[Owasp-board] Fwd: Re: Checkmarx scan of OWASP ESAPI Legacy

Sherif Mansour sherif.mansour at owasp.org
Thu Feb 22 08:41:06 UTC 2018


Hello Kevin,

You can put Checkmarx as a project sponsor
https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines
That way you avoid the conflict of interest.

@Karen/Martin this is actually good Kevin brought this up; the project
sponsorship guidelines focus on financial contributions, while other
resources such as licensing/software/development time are equally
important. ZAP is an example: its biggest supporters are Linux & Mozilla,
and both are providing developer time.

While I think the sponsorship guidelines are all-encompassing, it's important
to emphasise that. Let's see if it can be improved.

-Sherif

On Thu, 22 Feb 2018 at 5:06 am, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> OWASP Board,
>
> Someone from Checkmarx has offered to use their SAST engine (CxSAST) to
> scan ESAPI as long as we will allow them to mention Checkmarx helped OWASP
> on ESAPI in their blog
>
> I have no problem with this as long as it doesn't come off as OWASP endorsing
> Checkmarx. However I wanted to check with all of you first to ensure that
> this wouldn't violate any by-laws of OWASP or be perceived as a potential
> conflict of interest.
>
> The relevant parts of the thread are included below for context.
>
> Please advise. Thanks,
>
> -kevin
> P.S.- Matt has no objections to this either.
> --
> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
> NSA: All your crypto bit are belong to us.
> ---------- Forwarded message ----------
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Date: Feb 21, 2018 22:48
> Subject: Re: Checkmarx scan of OWASP ESAPI Legacy
> To: "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>
> Cc: "Matt Seil" <xeno6696 at gmail.com>
>
> Sean, that is fine with me personally as long as it doesn't come across as
> an endorsement of OWASP for Checkmarx, but let me run it across the OWASP
> board just to be 100% certain that it's not in violation of some obscure
> OWASP policy. Will get back to you in a few days.
>
> Thanks again.
> -kevin
> P.S.- Matt, if you have any personal objections, please speak up. I don't
> mean to speak for both of us.
> --
> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
> NSA: All your crypto bit are belong to us.
>
> On Feb 21, 2018 10:02 PM, "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>
> wrote:
>
> Hi Kevin,
>
> I know it has been a long time since we have exchanged emails.  Recently,
> I heard back from my management that I can move forward with scanning the
> Java ESAPI Legacy code base.
> The only thing Checkmarx requires is that a mention we helped OWASP on
> this project can be made in our blog.  Once you confirm that is acceptable,
> I will work with my colleagues to scan the latest code, triage the results,
> and hold a results readout with you and Matt to review any findings.  Does
> that work for you and OWASP?
>
> Thanks,
>
> Sean
>
> *From:* Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
> *Sent:* Friday, December 15, 2017 6:50 PM
> *To:* Sean Matthiesen <Sean.Matthiesen at checkmarx.com>
> *Cc:* Zachary.Matthiesen at principia.edu; Matt Seil <xeno6696 at gmail.com>
> *Subject:* RE: Why is ESAPI for PHP no longer supported?
>
> Sean,
>
> I am sure that OWASP in general, and myself in particular, are okay with
> Checkmarx sharing any scan results. The only thing that we would ask is
> that if any actual vulnerabilities are found they are reported privately
> first to give us reasonable time to get a fix out. That is more to protect
> clients using ESAPI than it is to protect Matt, myself, or OWASP. So in
> that regard, Checkmarx can report scan results in any manner that you wish.
> There is no intent on my part to compare tool results to Fortify, Coverity,
> or anything else. I am simply trying to get better analysis of it. (In
> fact, once I get this crypto code finished, I hope to get a manual review
> with someone who has significant experience with cryptography. Last time,
> we had the NSA review it, but in retrospect, post-Snowden, it seems that
> they were not totally forthcoming with us as some rather obvious things
> were missed.) But, yeah, if Checkmarx wants to put some T&C on the scan
> results or even have me sign an NDA, I'm personally okay with that. My main
> goal is just to get any security weaknesses fixed.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
> NSA: All your crypto bit are belong to us.
>
> On Dec 15, 2017 18:31, "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>
> wrote:
>
> Hi Kevin,
>
> Thank you for the quick response!  This evening, I started the process of
> getting authorization to scan ESAPI.  My boss wants me to write up a
> request.  My feeling is the results are for ESAPI internal use and are not
> to be compared to other tool results or used by other vendors to sell more
> product.  If the scan is for the sole purpose of improving ESAPI as I
> believe it is, then approval should not be a problem.  Our research team
> may also get involved in the effort.
>
> Great feedback on my LinkedIn profile!  I did not realize it does not show
> that I have been a developer since 1989 and lead several major development
> projects.  Most of my time has been spent writing code in Java and C++ .
> In addition to Java and C++, I have written code in C, Pascal, PHP, Python,
> Lisp, Modula II, Fortran, COBOL, C#, Visual Basic, 8086 assembly and ASP.
> In my security consultant role, I have contributed code to Cigital, IBM,
> and Checkmarx.  One of my priorities over break will be to make my profile
> reflect my development experience better.  There is a "See more positions"
> link that shows my work history, but it does not emphasize my development
> side as well as it should.
>
> This weekend I'll take a look at the information you provided.  I look
> forward to contributing to the project and working with yourself, Matt and
> other contributors.
>
> Thanks,
>
> Sean
>
>
> -----Original Message-----
> From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
>
> Sent: Friday, December 15, 2017 5:12 PM
> To: Sean Matthiesen <Sean.Matthiesen at checkmarx.com>;
> Zachary.Matthiesen at principia.edu
> Cc: Matt Seil <xeno6696 at gmail.com>
> Subject: Re: Why is ESAPI for PHP no longer supported?
>
> Sean and Zachary,
>
> I am glad you are both eager to help with ESAPI.
>
> As far as contributing code, the only ESAPI project that currently has
> much life is 'ESAPI for Java'.
> (Okay, maybe that's not 100% accurate; I have heard rumors that SalesForce
> has a 'ESAPI for SalesForce' somewhere, but I am not aware of it at all. I
> would presume it is written in Apex, but am not sure.)
>
> Anyway, I don't know what / how much Java experience either of you have.
> (Sean: Your LinkedIn page didn't mention any programming languages that I
> could see.) But if you are up to helping out on the 'ESAPI for Java'
> project, take a look at the section 'Contributing to ESAPI legacy' at
>
>       https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md
>
> Then jump in, find a bug, fix it, make a PR.
>
> @Sean: Note that there is one other area where you might be able to make a
> contribution that most other folks can't. One thing you may be able to do
> is to pull down the latest from the 'develop' branch on GitHub at
> https://github.com/ESAPI/esapi-java-legacy.git and run a Checkmarx scan
> against it and report anything suspicious, share the report with Matt Seil
> (CC'd) and me, etc. Or even create a PR if you see anything clearly wrong in
> the scan results.  We have an (older) Coverity scan and I recently had Dan
> Cornell (Denim Group) run a Fortify scan for us, but would be interested if
> Checkmarx finds anything they did not.
>
> As always, if you have any questions, please don't hesitate to reach out
> and ask either Matt or myself.
>
> Thanks again for your interest in assisting,
>
> -kevin
> P.S.- If you become regular contributors, I will make you an official
> contributor on GitHub so you can commit directly and approve PRs, etc.
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
-- 

Sherif Mansour
OWASP Global Board Member & OWASP London Chapter Leader
Site: https://www.owasp.org/index.php/London
Email: sherif.mansour at owasp.org
Follow OWASP London Chapter on Twitter: @owasplondon
<https://twitter.com/OWASPLondon>
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Subscribe to our (lightweight) mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-london