Thank you for visiting the OpenWAVES project!

OpenWAVES stood for Open Web Application Vulnerability and Error Scanner. I started OpenWAVES back in 2001, together with some colleagues and friends from all over the world. We first built WAVES, a blackbox Web scanning tool that identifies both Web application vulnerabilities and drive-by downloads, and then WebSSARI (Web Security via Static Analysis and Runtime Inspection), a whitebox static analysis (source code analysis) tool. Over the years, we had many well-cited, award-winning publications; in particular, our first WAVES paper was published in WWW 2003 (ACM & W3C) and was nominated for the Best Paper Award, while our first WebSSARI paper was published in WWW 2004 and was also nominated for the Best Paper Award.

Because we received many requests expressing interest in bringing our research projects to commercial use, we started Armorize Technologies in Jan 2006, and friends relocated together to become colleagues. Today, WAVES has been commercialized into HackAlert, and WebSSARI has been commercialized into CodeSecure.

When establishing Armorize (end of 2005), we got too busy and forgot to renew the openwaves.net domain, and it was taken from us. We were finally able to buy the domain back in April 2008.

Today, CodeSecure supports popular Web languages such as PHP, J2EE, JavaScript, traditional ASP and .NET (ASP.NET, C# and VB.NET). We do miss the good old days when we could focus all of our time on research, but now with Armorize we still get to do a fair amount of research, while being backed by a whole engineering team when it comes to implementation.

As you know, in order to have a precise representation of a piece of code, it is preferable to implement your own parser for a language rather than integrating with existing compilers and relying on their public interfaces and the limited set of data structures they are willing to expose. Moreover, many popular Web languages (e.g., PHP, Perl, and Python) are scripting (interpreted) languages by nature, and no "official" compilers exist. But writing a parser and handling file inclusion, object orientation, polymorphism, scoping, pointer aliasing, etc., is a lot of effort. At Armorize, a big team takes care of all of these, which allows the founders to focus on advancing the actual verification algorithms.
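To make the point concrete, here is an added illustration (it is not OpenWAVES, WebSSARI or CodeSecure code) of why a scanner wants its own front end: a toy PHP-like subset is parsed into a small AST, and a taint-style data-flow check is run over it, with `include` resolved by the analyzer itself so that variables flow across file boundaries in one shared scope, as they do in PHP. The statement grammar, the source/sanitizer/sink tables and the in-memory project files are all constructed assumptions for this example.

```python
import re

# Constructed in-memory "project": PHP-like snippets keyed by file name (sample input).
FILES = {
    "index.php": [
        "$name = $_GET['name'];",            # untrusted input enters here
        "$safe = htmlspecialchars($name);",  # sanitized copy
        "include 'banner.php';",             # included file shares this scope
        "echo $safe;",                       # safe sink
        "echo $greeting;",                   # tainted via banner.php
    ],
    "banner.php": [
        "$greeting = 'Hello ' . $name;",     # reads $name from the includer's scope
    ],
}

# Assumed policy tables for the toy language (not a real PHP model).
SOURCES = {"$_GET", "$_POST", "$_COOKIE"}
SANITIZERS = {"htmlspecialchars", "intval"}

# Hand-written statement grammar: one statement per line, three statement kinds.
ASSIGN = re.compile(r"^\$(\w+)\s*=\s*(.+?);$")
INCLUDE = re.compile(r"^include\s+'([^']+)';$")
SINK = re.compile(r"^(echo)\s+(.+?);$")
VAR = re.compile(r"\$\w+")
CALL = re.compile(r"^(\w+)\((.*)\)$")


def parse(lines):
    """Turn each statement into a small tuple AST; unsupported statements raise."""
    ast = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if m := ASSIGN.match(line):
            ast.append(("assign", n, "$" + m.group(1), m.group(2)))
        elif m := INCLUDE.match(line):
            ast.append(("include", n, m.group(1)))
        elif m := SINK.match(line):
            ast.append(("sink", n, m.group(1), m.group(2)))
        else:
            raise ValueError(f"line {n}: unsupported statement {line!r}")
    return ast


def expr_tainted(expr, tainted):
    """An expression is tainted if it reads a source or a tainted variable,
    unless the whole expression is a call to a known sanitizer."""
    if (m := CALL.match(expr)) and m.group(1) in SANITIZERS:
        return False
    return any(v in SOURCES or v in tainted for v in VAR.findall(expr))


def analyze(files, entry, tainted=None, findings=None, stack=()):
    """Propagate taint through one file, following includes into the same scope.
    Returns a list of (file, line, sink, expression) findings."""
    tainted = set() if tainted is None else tainted
    findings = [] if findings is None else findings
    if entry in stack:          # guard against include cycles
        return findings
    for node in parse(files[entry]):
        kind, n = node[0], node[1]
        if kind == "assign":
            _, _, var, expr = node
            if expr_tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)   # reassignment with clean data clears taint
        elif kind == "include":
            # Same 'tainted' set: the included file runs in the includer's scope.
            analyze(files, node[2], tainted, findings, stack + (entry,))
        elif kind == "sink":
            _, _, sink, expr = node
            if expr_tainted(expr, tainted):
                findings.append((entry, n, sink, expr))
    return findings


if __name__ == "__main__":
    for f, n, sink, expr in analyze(FILES, "index.php"):
        print(f"{f}:{n}: tainted data reaches {sink} ({expr})")
```

The analysis reports `echo $greeting` in index.php and stays silent on `echo $safe`; it can do so only because the analyzer, not an external compiler, decides how `include` and variable scope are modelled. Every one of the features listed above (object orientation, polymorphism, aliasing) would need the same kind of explicit handling in a real tool.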

Based on experience gained from scanning a billion pieces of real-world customer code, we have advanced our algorithms far beyond what was published in our WWW 2003 / 2004 and subsequent papers. We regret that we have not had time to publish more, but we look forward to doing so once we have spare time.

We're all big fans of the Web and the software-as-a-service (SaaS) delivery model. Therefore, both CodeSecure and HackAlert are fully Web-based; you can try them directly online.

So, we will maintain this website just as in the past, and will regularly publish our research here. Thank you to everyone who has cited our papers in your publications!

CodeSecure is free for all open source projects. If you're involved in an open source project and would like to use CodeSecure, feel free to email me.

Wayne and the OpenWAVES team

ywhuang@openwaves.net

April 21, 2008.

A list of all of our publications:

[WebSSARI] (Static analysis / source code analysis / whitebox)

Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo. "Securing Web Application Code by Static Analysis and Runtime Protection." In Proceedings of the Thirteenth International World Wide Web Conference (WWW2004), pages 40-52, New York, May 17-22, 2004. (Acceptance rate 14.6%) [PDF] [ACM DOI] [BibTex]

Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo. "Verifying Web Applications Using Bounded Model Checking." In Proceedings of the 2004 International Conference on Dependable Systems and Networks (DSN2004), pages 199-208, Florence, Italy, Jun 28-Jul 1, 2004. (Acceptance rate 22.8%) [PDF] [IEEE DOI] [BibTex]


[WAVES] (Dynamic analysis / blackbox PLUS drive-by-download detection)

Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, Chung-Hung Tsai. "Web Application Security Assessment by Fault Injection and Behavior Monitoring." In Proceedings of the Twelfth International Conference on World Wide Web (WWW2003), pages 148-159, May 21-25, Budapest, Hungary, 2003. (Acceptance rate 12.8%) [PDF] [ACM DOI] [BibTex]

Yao-Wen Huang, Chung-Hung Tsai, Tsung-Po Lin, Shih-Kun Huang, D. T. Lee, Sy-Yen Kuo. "A Testing Framework for Web Application Security Assessment." Journal of Computer Networks, 48(5), Aug 2005. [PDF] [COMNET DOI] [BibTex]

Yao-Wen Huang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo. "Non-Detrimental Web Application Security Scanning." In Proceedings of the Fifteenth IEEE International Symposium on Software Reliability Engineering (ISSRE2004), Nov 2-5, Rennes and Saint-Malo, France, 2004. [PDF] [IEEE DOI] [BibTex]


[Other security papers]

Yao-Wen Huang, Shih-Kun Huang. "A Survey on Current Approaches to Active Content Protection." In Proceedings of the 2002 Conference on Internet Security. Chinese Open Systems Association, Taipei, Nov 2002.

Yao-Wen Huang, Shih-Kun Huang. "A Comparison of Current Network Mapping Methods and Techniques." Information Security Newsletter, 7(2), pages 52-75, March 2001.


[Other papers]

Fang Yu, Bow-Yaw Wang, Yao-Wen Huang. "Bounded Model Checking for Region Automata." In Proceedings of the Joint Conference on Formal Modeling and Analysis of Timed Systems / Formal Techniques in Real-Time and Fault Tolerant Systems (FORMATS-FTRTFT 2004), Grenoble, France, Sep 22-24, 2004. LNCS, Springer.

Der-Tsai Lee, Gen-Cher Lee, Yao-Wen Huang. "Knowledge Management for Computational Problem Solving." Journal of Universal Computer Science (JUCS), 9(6):563-570, 2003.

Fang Yu, Chung-Hung Tsai, Yao-Wen Huang, Hung-Yau Lin, Der-Tsai Lee, Sy-Yen Kuo. "Efficient Exact Spare Allocation via Boolean Satisfiability." In Proceedings of the 20th IEEE International Symposium on Defect and Fault Tolerance in VLSI Systems (DFT 2005).