[Owasp-board] Fwd: Re: Checkmarx scan of OWASP ESAPI Legacy

psiinon psiinon at gmail.com
Thu Feb 22 09:22:06 UTC 2018


For info we also use a closed source installer (Install4J).
We've been given a free license for this on the basis that we've included a
link to them from
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Features
(the 'multi-platform installer builder' link).
I think this sounds equivalent to the support of ESAPI.

Cheers,

Simon

On Thu, Feb 22, 2018 at 8:41 AM, Sherif Mansour <sherif.mansour at owasp.org>
wrote:

> Hello Kevin,
>
> You can put Checkmarx as a project sponsor
> https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines
> That way you avoid the conflict of interest.
>
> @Karen/Martin this is actually good Kevin brought this up; the project
> sponsorship guidelines focus on financial contributions, while other
> resources such as licensing/software/development time are equally as
> important. ZAP is an example, its biggest supporters are Linux & Mozilla,
> and both are providing developer time.
>
> While I think the sponsorship guidelines are all encompassing, it's
> important to emphasise that. Let's see if it can be improved.
>
> -Sherif
>
> On Thu, 22 Feb 2018 at 5:06 am, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
>
>> OWASP Board,
>>
>> Someone from Checkmarx has offered to use their SAST engine (CxSAST) to
>> scan ESAPI as long as we will allow them to mention Checkmarx helped OWASP
>> on ESAPI in their blog
>>
>> I have no problem with this as long it doesn't come off as OWASP
>> endorsing Checkmarx. However I wanted to check with all of you first to
>> ensure that this wouldn't violate any by-laws of OWASP or be perceived as a
>> potential conflict of interest.
>>
>> The relevant parts of the thread are included below for context.
>>
>> Please advise. Thanks,
>>
>> -kevin
>> P.S.- Matt has no objections to this either.
>> --
>> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:
>> @KevinWWall
>> NSA: All your crypto bit are belong to us.
>> ---------- Forwarded message ----------
>> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
>> Date: Feb 21, 2018 22:48
>> Subject: Re: Checkmarx scan of OWASP ESAPI Legacy
>> To: "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>
>> Cc: "Matt Seil" <xeno6696 at gmail.com>
>>
>> Sean, that is fine with me personally as long as it doesn't come across
>> as an endorsement of OWASP for Checkmarx, but let me run it across the
>> OWASP board just to be 100% certain that it's not in violation of some
>> obscure OWASP policy. Will get back to you in a few days.
>>
>> Thanks again.
>> -kevin
>> P.S.- Matt, if you have any personal objections, please speak up. I don't
>> mean to speak for both of us.
>> --
>> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:
>> @KevinWWall
>> NSA: All your crypto bit are belong to us.
>>
>> On Feb 21, 2018 10:02 PM, "Sean Matthiesen" <
>> Sean.Matthiesen at checkmarx.com> wrote:
>>
>> Hi Kevin,
>>
>> I know it has been a long time since we have exchanged emails.  Recently,
>> I heard back from my management that I can move forward with scanning the
>> Java ESAPI Legacy code base.
>>
>> The only thing Checkmarx requires is that a mention we helped OWASP on
>> this project can be made in our blog.  Once you confirm that is acceptable,
>> I will work with my colleagues to scan the latest code, triage the results,
>> and hold a results readout with you and Matt to review any findings.  Does
>> that work for you and OWASP?
>>
>> Thanks,
>>
>> Sean
>>
>> *From:* Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
>> *Sent:* Friday, December 15, 2017 6:50 PM
>> *To:* Sean Matthiesen <Sean.Matthiesen at checkmarx.com>
>> *Cc:* Zachary.Matthiesen at principia.edu; Matt Seil <xeno6696 at gmail.com>
>> *Subject:* RE: Why is ESAPI for PHP no longer supported?
>>
>> Sean,
>>
>> I am sure that OWASP in general, and myself in particular, are okay with
>> Checkmarx sharing any scan results. The only thing that we would ask is
>> that if any actual vulnerabilities are found they are reported privately
>> first to give us reasonable time to get a fix out. That is more to protect
>> clients using ESAPI than it is to protect Matt, myself, or OWASP. So in
>> that regard, Checkmarx can report scan results in any manner that you wish.
>> There is no intent on my part to compare tool results to Fortify, Coverity,
>> or anything else. I am simply trying to get better analysis of it. (In
>> fact, once I get this crypto code finished, I hope to get a manual review
>> with someone who has significant experience with cryptography. Last time,
>> we had the NSA review it, but in retrospect, post-Snowden, it seems that
>> they were not totally forthcoming with us as some rather obvious things
>> were missed.) But, yeah, if Checkmarx wants to put some T&C on the scan
>> results or even have me sign an NDA, I'm personally okay with that. My main
>> goal is just to get any security weaknesses fixed.
>>
>> -kevin
>> --
>> Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:
>> @KevinWWall
>> NSA: All your crypto bit are belong to us.
>>
>> On Dec 15, 2017 18:31, "Sean Matthiesen" <Sean.Matthiesen at checkmarx.com>
>> wrote:
>>
>> Hi Kevin,
>>
>> Thank you for the quick response!  This evening, I started the process of
>> getting authorization to scan ESAPI.  My boss wants me to write up a
>> request.  My feeling is the results are for ESAPI internal use and are not
>> to be compared to other tool results or used by other vendors to sell more
>> product.  If the scan is for the sole purpose of improving ESAPI as I
>> believe it is, then approval should not be a problem.  Our research team
>> may also get involved in the effort.
>>
>> Great feedback on my LinkedIn profile!  I did not realize it does not
>> show that I have been a developer since 1989 and lead several major
>> development projects.  Most of my time has been spent writing code in Java
>> and C++ .  In addition to Java and C++, I have written code in C, Pascal,
>> PHP, Python, Lisp, Modula II, Fortran, COBOL, C#, Visual Basic, 8086
>> assembly and ASP.  In my security consultant role, I have contributed code
>> to Cigital, IBM, and Checkmarx.  One of my priorities over break will be to
>> make my profile reflect my development experience better.  There is a "See
>> more positions" link that shows my work history, but it does not emphasize
>> my development side as well as it should.
>>
>> This weekend I'll take a look at the information you provided.  I look
>> forward to contributing to the project and working with yourself, Matt and
>> other contributors.
>>
>> Thanks,
>>
>> Sean
>>
>>
>> -----Original Message-----
>> From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
>>
>> Sent: Friday, December 15, 2017 5:12 PM
>> To: Sean Matthiesen <Sean.Matthiesen at checkmarx.com>;
>> Zachary.Matthiesen at principia.edu
>> Cc: Matt Seil <xeno6696 at gmail.com>
>> Subject: Re: Why is ESAPI for PHP no longer supported?
>>
>> Sean and Zachary,
>>
>> I am glad you are both eager to help with ESAPI.
>>
>> As far as contributing code, the only ESAPI project that currently has
>> much life is 'ESAPI for Java'.
>> (Okay, maybe that's not 100% accurate; I have heard rumors that
>> SalesForce has a 'ESAPI for SalesForce' somewhere, but I am not aware of it
>> at all. I would presume it is written in Apex, but am not sure.)
>>
>> Anyway, I don't know what / how much Java experience either of you have.
>> (Sean: Your LinkedIn page didn't mention any programming languages that I
>> could see.) But if you are up to helping out on the 'ESAPI for Java'
>> project, take a look at the section 'Contributing to ESAPI legacy' at
>>
>>       https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md
>>
>> Then jump in, find a bug, fix it, make a PR.
>>
>> @Sean: Note that there is one other area where you might be able to make a
>> contribution that most other folks can't. One thing you may be able to do
>> is to pull down the latest from the 'develop' branch on GitHub at
>> https://github.com/ESAPI/esapi-java-legacy.git and run a Checkmarx scan
>> against it and report anything suspicious, share the report with Matt Seil
>> (CC'd) and me, etc. Or even create a PR if you see anything clearly wrong in
>> the scan results.  We have an (older) Coverity scan and I recently had Dan
>> Cornell (Denim Group) run a Fortify scan for us, but would be interested if
>> Checkmarx finds anything they did not.
>>
>> As always, if you have any questions, please don't hesitate to reach out
>> and ask either Matt or myself.
>>
>> Thanks again for your interest in assisting,
>>
>> -kevin
>> P.S.- If you become regular contributors, I will make you an
>> official contributor on GitHub so you can commit directly and approve PRs,
>> etc.
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
> --
>
> Sherif Mansour
> OWASP Global Board Member & OWASP London Chapter Leader
> Site: https://www.owasp.org/index.php/London
> Email: sherif.mansour at owasp.org
> Follow OWASP London Chapter on Twitter: @owasplondon  <https://twitter.com/OWASPLondon>
> "Like" us on Facebook: https://www.facebook.com/OWASPLondon
> Subscribe to our (lightweight) mailing list: https://lists.owasp.org/mailman/listinfo/owasp-london
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader