our research team
may also get involved in the effort.

Great feedback on my LinkedIn profile!  I did not realize it does not show
that I have been a developer since 1989 and lead several major development
projects.  Most of my time has been spent writing code in Java and C++ .
In addition to Java and C++, I have written code in C, Pascal, PHP, Python,
Lisp, Modula II, Fortran, COBOL, C#, Visual Basic, 8086 assembly and ASP.
In my security consultant role, I have contributed code to Cigital, IBM,
and Checkmarx.  One of my priorities over break will be to make my profile
reflect development my experience better.  There is a "See more positions"
link that shows my work history, but it does not emphasize my development
side as well as it should.

This weekend I'll take a look at the information you provided.  I look
forward to contributing to the project and working with yourself, Matt and
other contributors.



-----Original Message-----
From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]

Sent: Friday, December 15, 2017 5:12 PM
To: Sean Matthiesen <Sean.Matthiesen at checkmarx.com>;
Zachary.Matthiesen at principia.edu
Cc: Matt Seil <xeno6696 at gmail.com>
Subject: Re: Why is ESAPI for PHP no longer supported?

Sean and Zachary,

I am glad you are both eager to help with ESAPI.

As far as contributing codes, the only ESAPI project that currently as much
life is 'ESAPI for Java'.
(Okay, maybe that's not 100% accurate; I have heard rumors that SalesForce
has a 'ESAPI for SalesForce' somewhere, but I am not aware of it at all. I
would presume it is written in Apex, but am not sure.)

Anyway, I don't know what / how much Java experience either of you have.
(Sean: Your LinkedIn page didn't mention any programming languages that I
could see.) But if you are up to helping out on the 'ESAPI for Java'
project, take a look at the section 'Contributing to ESAPI legacy' at


Then jump in, find a bug, fix it, make a PR.

@Sean: Note that there is one other area where might be able to make a
contribution that most other folks can't. One thing you may be able to do
is to pull down the latest from the 'develop' branch on GitHub at
https://github.com/ESAPI/esapi-java-legacy.git and run a Checkmarx scan
against it and report anything suspicious, share the report with Matt Seil
(CC'd) and I, etc. Or even create a PR if you see anything clearly wrong in
the scan results.  We have an (older) Coverity scan and I recently had Dan
Cornell (Denim Group) run a Fortify scan for us, but would be interested if
Checkmarx finds anything they did not.

As always, if you have any questions, please don't hesitate to reach out
and ask either Matt or myself.

Thanks again in your interest in assisting,

P.S.- If you become regular contributors, I will give make you an official
contributor on GitHub so you can commit directly and approve PRs, etc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20180222/789b0b72/attachment.html>

More information about the Owasp-board mailing list