[[Project Information:template Code Crawler|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
'''Project Deliveries & Objectives'''
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Code_Crawler|CodeCrawler's Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Code Crawler|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"| The application is easy to use and setup.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Code Crawler|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|Stable (100%)
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"| Would be helpful to have the community to work on improving the database of Code Crawler. Doing so will improve the accuracy of the engine and consequently the value of the tool
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|None
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|None
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"| No installation package, Not much documentation. (I'm working on these aspects and plan to do release them very soon).
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"| Database improvements (it's the database setup that makes the difference. The more accure and detailed descriptions, the more useful it is), Feedbacks.
|}

Project Information:template Code Crawler - Final Review - Self Evaluation - B

2009-03-16T15:52:09Z

Alessio.marziali:

2008-03-15T19:49:35Z

Alessio.marziali: /* Code Crawler */

'''This page contains project Applications to the [[OWASP_Summer_of_Code_2008|OWASP Summer Of Code 2008]]'''

= A few notes =
*'''If you want to apply for a SoC 2008 sponsorship you HAVE TO USE THIS PAGE for your application.'''
** See [[OWASP Summer of Code 2008#How To Participate (To Developers)|How To Participate]] for what to do once you completed your Application.
** Please remember that projects will be selected and funded based on how well they meet the [[OWASP Summer of Code 2008#Jury and Selection Criteria| Selection Criteria]].
** Please see [[OWASP Autumn of Code 2006 - Applications|AoC 06]] and [[OWASP Spring Of Code 2007 Applications|SpoC 07]] for examples of Applications.
* '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include [[OWASP Summer of Code 2008 Applications - Proposal Type|this information in your proposal]].
'''
= Applications - {Fill in below} =

== The Application Security Desk Reference - ASDR ==
* Leonardo Cavallari Militelli,
* [[ASDR Table of Contents|ASDR Table of Contents]]

== OWASP Code review guide, V1.1 ==
* Eoin Keary,
'''Code Review Guide Proposal''':

'''Introduction:'''The code review guide is currently at version RC 2.0 and the second best selling OWASP book.
I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.

It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project.

The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

'''Proposal:'''
I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.

'''Additional and expanded Chapters:''' 

'''Transactional analysis''' 
Expand chapter. 
Examples via diagrams. 

'''Threat Modeling and Analysis''' 
The approach to examining an application to be reviewed. 
Focusing on areas of interest. 

'''Example reports and how to write one''' 
How to determine the risk level of a finding. 

'''Automated code review''' 
Code crawler documentation and usage. 

'''Rich Internet Applications''' 
Expanded chapters on Flash, Ajax. 

'''The OWASP ESAPI (Enterprise Security API)''' 
What it is, Why use it. What to review. 

'''Code review Metrics:''' 
How to compile, use and analyse metrics. 
Rolling out metrics in the Enterprise. 

'''Integrating Code review with an existing SDLC'''
Integration of Secure Code review with an existing SDLC. 
Secure Code review roadmap definition. 
Documentation requirements. 
Scope definition. 
SDLC steering comittee establishment. 
Performace criteria, benchmarks and metrics. 
Integration of SDLC results into key IT governance areas. 
Critical success factors. 

== The OWASP Testing Guide v3 ==
* Matteo Meucci
* The OWASP Testing Guide v2 was a great success, with thousand downloads and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now it's time to begin a new project that is based on v2 but improve it and complete it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

* Information Gathering
* Business logic testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode analysis
3) Infrastructural test --> new category
4) Web Services section needs improvement
5) AJAX Testing section needs improvement
6) New category: Client side Testing. AJAX and Flash Testing

* This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

== Code Crawler ==
* Alessio Marziali aka nTze 

'''Description''' 
This tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code.
The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for "everyone"; Where "everyone" means a "more" companies performing a secure software activities. 
Key areas of improvement:
'''Reporting''' 
- PDF
- Microsoft Office Compatible Word Document
- HTML

'''Scanning''' 
- Multiple File scanned at the same time 
-- Open Microsoft Visual Studio's Solutions 

'''build a bigger database''' 
which will provide more information about the threats such vulnerability type (XSS,SQL Injection, Remote File Inclusion etc). 
'''Threats''' 
A feature that will let you save the threats for each project/document, so the reviewer can check how the development is going from a “security prospective” during the entire software lifecycle. 

Improvement of the code scan system. 

== The Owasp Orizon Project ==
* Paolo Perego (aka thesp0nge),
* The Owasp Orizon Project,

'''Introduction'''

The [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon Project] born in 2006 in order to provide a framework to all Owasp projects developing code review services.

The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS.
Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

[http://milk.sf.net Milk] project is a java code review tool I'm writing using Orizon as background engine. Its goal is to show engine capabilities.

'''Objectives and deliverables'''

* plugin architecture for static code review library: this planned feature will be announced (hopefully, if my CFP will be accepted) to next Owasp European App conf.
* starting C# support
* upgrade from Alpha quality project to Beta quality project in accord to [http://www.owasp.org/index.php/Category:OWASP_Project_Assessment Owasp Project Assessment criteria]

'''Why I should be sponsored for the project'''

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

In the last year Owasp Orizon evolved a lot with a good static code review engine and a lot of code was written to give Owasp guys the best framework as possible to be used for writing code review tools. I hope to pursuit my goals again with SoC 2008.

== Skavenger ==
* Matthias Rohr

'''Introduction'''

Skavenger is a web application security assessment toolkit which arised from many years of professional experience in the web application assessment field and is the result of nearly one your of work.

It passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeader plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, an insecure session management and several kinds of information disclosure). Skavenger's modular design allows the integration of custom scanning modules without any knowledge about the tool at all.

Skavenger is completely written in Perl and can be downloaded from:
https://sourceforge.net/projects/skavenger/

'''Objectives and deliverables'''

Here are some ideas:
* A GUI to monitor and analyze scanning results
* More sophisticated scanner modules (e.g. for better backend identification and more platform specific tests)
* Database integration
* API's to integrate modules in other languages (such as Python or Java).
* Better source integration with custom Firefox, Burp or (of course) WebScarab plugins

== OWASP .NET Project Leader ==
* Mark Roxberry

'''Project Proposal'''

Assume the lead of the OWASP .NET Project. Ensure that information, materials and software are relevant to building secure .NET web applications and services. Provide deep content for all roles related to .NET web applications and services including:

* Architectural guidance
* Developer tools, information and checklists
* IT professional content (for those that deploy and maintain .NET websites)
* Penetration testing resources
* Incident response resources

The OWASP .NET Project Leader will actively recruit .NET contributors, including personnel from Microsoft, but others throughout the .NET ecosystem. Including experts from communities from large companies to ISVs, from enterprise architects to ALT.NET developers will be important for the overall reach of the OWASP .NET project. Other communities to consider include developers who use Mono (.NET for Linux), including Moonlight (Silverlight for Linux).

The OWASP .NET Project Leader will actively contribute to the OWASP projects that require .NET resources, by recruiting resources or contributing to the project.

I propose to have the project active in 1-3 months, with continuous recruitment efforts for contributors for the life of the project. Metrics for success can include number of contributors, number of articles, search engine ranks for pages and site visit counts. For the application however, I will submit that within 3 months I can provide a baseline to set site goals for each metric.

'''Why I should be sponsored for the project'''

I have previously contributed to the OWASP Test Guide v2 project, providing content and reviewed content. I care about the OWASP mission. In fact, I have used the OWASP Top 10 to teach developers about vulnerabilities in web applications.

I have 15 years of technical leadership experience using Microsoft technologies. I have lead small and large teams as a technical lead, lead developer and architect on small and large projects. I am a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker. I am on top of current trends and required to be informed regarding .NET web development and security, including, for example ASP.NET MVC, Silverlight, Unity, Entity Framework. I am personally interested in providing security resources to .NET developers globally, specific and applicable to their projects.

== OWASP Backend Security Project ==
* Full name: Carlo Pelliccioni
* Project: OWASP Backend Security Project
* Project description:
:OWASP Backend Security Project is a new project created to improve and to collect the existant information about the backend security.
:The project is composed by three sections (security development, security hardening and security testing).
:The aim is to define the guidelines for the companies and IT professionals working in the security field into processes development and back-end components management/testing in the enterprise architecture.

* Objectives:

'''Overview'''
Create a section with an introduction about the project (high-level description) explaining the main
goals.

'''Development'''
Include the writings already existant in OWASP wiki concerning PHP,
JAVA and ASP.NET and extend the projects' sections with new contents.

'''Hardening'''
Create new guidelines about the dbms hardening

'''Testing'''
Include the writings already existant in OWASP wiki about security testing.
Create new articles about security testing.

OWASP Summer of Code 2008 Applications

2008-03-15T19:44:00Z

Alessio.marziali: /* Code Crawler */

'''This page contains project Applications to the [[OWASP_Summer_of_Code_2008|OWASP Summer Of Code 2008]]'''

= A few notes =
*'''If you want to apply for a SoC 2008 sponsorship you HAVE TO USE THIS PAGE for your application.'''
** See [[OWASP Summer of Code 2008#How To Participate (To Developers)|How To Participate]] for what to do once you completed your Application.
** Please remember that projects will be selected and funded based on how well they meet the [[OWASP Summer of Code 2008#Jury and Selection Criteria| Selection Criteria]].
** Please see [[OWASP Autumn of Code 2006 - Applications|AoC 06]] and [[OWASP Spring Of Code 2007 Applications|SpoC 07]] for examples of Applications.
* '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include [[OWASP Summer of Code 2008 Applications - Proposal Type|this information in your proposal]].
'''
= Applications - {Fill in below} =

== The Application Security Desk Reference - ASDR ==
* Leonardo Cavallari Militelli,
* [[ASDR Table of Contents|ASDR Table of Contents]]

== OWASP Code review guide, V1.1 ==
* Eoin Keary,
'''Code Review Guide Proposal''':

'''Introduction:'''The code review guide is currently at version RC 2.0 and the second best selling OWASP book.
I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.

It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project.

The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

'''Proposal:'''
I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.

'''Additional and expanded Chapters:''' 

'''Transactional analysis''' 
Expand chapter. 
Examples via diagrams. 

'''Threat Modeling and Analysis''' 
The approach to examining an application to be reviewed. 
Focusing on areas of interest. 

'''Example reports and how to write one''' 
How to determine the risk level of a finding. 

'''Automated code review''' 
Code crawler documentation and usage. 

'''Rich Internet Applications''' 
Expanded chapters on Flash, Ajax. 

'''The OWASP ESAPI (Enterprise Security API)''' 
What it is, Why use it. What to review. 

'''Code review Metrics:''' 
How to compile, use and analyse metrics. 
Rolling out metrics in the Enterprise. 

'''Integrating Code review with an existing SDLC'''
Integration of Secure Code review with an existing SDLC. 
Secure Code review roadmap definition. 
Documentation requirements. 
Scope definition. 
SDLC steering comittee establishment. 
Performace criteria, benchmarks and metrics. 
Integration of SDLC results into key IT governance areas. 
Critical success factors. 

== The OWASP Testing Guide v3 ==
* Matteo Meucci
* The OWASP Testing Guide v2 was a great success, with thousand downloads and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now it's time to begin a new project that is based on v2 but improve it and complete it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

* Information Gathering
* Business logic testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode analysis
3) Infrastructural test --> new category
4) Web Services section needs improvement
5) AJAX Testing section needs improvement
6) New category: Client side Testing. AJAX and Flash Testing

* This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

== Code Crawler ==
* '''Alessio Marziali''' 
'''Description:'''
This tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code.
The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for everyone. 
Key areas of improvement:
'''Reporting''' 
- PDF
- Microsoft Office Compatible Word Document
- HTML

'''Scanning''' 
- Multiple File scanned at the same time 
-- Open Microsoft Visual Studio's Solutions 

'''build a bigger database''' 
which will provide more information about the threats such vulnerability type (XSS,SQL Injection, Remote File Inclusion etc). 
'''Threats''' 
A feature that will let you save the threats for each project/document, so the reviewer can check how the development is going from a “security prospective” during the entire software lifecycle. 

Improvement of the code scan system. 

== The Owasp Orizon Project ==
* Paolo Perego (aka thesp0nge),
* The Owasp Orizon Project,

'''Introduction'''

The [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon Project] born in 2006 in order to provide a framework to all Owasp projects developing code review services.

The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS.
Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

[http://milk.sf.net Milk] project is a java code review tool I'm writing using Orizon as background engine. Its goal is to show engine capabilities.

'''Objectives and deliverables'''

* plugin architecture for static code review library: this planned feature will be announced (hopefully, if my CFP will be accepted) to next Owasp European App conf.
* starting C# support
* upgrade from Alpha quality project to Beta quality project in accord to [http://www.owasp.org/index.php/Category:OWASP_Project_Assessment Owasp Project Assessment criteria]

'''Why I should be sponsored for the project'''

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

In the last year Owasp Orizon evolved a lot with a good static code review engine and a lot of code was written to give Owasp guys the best framework as possible to be used for writing code review tools. I hope to pursuit my goals again with SoC 2008.

== Skavenger ==
* Matthias Rohr

'''Introduction'''

Skavenger is a web application security assessment toolkit which arised from many years of professional experience in the web application assessment field and is the result of nearly one your of work.

It passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeader plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, an insecure session management and several kinds of information disclosure). Skavenger's modular design allows the integration of custom scanning modules without any knowledge about the tool at all.

Skavenger is completely written in Perl and can be downloaded from:
https://sourceforge.net/projects/skavenger/

'''Objectives and deliverables'''

Here are some ideas:
* A GUI to monitor and analyze scanning results
* More sophisticated scanner modules (e.g. for better backend identification and more platform specific tests)
* Database integration
* API's to integrate modules in other languages (such as Python or Java).
* Better source integration with custom Firefox, Burp or (of course) WebScarab plugins

== OWASP .NET Project Leader ==
* Mark Roxberry

'''Project Proposal'''

Assume the lead of the OWASP .NET Project. Ensure that information, materials and software are relevant to building secure .NET web applications and services. Provide deep content for all roles related to .NET web applications and services including:

* Architectural guidance
* Developer tools, information and checklists
* IT professional content (for those that deploy and maintain .NET websites)
* Penetration testing resources
* Incident response resources

The OWASP .NET Project Leader will actively recruit .NET contributors, including personnel from Microsoft, but others throughout the .NET ecosystem. Including experts from communities from large companies to ISVs, from enterprise architects to ALT.NET developers will be important for the overall reach of the OWASP .NET project. Other communities to consider include developers who use Mono (.NET for Linux), including Moonlight (Silverlight for Linux).

The OWASP .NET Project Leader will actively contribute to the OWASP projects that require .NET resources, by recruiting resources or contributing to the project.

I propose to have the project active in 1-3 months, with continuous recruitment efforts for contributors for the life of the project. Metrics for success can include number of contributors, number of articles, search engine ranks for pages and site visit counts. For the application however, I will submit that within 3 months I can provide a baseline to set site goals for each metric.

'''Why I should be sponsored for the project'''

I have previously contributed to the OWASP Test Guide v2 project, providing content and reviewed content. I care about the OWASP mission. In fact, I have used the OWASP Top 10 to teach developers about vulnerabilities in web applications.

I have 15 years of technical leadership experience using Microsoft technologies. I have lead small and large teams as a technical lead, lead developer and architect on small and large projects. I am a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker. I am on top of current trends and required to be informed regarding .NET web development and security, including, for example ASP.NET MVC, Silverlight, Unity, Entity Framework. I am personally interested in providing security resources to .NET developers globally, specific and applicable to their projects.

== OWASP Backend Security Project ==
* Full name: Carlo Pelliccioni
* Project: OWASP Backend Security Project
* Project description:
:OWASP Backend Security Project is a new project created to improve and to collect the existant information about the backend security.
:The project is composed by three sections (security development, security hardening and security testing).
:The aim is to define the guidelines for the companies and IT professionals working in the security field into processes development and back-end components management/testing in the enterprise architecture.

* Objectives:

'''Overview'''
Create a section with an introduction about the project (high-level description) explaining the main
goals.

'''Development'''
Include the writings already existant in OWASP wiki concerning PHP,
JAVA and ASP.NET and extend the projects' sections with new contents.

'''Hardening'''
Create new guidelines about the dbms hardening

'''Testing'''
Include the writings already existant in OWASP wiki about security testing.
Create new articles about security testing.