OWASP - User contributions [en]

Category:OWASP Web Application Security Put Into Practice

2008-11-23T12:08:02Z

Hawe:

{{OWASP Book|1412042}}

== About ==

This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explanation educate the best.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

== Objectives ==
* Create a security guide to the most popular web server software, Apache
* Create a security guide to the popular database software, MySQL
* Ruby on Rails security guide and code examples for each of the OWASP Top Ten

== Spring Of Code 007 ==
This project was selected for the spring of code 007 [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Heiko_-_Web_Application_Security_put_into_practice].

'''Progress'''
* Apache Guide (done)
* MySQL Guide (done)
* Ruby On Rails Guide (done)

== Resources ==
* The final output [http://www.owasp.org/index.php/Image:Owasp-rails-security.pdf]
* The Ruby on Rails Security project [http://www.rorsecurity.info/]

Category:OWASP Web Application Security Put Into Practice

2008-11-23T12:07:41Z

Hawe:

{{OWASP Book|1412042}}

== About ==

This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explanation educate the best.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

== Objectives ==
* Create a security guide to the most popular web server software, Apache
* Create a security guide to the popular database software, MySQL
* Ruby on Rails security guide and code examples for each of the OWASP Top Ten

== Spring Of Code 007 ==
This project was selected for the spring of code 007 [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Heiko_-_Web_Application_Security_put_into_practice].

'''Progress'''
* Apache Guide (done)
* MySQL Guide (done)
* Ruby On Rails Guide (on the way)

== Resources ==
* The final output [http://www.owasp.org/index.php/Image:Owasp-rails-security.pdf]
* The Ruby on Rails Security project [http://www.rorsecurity.info/]

Project Information:template Ruby on Rails Security Guide V2

2008-10-26T21:22:17Z

Hawe:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Ruby on Rails Security Guide V2'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The last security guide for [[:Category:OWASP Web Application Security Put Into Practice|Rails]] was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The [http://www.rorsecurity.info/ Ruby on Rails Security Project] is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a [http://www.lulu.com/content/1412042 book]. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:heikowebers(at)gmx.net '''Heiko Webers''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-ruby-on-rails-v2 '''Mailing List/Subscribe'''] [mailto:OWASP-Ruby-on-Rails-V2(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:mendrel-a-gmail.com '''Anthony Shireman'''] [[:OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Anthony Shireman Background|Bio]]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:jons0022-at-unf.edu '''Steve Jones'''] [[:OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Steve Jones Background|Bio]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://www.owasp.org/index.php/Image:Owasp_rails_security2.pdf '''Download The Ruby on Rails Security Guide version 2''']
* (If appropriate, links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[[:Category:OWASP Web Application Security Put Into Practice|OWASP Web Application Security Put Into Practice]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes, completed by 80%''' --------- [[Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes, updating formatting for final''' --------- [[Project Information:template Ruby on Rails Security Guide V2 - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Ruby on Rails Security Guide V2 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? Yes, 100%. --------- Which status has been reached? Release --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Beta''' '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Project Information:template Ruby on Rails Security Guide V2 - Final Review - Self Evaluation - B

2008-10-24T16:04:04Z

Hawe:

[[Project Information:template Ruby on Rails Security Guide V2|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|OWASP The Ruby on Rails Security Guide V2 Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|Everything is done, including the all-new fast-reading support (by highlights), yeah.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|100%
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|Comments? Send me an e-mail!
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|The presentation is still missing, will be ready for the EU Summit.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Ruby on Rails Security Guide V2

2008-10-24T15:54:56Z

Hawe:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Ruby on Rails Security Guide V2'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The last security guide for [[:Category:OWASP Web Application Security Put Into Practice|Rails]] was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The [http://www.rorsecurity.info/ Ruby on Rails Security Project] is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a [http://www.lulu.com/content/1412042 book]. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:heikowebers(at)gmx.net '''Heiko Webers''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-ruby-on-rails-v2 '''Mailing List/Subscribe'''] [mailto:OWASP-Ruby-on-Rails-V2(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:mendrel-a-gmail.com '''Anthony Shireman'''] [[:OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Anthony Shireman Background|Bio]]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:jons0022-at-unf.edu '''Steve Jones'''] [[:OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Steve Jones Background|Bio]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://www.owasp.org/index.php/Image:Owasp_rails_security2.pdf '''Download The Ruby on Rails Security Guide version 2''']
* (If appropriate, links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[[:Category:OWASP Web Application Security Put Into Practice|OWASP Web Application Security Put Into Practice]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes, completed by 80%''' --------- [[Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes, updating formatting for final''' --------- [[Project Information:template Ruby on Rails Security Guide V2 - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Ruby on Rails Security Guide V2 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

File:Owasp-rails-security.pdf

2008-10-24T15:52:08Z

Hawe: uploaded a new version of "Image:Owasp-rails-security.pdf": The all new version 2 by Heiko Webers.

Web Application Security Put Into Practice - Ruby On Rails Security

File:Owasp rails security2.pdf

2008-10-24T15:50:54Z

Hawe: The new version 2 of the Ruby on Rails Security Guide covers the OWASP Top Ten, Rails version 2 and has a better and more compact writing style.

The new version 2 of the Ruby on Rails Security Guide covers the OWASP Top Ten, Rails version 2 and has a better and more compact writing style.

OWASP EU Summit 2008

2008-08-20T14:50:49Z

Hawe:

(WORK IN PROGRESS /UNDER DISCUSSION)
== UPDATES ==
*[[OWASP EU Summit 2008 - updates|'''OWASP EU Summit 2008 - updates''']]

== What: OWASP Summit, a conference about OWASP and for OWASP's community ==
=== When: 4 to 7 Nov 2008 (4 & 5: Meetings and Training, 6 & 7: Conference) ===
=== Where: Portugal ===
Faro or Lisbon
=== Organization===
Dinis Cruz, Paulo Coimbra and the OWASP Summit Team - Eduardo Neves, Leonardo Cavallari Militelli, Mark Roxberry, Michael Coates, Arturo 'Buanzo' Busleiman.

== Agenda ==
Theme: Present OWASP's projects, community and activities ..... '....Connecting the dots.... "

'''Day 1 & 2'''
*Training sessions (similar to what happens at the moment at the other OWASP conferences)
*OWASP Working Group sessions (1/2 day each) on:
** OWASP Governance, "What is OWASP's position on ...." & Action Plan for 2009
** ESAPI
** Browser Security
** OWASP Top 10 2009

'''Day 3 & 4 Agenda:'''
* Presentations from AoC, SpoC and SoC Participants
* Presentations from 'Release' Quality OWASP projects (not included in the list above) or Key OWASP projects (like ESAPI)
* Presentations about OWASP : How it works, Financial reports, OotM (OWASP on the Move), new project management guidelines, local chapter finances, OWASP governance
* Presentation from Chapter leaders on the activities developed on their project
* Discussion on next steps for OWASP and focus of next OWASP financial investment plans

Other ideas:

* vote on 6th OWASP board member (Candidates to Apply)

== other details==

'''Projected Attendees:450 '''
* 200 with some (or all) expenses covered by OWASP
** 33 SoC participants
** 70 SoC reviewers
** 10 SoC Collaborators
** 15 AoC & SpoC participants
** 15 Chapter Leaders
** 8 OWASP Board & Employees
** 49 OWASP non-individual members (2x per 9k Corporate? 1x for the others?)

=== Financial details ===
'''Expenses'''
* Accommodation & meals: 80,000 USD = 400 USD per person (200x) for 3 nights accommodation and 5 meals (3 dinners and 2 lunches)
* Flights & Trains : 70,000 USD

'''Revenue sources'''
* Tickets (for the 250 non 'OWASP invited' attendees)
* Training Sessions
* Conference sponsors

== Provisory list of 'expenses paid' participants ==

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECTED CONFERENCE PAID ATTENDEES AND/OR SPEAKERS - NEEDS OWASP BOARD CONFIRMATION'''
|-
| style="width:20%; background:#b3b3b3" align="center"|'''NAME'''
| style="width:40%; background:#b3b3b3" align="center"|'''POSITION/REASON OF ATTENDANCE'''
| style="width:20%; background:#b3b3b3" align="center"|'''COUNTRY'''
| style="width:20%; background:#b3b3b3" align="center"|'''DEPARTURE (AIRPORT/CITY)'''
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP BOARD MEMBERS & EMPLOYEES'''
|-
| style="width:20%; background:#cccccc" align="center"|Williams
| style="width:40%; background:#cccccc" align="center"|Board, Chair, Wiki, Management
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Dave Wichers
| style="width:40%; background:#cccccc" align="center"|Board, Conferences, Financials
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Dinis Cruz
| style="width:40%; background:#cccccc" align="center"|Board, Firehose of Ideas and Money spender
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Tom Brennan
| style="width:40%; background:#cccccc" align="center"|Board, OWASP Governance
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Sebastien Deleersnyder
| style="width:40%; background:#cccccc" align="center"|Board, OWASP Chapters and Projects
| style="width:20%; background:#cccccc" align="center"|Belgium
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Paulo Coimbra
| style="width:40%; background:#cccccc" align="center"|Employee, Project Manager
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann
| style="width:40%; background:#cccccc" align="center"|Employee, Operations Director
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Alison McNamee
| style="width:40%; background:#cccccc" align="center"|Employee, Accounting
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Larry Casey
| style="width:40%; background:#cccccc" align="center"|Employee, Director of Information Technology
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Alexander Fry
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Source Code Review OWASP Projects OWASP Teachable Static Analysis Workbench OWASP WeBekci Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Andrew Petukhov
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Access Control Rules Tester Project
| style="width:20%; background:#cccccc" align="center"|Russia
| style="width:20%; background:#cccccc" align="center"|Moscow
|-
| style="width:20%; background:#cccccc" align="center"|Arturo Alberto Busleiman
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Enigform and mod_Openpgp
| style="width:20%; background:#cccccc" align="center"|Argentina
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Carlo Pelliccioni
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Backend Security Project
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Eduardo Vianna de Camargo Neves
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Positive Security
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Eoin Keary
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Code Review Guide
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Esteban Ribicic
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Backend Security Project OWASP Classic ASP Security Project OWASP AntiSamy .NET OWASP Interceptor Project - 2008 Update
| style="width:20%; background:#cccccc" align="center"|Croatia
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Fabio Cerullo
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Frederick Donovan
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|United States
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Heiko Webers
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Ruby on Rails Security Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|Frankfurt
|-
| style="width:20%; background:#cccccc" align="center"|Juan Carlos Calderon
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Internationalization Guidelines OWASP Spanish Project OWASP Classic ASP Security Project
| style="width:20%; background:#cccccc" align="center"|Mexico
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Kevin Fuller
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3 OWASP SQL Injector Benchmarking Project (SQLiBENCH)
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Sacramento Ca
|-
| style="width:20%; background:#cccccc" align="center"|Leonardo Cavallari Militelli
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Mark Roxberry
| style="width:40%; background:#cccccc" align="center"|Leader, OWASP .NET Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Matt Tesauro
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Live CD 2008
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Austin
|-
| style="width:20%; background:#cccccc" align="center"|Matthias Rohr
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Skavenger Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Michael Coates
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP AppSensor
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Paolo Perego
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Orizon Project
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Parvathy Iyer
| style="width:40%; background:#cccccc" align="center"|OWASP Corporate Application Security Guide
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Pierre Parrend
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP OpenSign Server Project OWASP Application Security Verification Standard
| style="width:20%; background:#cccccc" align="center"|France
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Stephen Craig Evans
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Securing WebGoat using ModSecurity
| style="width:20%; background:#cccccc" align="center"|Singapore
| style="width:20%; background:#cccccc" align="center"|Singapore
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008/LOGISTICS'''
|-
| style="width:20%; background:#cccccc" align="center"|Sarah Cruz
| style="width:40%; background:#cccccc" align="center"|Project leader, Graphic Design
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SRING OF CODE 2007 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Przemyslaw Skowron
| style="width:40%; background:#cccccc" align="center"|Project Leader, Refresh Attacks List
| style="width:20%; background:#cccccc" align="center"|Poland
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP AUTUMN OF CODE 2006 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Rogan Dawes
| style="width:40%; background:#cccccc" align="center"|Project leader, WebScarab-NG
| style="width:20%; background:#cccccc" align="center"|South Africa
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Simon Roses Femerling
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Pantera
| style="width:20%; background:#cccccc" align="center"|Spain
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE PROJECT LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Alex Smolen
| style="width:40%; background:#cccccc" align="center"| Project leader, .NET ESAPI
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE CHAPTER LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Antti Laulajainen
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Helsinki
| style="width:20%; background:#cccccc" align="center"|Finland
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Steve Antoniewicz
| style="width:40%; background:#cccccc" align="center"|Chapter Board Member, NY/NJ Metro
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Kuai Hinojosa
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Twin-Cities
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Jim Manico
| style="width:40%; background:#cccccc" align="center"|Chapter leader/founder, Hawaii
| style="width:20%; background:#cccccc" align="center"|Hawaii, USA
| style="width:20%; background:#cccccc" align="center"|Anahola, Island of Kauai
|-
| style="width:20%; background:#cccccc" align="center"|Rex Booth
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Washington DC
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''SIGNIFICANT PAST OWASP CONTRIBUTOR (THAT IS NOT ALREADY COVERED BY ONE OF THE ABOVE CATEGORIES)'''
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP NON-INDIVIDUAL MEMBERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
|}

==Agenda and Presentations - November 4-7 ==

Under development. Please contact michael.coates{at}aspectsecurity.com with any questions or feedback.

The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing pannel discussions back in the main auditorium both days.

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 3 - November 6, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1: <Room 1>
| style="width:40%; background:#BCA57A" | Track 2: Council Room
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Coffee <Diamond Sponsor>
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:05 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to OWASP Summit Europe 2008
''speaker, company''
|-
| style="width:10%; background:#7B8ABD" | 09:05-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: text [https://www.owasp.org/ link]
''speaker, company''
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:20 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union
''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 10:20-10:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF
|-
| style="width:10%; background:#7B8ABD" | 10:40-10:55 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:15 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 11:20-11:35 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 11:40-11:55 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:15 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 12:20-12:35 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 12:35-14:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:15 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 14:20-14:35 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 14:40-14:55 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:15 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 15:20-15:35 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 15:35-15:55 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:15 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 15:20-15:35 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | [[SummitEU08_link | Event Title ]] Organized by
|-
|-
| style="width:10%; background:#7B8ABD" | 19:00-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks at ...
|-
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 4 - November 7, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1: <Room 1>
| style="width:40%; background:#BCA57A" | Track 2: Council Room
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Coffee <Diamond Sponsor>
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:05 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to OWASP Summit Europe 2008
''speaker, company''
|-
| style="width:10%; background:#7B8ABD" | 09:05-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: text [https://www.owasp.org/ link]
''speaker, company''
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:20 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union
''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 10:20-10:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 12:30-14:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 15:50-16:10 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 10:40-11:20 || style="width:40%; background:#BC857A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
| style="width:40%; background:#BCA57A" align="left" | [[SummitEU08_link | title]] ([http://www.owasp.org/location.ppt ppt])
''[[user link | Speaker]], Company''
|-
| style="width:10%; background:#7B8ABD" | 18:00-19:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | [[SummitEU08_link | Event Title ]] Organized by
|-
| style="width:10%; background:#7B8ABD" | 19:00-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks at ...}
|-
|}

Venue: <address> [http://owasp.org Google Maps Link]

Registration is available via the OWASP Conference Cvent site at: [http://owasp.org Cvent link]

OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers

2008-07-15T08:48:11Z

Hawe:

This page contains Projects, Authors, Status Target and Reviewers of the sponsored programme [[OWASP Summer of Code 2008]]. 
'''* Please note: The reference ‘Confirmed’ means reviewers' approval by both projects’ authors and OWASP Board.'''

== DOCUMENTATION PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]'''
| align="CENTER" | Mike Boberski
| align="CENTER" | Beta
| align="CENTER" | [mailto:jeff.williams(at)owasp.org Jeff Williams] (Confirmed)
| align="CENTER" | [mailto:pierre.parrend(at)insa-lyon.fr Pierre Parrend] [http://www.rzo.free.fr Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP AppSensor Project|OWASP AppSensor - Detect and Respond to Attacks from Within the Application]]'''
| align="CENTER" | [mailto:michael.coates(at)aspectsecurity.com Michael Coates]
| align="CENTER" | Beta
| align="CENTER" | [mailto:eric.sheridan(at)aspectsecurity.com Eric Sheridan] (Confirmed)
| align="CENTER" | [mailto:rjaninda(at)silverknightsecurity.com Randy Janinda] [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Randy_Janinda_Curriculum Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Backend Security Project|OWASP Backend Security Project]]'''
| align="CENTER" | Carlo Pelliccioni
| align="CENTER" | Beta
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | [mailto:spyroinc(at)gmail.com Josh Sweeney] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Classic ASP Security Project|OWASP Classic ASP Security Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | [mailto:andres(at)neurofuzz.com Andres Andreu] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Code Review Project|OWASP Code review guide, V1.1]]'''
| align="CENTER" | Eoin Keary
| align="CENTER" | Quality
| align="CENTER" | [mailto:rahim.jina@ie.ey.com Rahim Jina] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Rahim Jina Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:psatishkumar(at)gmail.com P.Satish Kumar] [https://www.owasp.org/index.php/User:Satishkumar Curriculum] (Confirmed)
| align="CENTER" | Jeff Williams
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]'''
| align="CENTER" | Parvathy Iyer
| align="CENTER" | Quality
| align="CENTER" | [mailto:nkirschner@eisnerllp.com Neal Kirschner] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Neal Kirschner Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:Omar.Sherin(at)infosec2.com Omar Sherin] [http://www.infosec2.com/aboutme/about_me.html Curriculum] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Education Project|OWASP Education Project]]'''
| align="CENTER" | Martin Knobloch
| align="CENTER" | Quality
| align="CENTER" | [mailto:sebastien.gioria@owasp.fr Sebastien Gioria] [http://www.linkedin.com/in/gioria Curriculum] (Confirmed)
| align="CENTER" | [mailto:namn(at)bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | Sebastien Deleersnyder
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Internationalization|OWASP Internationalization Guidelines Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo] [https://www.owasp.org/index.php/User:Fabio.e.cerullo Curriculum] (Confirmed)
| align="CENTER" | [mailto:rodrigo(at)rmarcos.com Rodrigo Marcos] [https://www.owasp.org/index.php/User:Rodrigo.marcos Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP .NET Project#OWASP .NET Project Leader|OWASP .NET Project Leader]]'''
| align="CENTER" | Mark Roxberry
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary(at)gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:dennis.hurst(at)LifeCycleSecurity.com Dennis Hurst] [http://www.linkedin.com/pub/0/636/2a3 Profile] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Positive Security Project|OWASP Positive Security Project]]'''
| align="CENTER" | Eduardo Vianna de Camargo Neves
| align="CENTER" | Beta
| align="CENTER" | [mailto:welias(at)conviso.com.br Wagner Elias] [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Wagner_Elias#.27.27.27Wagner_Elias.2C_CBCP.2C_SANS_GIAC.2C_CobiTc.2C_ITILc.27.27.27 Curriculum] (Confirmed)
| align="CENTER" | [mailto:ken(at)krvw.com Kenneth Wyk] [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Kenneth_R._Wyk Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Ruby on Rails Security Guide V2|OWASP Ruby on Rails Security Guide v2]]'''
| align="CENTER" | Heiko Webers
| align="CENTER" | Quality
| align="CENTER" | [mailto:mendrel-a-gmail.com Anthony Shireman] [[:OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Anthony Shireman Background|Bio]] (Confirmed)
| align="CENTER" | [mailto:jons0022-at-unf.edu Steve Jones] [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Steve_Jones_Background Profile] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Securing WebGoat using ModSecurity Project|OWASP Securing WebGoat using ModSecurity]]'''
| align="CENTER" | Stephen Evans
| align="CENTER" | Beta
| align="CENTER" | [mailto:ivan.ristic(at)breach.com Ivan Ristic] ([https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Ivan_Ristic Curriculum]) & Breach Research Labs (Confirmed)
| align="CENTER" | [mailto:christian.folini(at)netnea.com Christian Folini] [http://www.netnea.com/cms/?q=christian_folini Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE"|'''[[:Category:OWASP Source Code Review OWASP Projects Project|OWASP Source Code Review OWASP Projects]]'''
| align="CENTER" | James Walden
| align="CENTER" | Quality
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:marco.m.morana(at)gmail.com Marco M. Morana] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Marco M Morana Curriculum|Curriculum]] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Spanish|OWASP Spanish Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo] [https://www.owasp.org/index.php/User:Fabio.e.cerullo Curriculum] (Confirmed)
| align="CENTER" | [mailto:rodrigo(at)rmarcos.com Rodrigo Marcos] [https://www.owasp.org/index.php/User:Rodrigo.marcos Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Testing Project|OWASP Testing Guide v3]]'''
| align="CENTER" | Matteo Meucci
| align="CENTER" | Quality
| align="CENTER" | [mailto:namn@bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:KFuller@dmv.ca.gov Kevin Fuller] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Fuller Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | Sebastien Deleersnyder
|}

{| class="wikitable" style="text-align:center"
! width="400" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="120" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''3rd Reviewer '''
! width="108" align="CENTER" | '''4th Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP ASDR Project|OWASP Application Security Desk Reference (ASDR)]]'''
| align="CENTER" | Leonardo Cavallari Militelli
| align="CENTER" | Quality
| align="CENTER" | [mailto:williamtsmith(at)gmail.com William Smith] [[OWASP SoC 2008 ASDR Reviewers#William Smith | Bio]] (Confirmed)
| align="CENTER" | [mailto:ken(at)krvw.com Kenneth Wyk] [[OWASP SoC 2008 ASDR Reviewers#Kenneth R. van Wyk| Bio]] (Confirmed)
| align="CENTER" | [mailto:kcfredman(at)gmail.com Frederick Donovan] [[OWASP SoC 2008 ASDR Reviewers#Frederick Donovan | Bio]] (Confirmed)
| align="CENTER" | [mailto:Darren.Challey(at)ge.com Darren W. Challey] [[OWASP SoC 2008 ASDR Reviewers#Darren W. Challey | Bio]] (Confirmed)
| align="CENTER" | Jeff Williams (Confirmed)
|}

== TOOLS PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:GTK plus GUI for w3af Project|GTK+ GUI for w3af project]]'''
| align="CENTER" | Facundo Batista
| align="CENTER" | Beta
| align="CENTER" | [mailto:andres.riancho(at)gmail.com Andres Riancho] [http://www.linkedin.com/in/ariancho Profile] (Confirmed)
| align="CENTER" | [mailto:ah(at)securenet(dot)de Achim Hoffmann] [https://www.owasp.org/index.php/User:Achim Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Access Control Rules Tester Project|OWASP Access Control Rules Tester]]'''
| align="CENTER" | Andrew Petukhov
| align="CENTER" | Beta
| align="CENTER" | [mailto:caughron(at)gmail.com Mat Caughron] [http://www.linkedin.com/pub/1/A84/998 Profile] (Confirmed)
| align="CENTER" | [mailto:mg_chen(at)yahoo.com Min Chen] [http://www.linkedin.com/in/mgchen Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP AntiSamy Project .NET| OWASP AntiSamy .NET]]'''
| align="CENTER" | Arshan Dabirsiaghi
| align="CENTER" | Quality
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] [[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]] (Confirmed)
| align="CENTER" | Jeff Williams
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|OWASP Application Security Tool Benchmarking Environment and Site Generator refresh]]'''
| align="CENTER" | Dmitry Kozlov
| align="CENTER" | Quality
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] [http://www.linkedin.com/in/roxberry Profile] (Confirmed)
| align="CENTER" | [mailto:medelibero(at)gmail.com Mike de Libero] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Code Crawler|OWASP Code Crawler ]]'''
| align="CENTER" | Alessio Marziali
| align="CENTER" | Beta
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz(at)owasp.org Dinis Cruz] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Interceptor Project|OWASP Interceptor Project - 2008 Update]]'''
| align="CENTER" | Justin Derry
| align="CENTER" | Quality
| align="CENTER" | [mailto:ngreen16(at)yahoo.com Nathan Green] [https://www.owasp.org/index.php/User:Ngreen16 Profile] (Confirmed)
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP JSP Testing Tool Project|OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)]]'''
| align="CENTER" | Jason Li
| align="CENTER" | Beta
| align="CENTER" | [mailto:markkerzner(at)gmail.com Mark Kerzner] [http://www.linkedin.com/in/markkerzner Profile] (Confirmed)
| align="CENTER" | [mailto:fabricio.fujikawa(at)infoglobo.com.br Fabrício Fujikawa] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Live CD 2008 Project|OWASP Live CD 2008 Project]]'''
| align="CENTER" | Matt Tesauro
| align="CENTER" | Quality
| align="CENTER" | [mailto:admin@wirefall.com Dustin Dykes] [http://www.linkedin.com/pub/1/607/6b1 Curriculum] (Confirmed)
| align="CENTER" | [mailto:jkpoots(at)rogers.com Kent Poots] [http://www.linkedin.com/pub/5/25B/114 Curriculum] (Confirmed)
| align="CENTER" | Sebastien Deleersnyder
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP OpenSign Server Project|OWASP Online code signing and integrity verification service for open source community (OpenSign Server)]]'''
| align="CENTER" | Phil Potisk and Richard Conway
| align="CENTER" | Beta
| align="CENTER" | [mailto:pierre.parrend@insa-lyon.fr Pierre Parrend] [http://www.rzo.free.fr Curriculum] (Confirmed)
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] [http://www.linkedin.com/in/roxberry Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp|OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp]]'''
| align="CENTER" | Arturo 'Buanzo' Busleiman
| align="CENTER" | Beta
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] [http://www.linkedin.com/in/roxberry Profile] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz(at)owasp.org Dinis Cruz] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Orizon Project|OWASP Orizon Project]]'''
| align="CENTER" | Paolo Perego
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:seba@deleersnyder.eu Sebastien Deleersnyder] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz@owasp.org Dinis Cruz] (Confirmed)
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Python Static Analysis Project|OWASP Python Static Analysis]]'''
| align="CENTER" | Georgy Klimov
| align="CENTER" | Beta
| align="CENTER" | [mailto:namn@bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:diepvien00thayh@gmail.com P.Q.Huy] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Huy Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Skavenger Project|OWASP Skavenger]]'''
| align="CENTER" | [mailto:mro(at)securenet.de Matthias Rohr]
| align="CENTER" | Beta
| align="CENTER" | [mailto:rogan(at)dawes.za.net Rogan Dawes] (Confirmed)
| align="CENTER" | [mailto:ah(at)securenet(dot)de Achim Hoffmann] [https://www.owasp.org/index.php/User:Achim Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Sqlibench Project|OWASP SQL Injector Benchmarking Project (SQLiBENCH)]]'''
| align="CENTER" | [mailto:urgunb@hotmail.com Bedirhan Urgun] [mailto:mesut@h-labs.org Mesut Timur]
| align="CENTER" | Beta
| align="CENTER" | [mailto:ferruh@mavituna.com Ferruh Mavituna] [[Project Information:Sqlibench:Ferruh|background info]] (Confirmed)
| align="CENTER" | [mailto:kfuller@dmv.ca.gov Kevin Fuller] [[Project Information:Sqlibench:Kevin|background info]] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Teachable Static Analysis Workbench Project|OWASP Teachable Static Analysis Workbench]]'''
| align="CENTER" | [mailto:ddk(at)cs.msu.su Dmitry Kozlov] Igor Konnov
| align="CENTER" | Beta
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:mwcoates(at)gmail.com Michael Coates] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]'''
| align="CENTER" | [mailto:bunyamin@owasp.org Bunyamin Demir]
| align="CENTER" | Beta
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:stefano.dipaola(at)wisec.it Stefano Di Paola] [[User:Wisec|Profile]] (Confirmed)
| align="CENTER" | Not applicable
|}

== DESIGN/CORPORATE PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Book Cover & Sleeve Design|OWASP Book Cover & Sleeve Design]]'''
| align="CENTER" | LXstudios, [mailto:deb@lxstudios.com Deb Brewer]
| align="CENTER" | Quality
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] [[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]] (Confirmed)
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Individual and Corporate Member Packs plus Conference Attendee Packs Brief|OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief]]'''
| align="CENTER" | LXstudios, [mailto:deb@lxstudios.com Deb Brewer]
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] [[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]] (Confirmed)
| align="CENTER" | Dinis Cruz
|-

OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers

2008-07-08T21:23:37Z

Hawe:

This page contains Projects, Authors, Status Target and Reviewers of the sponsored programme [[OWASP Summer of Code 2008]]. 
'''* Please note: The reviewers with the reference ‘Confirmed’ were only confirmed by projects’ authors and are still waiting for OWASP Board confirmation.'''

== DOCUMENTATION PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]'''
| align="CENTER" | Mike Boberski
| align="CENTER" | Beta
| align="CENTER" | [mailto:jeff.williams(at)owasp.org Jeff Williams] (Confirmed)
| align="CENTER" | [mailto:pierre.parrend(at)insa-lyon.fr Pierre Parrend] [http://www.rzo.free.fr Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP AppSensor Project|OWASP AppSensor - Detect and Respond to Attacks from Within the Application]]'''
| align="CENTER" | [mailto:michael.coates(at)aspectsecurity.com Michael Coates]
| align="CENTER" | Beta
| align="CENTER" | [mailto:eric.sheridan(at)aspectsecurity.com Eric Sheridan] (Confirmed)
| align="CENTER" | [mailto:rjaninda(at)silverknightsecurity.com Randy Janinda] [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Randy_Janinda_Curriculum Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Backend Security Project|OWASP Backend Security Project]]'''
| align="CENTER" | Carlo Pelliccioni
| align="CENTER" | Beta
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | [mailto:spyroinc(at)gmail.com Josh Sweeney] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Classic ASP Security Project|OWASP Classic ASP Security Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | [mailto:andres(at)neurofuzz.com Andres Andreu] (TBC)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Code Review Project|OWASP Code review guide, V1.1]]'''
| align="CENTER" | Eoin Keary
| align="CENTER" | Quality
| align="CENTER" | [mailto:rahim.jina@ie.ey.com Rahim Jina] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Rahim Jina Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:psatishkumar(at)gmail.com P.Satish Kumar] [https://www.owasp.org/index.php/User:Satishkumar Curriculum] (Confirmed)
| align="CENTER" | Jeff Williams
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]'''
| align="CENTER" | Parvathy Iyer
| align="CENTER" | Quality
| align="CENTER" | [mailto:nkirschner@eisnerllp.com Neal Kirschner] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Neal Kirschner Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:Omar.Sherin(at)infosec2.com Omar Sherin] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Education Project|OWASP Education Project]]'''
| align="CENTER" | Martin Knobloch
| align="CENTER" | Quality
| align="CENTER" | [mailto:sebastien.gioria@owasp.fr Sebastien Gioria] [http://www.linkedin.com/in/gioria Curriculum] (Confirmed)
| align="CENTER" | [mailto:namn(at)bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Internationalization|OWASP Internationalization Guidelines Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo] [https://www.owasp.org/index.php/User:Fabio.e.cerullo Curriculum] (Confirmed)
| align="CENTER" | [mailto:rodrigo(at)rmarcos.com Rodrigo Marcos] [https://www.owasp.org/index.php/User:Rodrigo.marcos Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP .NET Project#OWASP .NET Project Leader|OWASP .NET Project Leader]]'''
| align="CENTER" | Mark Roxberry
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary(at)gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:dennis.hurst(at)LifeCycleSecurity.com Dennis Hurst] [http://www.linkedin.com/pub/0/636/2a3 Profile] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Positive Security Project|OWASP Positive Security Project]]'''
| align="CENTER" | Eduardo Vianna de Camargo Neves
| align="CENTER" | Beta
| align="CENTER" | [mailto:welias(at)conviso.com.br Wagner Elias] [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Wagner_Elias#.27.27.27Wagner_Elias.2C_CBCP.2C_SANS_GIAC.2C_CobiTc.2C_ITILc.27.27.27 Curriculum] (Confirmed)
| align="CENTER" | [mailto:ken(at)krvw.com Kenneth Wyk] [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Kenneth_R._Wyk Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Ruby on Rails Security Guide V2|OWASP Ruby on Rails Security Guide v2]]'''
| align="CENTER" | Heiko Webers
| align="CENTER" | Quality
| align="CENTER" | [mailto:mendrel-a-gmail.com Anthony Shireman]
| align="CENTER" | [mailto:jons0022-at-unf.edu Steve Jones] [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Steve_Jones_Background Profile] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Securing WebGoat using ModSecurity Project|OWASP Securing WebGoat using ModSecurity]]'''
| align="CENTER" | Stephen Evans
| align="CENTER" | Beta
| align="CENTER" | [mailto:ivan.ristic(at)breach.com Ivan Ristic] & Breach Group (Confirmed)
| align="CENTER" | [mailto:christian.folini(at)netnea.com Christian Folini] [http://www.netnea.com/cms/?q=christian_folini Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE"|'''[[:Category:OWASP Source Code Review OWASP Projects Project|OWASP Source Code Review OWASP Projects]]'''
| align="CENTER" | James Walden
| align="CENTER" | Quality
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:marco.m.morana(at)gmail.com Marco M. Morana] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Marco M Morana Curriculum|Curriculum]] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Spanish|OWASP Spanish Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo] [https://www.owasp.org/index.php/User:Fabio.e.cerullo Curriculum] (Confirmed)
| align="CENTER" | [mailto:rodrigo(at)rmarcos.com Rodrigo Marcos] [https://www.owasp.org/index.php/User:Rodrigo.marcos Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Testing Project|OWASP Testing Guide v3]]'''
| align="CENTER" | Matteo Meucci
| align="CENTER" | Quality
| align="CENTER" | [mailto:namn@bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:KFuller@dmv.ca.gov Kevin Fuller] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Fuller Curriculum|Curriculum]] (Confirmed)
| align="CENTER" |
|}

{| class="wikitable" style="text-align:center"
! width="400" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="120" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''3rd Reviewer '''
! width="108" align="CENTER" | '''4th Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP ASDR Project|OWASP Application Security Desk Reference (ASDR)]]'''
| align="CENTER" | Leonardo Cavallari Militelli
| align="CENTER" | Quality
| align="CENTER" | [mailto:williamtsmith(at)gmail.com William Smith] [[OWASP SoC 2008 ASDR Reviewers#William Smith | Bio]] (Confirmed)
| align="CENTER" | [mailto:ken(at)krvw.com Kenneth Wyk] [[OWASP SoC 2008 ASDR Reviewers#Kenneth R. van Wyk| Bio]] (Confirmed)
| align="CENTER" | [mailto:kcfredman(at)gmail.com Frederick Donovan] [[OWASP SoC 2008 ASDR Reviewers#Frederick Donovan | Bio]] (Confirmed)
| align="CENTER" | [mailto:Darren.Challey(at)ge.com Darren W. Challey] [[OWASP SoC 2008 ASDR Reviewers#Darren W. Challey | Bio]] (Confirmed)
| align="CENTER" | Jeff Williams (Confirmed)
|}

== TOOLS PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:GTK plus GUI for w3af Project|GTK+ GUI for w3af project]]'''
| align="CENTER" | Facundo Batista
| align="CENTER" | Beta
| align="CENTER" | [mailto:andres.riancho(at)gmail.com Andres Riancho] [http://www.linkedin.com/in/ariancho Profile] (Confirmed)
| align="CENTER" | [mailto:ah(at)securenet(dot)de Achim Hoffmann] [https://www.owasp.org/index.php/User:Achim Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Access Control Rules Tester Project|OWASP Access Control Rules Tester]]'''
| align="CENTER" | Andrew Petukhov
| align="CENTER" | Beta
| align="CENTER" | [mailto:caughron(at)gmail.com Mat Caughron] [http://www.linkedin.com/pub/1/A84/998 Profile] (Confirmed)
| align="CENTER" | [mailto:mg_chen(at)yahoo.com Min Chen] [http://www.linkedin.com/in/mgchen Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP AntiSamy Project .NET| OWASP AntiSamy .NET]]'''
| align="CENTER" | Arshan Dabirsiaghi
| align="CENTER" | Quality
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] [[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]] (Confirmed)
| align="CENTER" | Jeff Williams
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|OWASP Application Security Tool Benchmarking Environment and Site Generator refresh]]'''
| align="CENTER" | Dmitry Kozlov
| align="CENTER" | Quality
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] [http://www.linkedin.com/in/roxberry Profile] (Confirmed)
| align="CENTER" | [mailto:medelibero(at)gmail.com Mike de Libero] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Code Crawler|OWASP Code Crawler ]]'''
| align="CENTER" | Alessio Marziali
| align="CENTER" | Beta
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz(at)owasp.org Dinis Cruz] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Interceptor Project|OWASP Interceptor Project - 2008 Update]]'''
| align="CENTER" | Justin Derry
| align="CENTER" | Quality
| align="CENTER" | [mailto:ngreen16(at)yahoo.com Nathan Green] [https://www.owasp.org/index.php/User:Ngreen16 Profile] (Confirmed)
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP JSP Testing Tool Project|OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)]]'''
| align="CENTER" | Jason Li
| align="CENTER" | Beta
| align="CENTER" | [mailto:markkerzner(at)gmail.com Mark Kerzner] [http://www.linkedin.com/in/markkerzner Profile] (Confirmed)
| align="CENTER" | [mailto:fabricio.fujikawa(at)infoglobo.com.br Fabrício Fujikawa] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Live CD 2008 Project|OWASP Live CD 2008 Project]]'''
| align="CENTER" | Matt Tesauro
| align="CENTER" | Quality
| align="CENTER" | [mailto:admin@wirefall.com Dustin Dykes] [http://www.linkedin.com/pub/1/607/6b1 Curriculum] (Confirmed)
| align="CENTER" | [mailto:jkpoots(at)rogers.com Kent Poots] [http://www.linkedin.com/pub/5/25B/114 Curriculum] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP OpenSign Server Project|OWASP Online code signing and integrity verification service for open source community (OpenSign Server)]]'''
| align="CENTER" | Phil Potisk and Richard Conway
| align="CENTER" | Beta
| align="CENTER" | [mailto:pierre.parrend@insa-lyon.fr Pierre Parrend] [http://www.rzo.free.fr Curriculum] (Confirmed)
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] [http://www.linkedin.com/in/roxberry Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp|OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp]]'''
| align="CENTER" | Arturo 'Buanzo' Busleiman
| align="CENTER" | Beta
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] [http://www.linkedin.com/in/roxberry Profile] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz(at)owasp.org Dinis Cruz]
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Orizon Project|OWASP Orizon Project]]'''
| align="CENTER" | Paolo Perego
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:seba@deleersnyder.eu Sebastien Deleersnyder] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz@owasp.org Dinis Cruz] (Confirmed)
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Python Static Analysis Project|OWASP Python Static Analysis]]'''
| align="CENTER" | Georgy Klimov
| align="CENTER" | Beta
| align="CENTER" | [mailto:namn@bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:diepvien00thayh@gmail.com P.Q.Huy] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Huy Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Skavenger Project|OWASP Skavenger]]'''
| align="CENTER" | [mailto:mro(at)securenet.de Matthias Rohr]
| align="CENTER" | Beta
| align="CENTER" | [mailto:rogan(at)dawes.za.net Rogan Dawes] (Confirmed)
| align="CENTER" | [mailto:ah(at)securenet(dot)de Achim Hoffmann] [https://www.owasp.org/index.php/User:Achim Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Sqlibench Project|OWASP SQL Injector Benchmarking Project (SQLiBENCH)]]'''
| align="CENTER" | [mailto:urgunb@hotmail.com Bedirhan Urgun] [mailto:mesut@h-labs.org Mesut Timur]
| align="CENTER" | Beta
| align="CENTER" | [mailto:ferruh@mavituna.com Ferruh Mavituna] [[Project Information:Sqlibench:Ferruh|background info]] (Confirmed)
| align="CENTER" | [mailto:kfuller@dmv.ca.gov Kevin Fuller] [[Project Information:Sqlibench:Kevin|background info]] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Teachable Static Analysis Workbench Project|OWASP Teachable Static Analysis Workbench]]'''
| align="CENTER" | [mailto:ddk(at)cs.msu.su Dmitry Kozlov] Igor Konnov
| align="CENTER" | Beta
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alex Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:mwcoates(at)gmail.com Michael Coates] TBC
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]'''
| align="CENTER" | [mailto:bunyamin@owasp.org Bunyamin Demir]
| align="CENTER" | Beta
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:stefano.dipaola(at)wisec.it Stefano Di Paola] [[User:Wisec|Profile]] (Confirmed)
| align="CENTER" | Not applicable
|}

== DESIGN/CORPORATE PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Book Cover & Sleeve Design|OWASP Book Cover & Sleeve Design]]'''
| align="CENTER" | LXstudios, [mailto:deb@lxstudios.com Deb Brewer]
| align="CENTER" | Quality
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] [[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]] (Confirmed)
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Individual and Corporate Member Packs plus Conference Attendee Packs Brief|OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief]]'''
| align="CENTER" | LXstudios, [mailto:deb@lxstudios.com Deb Brewer]
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] [[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]] (Confirmed)
| align="CENTER" | Dinis Cruz
|-

Project Information:template Ruby on Rails Security Guide V2

2008-07-05T18:32:39Z

Hawe:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Ruby on Rails Security Guide V2'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The last security guide for [[:Category:OWASP Web Application Security Put Into Practice|Rails]] was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The [http://www.rorsecurity.info/ Ruby on Rails Security Project] is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a [http://www.lulu.com/content/1412042 book]. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:heikowebers(at)gmx.net '''Heiko Webers''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-ruby-on-rails-v2 '''Mailing List/Subscribe'''] [mailto:OWASP-Ruby-on-Rails-V2(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:jons0022-at-unf.edu '''Steve Jones''']
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:jeff.cabaniss(at)gmail.com '''Jeff Cabaniss''']
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* (If appropriate, links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[[:Category:OWASP Web Application Security Put Into Practice|OWASP Web Application Security Put Into Practice]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? Yes, completed by 80% --------- [[Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A

2008-07-05T18:28:50Z

Hawe:

[[Project Information:template Ruby on Rails Security Guide V2|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|OWASP Ruby on Rails Security Guide v2 Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"| The project deliveries have nearly been completed. The following topics have not been covered, yet: Introduction, denial-of-service attacks and phishing. Also, the presentation, which is required for Release Quality, is not ready, yet.
|-
| style="width:25%; background:#7B8ABD" align="center"|

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"| The deliveries have been accomplished by 80%.
|-
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"| I'd like to have a professional and good looking design for my guide. I planned to hire someone for this, but then I found the "Book Cover & Sleeve Design" project in this year's Soc. Will that be for everyone, so we have a good corp. design? Otherwise this is my suggestion, to have a general, professional design (I've got a designer, I could ask him).
|}

Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A

2008-07-05T18:20:05Z

Hawe:

[[Project Information:template Ruby on Rails Security Guide V2|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|OWASP Ruby on Rails Security Guide v2 Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"| sdfsdsd
|-
| style="width:25%; background:#7B8ABD" align="center"|

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A

2008-07-05T18:19:33Z

Hawe:

[[Project Information:template Ruby on Rails Security Guide V2|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|OWASP Ruby on Rails Security Guide v2 Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A

2008-07-05T18:17:50Z

Hawe:

[[Project Information:template Ruby on Rails Security Guide V2|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|OWASP Ruby on Rails Security Guide v2 Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
| -
| style="width:25%; background:#7B8ABD" align="center"|

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A

2008-07-05T18:17:33Z

Hawe:

[[Project Information:template Ruby on Rails Security Guide V2|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|OWASP Ruby on Rails Security Guide v2 Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
| hello
| style="width:25%; background:#7B8ABD" align="center"|

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Ruby on Rails Security Guide V2

2008-07-03T18:58:13Z

Hawe:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Ruby on Rails Security Guide V2'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The last security guide for [[:Category:OWASP Web Application Security Put Into Practice|Rails]] was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The [http://www.rorsecurity.info/ Ruby on Rails Security Project] is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a [http://www.lulu.com/content/1412042 book]. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:heikowebers(at)gmx.net '''Heiko Webers''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:to(at)change '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-ruby-on-rails-v2 '''Mailing List/Subscribe'''] [mailto:OWASP-Ruby-on-Rails-V2(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:jons0022-at-unf.edu '''Steve Jones''']
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:jeff.cabaniss(at)gmail.com '''Jeff Cabaniss''']
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* (If appropriate, links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[[:Category:OWASP Web Application Security Put Into Practice|OWASP Web Application Security Put Into Practice]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#The Ruby on Rails Security Guide v2|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Ruby on Rails Security Guide V2 - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers

2008-07-02T18:15:06Z

Hawe:

This page contains Projects, Authors, Status Target and Reviewers of the sponsored programme [[OWASP Summer of Code 2008]]. 
'''* Please note: The reviewers with the reference ‘Confirmed’ were only confirmed by projects’ authors and are still waiting for OWASP Board confirmation.'''

== DOCUMENTATION PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]'''
| align="CENTER" | Mike Boberski
| align="CENTER" | Beta
| align="CENTER" | [mailto:jeff.williams(at)owasp.org Jeff Williams] (Confirmed)
| align="CENTER" | [mailto:pierre.parrend(at)insa-lyon.fr Pierre Parrend] [http://www.rzo.free.fr Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP AppSensor Project|OWASP AppSensor - Detect and Respond to Attacks from Within the Application]]'''
| align="CENTER" | [mailto:michael.coates(at)aspectsecurity.com Michael Coates]
| align="CENTER" | Beta
| align="CENTER" | [mailto:eric.sheridan(at)aspectsecurity.com Eric Sheridan] (Confirmed)
| align="CENTER" | [mailto:thrynn404(at)gmail.com Randy Janinda] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Backend Security Project|OWASP Backend Security Project]]'''
| align="CENTER" | Carlo Pelliccioni
| align="CENTER" | Beta
| align="CENTER" |
| align="CENTER" |
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Classic ASP Security Project|OWASP Classic ASP Security Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" |
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Code Review Project|OWASP Code review guide, V1.1]]'''
| align="CENTER" | Eoin Keary
| align="CENTER" | Quality
| align="CENTER" |
| align="CENTER" | [mailto:psatishkumar(at)gmail.com P.Satish Kumar] [https://www.owasp.org/index.php/User:Satishkumar Curriculum]
| align="CENTER" | Jeff Williams
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]'''
| align="CENTER" | Parvathy Iyer
| align="CENTER" | Quality
| align="CENTER" | Neal Kirschner Email address? (Confirmed)
| align="CENTER" | [mailto:Omar.Sherin(at)infosec2.com Omar Sherin] TBC
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Education Project|OWASP Education Project]]'''
| align="CENTER" | Martin Knobloch
| align="CENTER" | Quality
| align="CENTER" | [mailto:sebastien.gioria@owasp.fr Sebastien Gioria] [http://www.linkedin.com/in/gioria Curriculum] (Confirmed)
| align="CENTER" | [mailto:namn(at)bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Internationalization|OWASP Internationalization Guidelines Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo] [https://www.owasp.org/index.php/User:Fabio.e.cerullo Curriculum] (Confirmed)
| align="CENTER" | [mailto:rodrigo(at)rmarcos.com Rodrigo Marcos] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP .NET Project#OWASP .NET Project Leader|OWASP .NET Project Leader]]'''
| align="CENTER" | Mark Roxberry
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary(at)gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:dennis.hurst(at)hp.com Dennis Hurst] TBC
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Positive Security Project|OWASP Positive Security Project]]'''
| align="CENTER" | Eduardo Vianna de Camargo Neves
| align="CENTER" | Beta
| align="CENTER" | [mailto:welias(at)conviso.com.br Wagner Elias] (Confirmed)
| align="CENTER" | [mailto:ken(at)krvw.com Kenneth Wyk] TBC
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Ruby on Rails Security Guide V2|OWASP Ruby on Rails Security Guide v2]]'''
| align="CENTER" | Heiko Webers
| align="CENTER" | Quality
| align="CENTER" | [mailto:jons0022-at-unf.edu Steve Jones] (Confirmed)
| align="CENTER" | [mailto:jeff.cabaniss(at)gmail.com Jeff Cabaniss] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Securing WebGoat using ModSecurity Project|OWASP Securing WebGoat using ModSecurity]]'''
| align="CENTER" | Stephen Evans
| align="CENTER" | Beta
| align="CENTER" | [mailto:ivan.ristic(at)breach.com Ivan Ristic] & Breach Group (Confirmed)
| align="CENTER" | [mailto:christian.folini(at)netnea.com Christian Folini] [http://www.netnea.com/cms/?q=christian_folini Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE"|'''[[:Category:OWASP Source Code Review OWASP Projects Project|OWASP Source Code Review OWASP Projects]]'''
| align="CENTER" | James Walden
| align="CENTER" | Quality
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:marco.m.morana(at)gmail.com Marco M. Morana] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Marco M Morana Curriculum|Curriculum]] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Spanish|OWASP Spanish Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo] [https://www.owasp.org/index.php/User:Fabio.e.cerullo Curriculum] (Confirmed)
| align="CENTER" | [mailto:rodrigo(at)rmarcos.com Rodrigo Marcos] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Testing Project|OWASP Testing Guide v3]]'''
| align="CENTER" | Matteo Meucci
| align="CENTER" | Quality
| align="CENTER" | [mailto:namn@bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:KFuller@dmv.ca.gov Kevin Fuller] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Fuller Curriculum|Curriculum]] (Confirmed)
| align="CENTER" |
|}

{| class="wikitable" style="text-align:center"
! width="400" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="120" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''3rd Reviewer '''
! width="108" align="CENTER" | '''4th Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP ASDR Project|OWASP Application Security Desk Reference (ASDR)]]'''
| align="CENTER" | Leonardo Cavallari Militelli
| align="CENTER" | Quality
| align="CENTER" | [mailto:williamtsmith(at)gmail.com William Smith] [[OWASP SoC 2008 ASDR Reviewers#William Smith | Bio]] (Confirmed)
| align="CENTER" | [mailto:ken(at)krvw.com Kenneth Wyk] [[OWASP SoC 2008 ASDR Reviewers#Kenneth R. van Wyk| Bio]] (Confirmed)
| align="CENTER" | [mailto:kcfredman(at)gmail.com Frederick Donovan] [[OWASP SoC 2008 ASDR Reviewers#Frederick Donovan | Bio]] (Confirmed)
| align="CENTER" | [mailto:Darren.Challey(at)ge.com Darren W. Challey] [[OWASP SoC 2008 ASDR Reviewers#Darren W. Challey | Bio]] (Confirmed)
| align="CENTER" | Jeff Williams (Confirmed)
|}

== TOOLS PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:GTK plus GUI for w3af Project|GTK+ GUI for w3af project]]'''
| align="CENTER" | Facundo Batista
| align="CENTER" | Beta
| align="CENTER" | [mailto:andres.riancho(at)gmail.com Andres Riancho] [http://www.linkedin.com/in/ariancho Profile] (Confirmed)
| align="CENTER" | [mailto:ah(at)securenet(dot)de Achim Hoffmann] [https://www.owasp.org/index.php/User:Achim Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Access Control Rules Tester Project|OWASP Access Control Rules Tester]]'''
| align="CENTER" | Andrew Petukhov
| align="CENTER" | Beta
| align="CENTER" | [mailto:caughron(at)gmail.com Mat Caughron] [http://www.linkedin.com/pub/1/A84/998 Profile] (Confirmed)
| align="CENTER" | [mailto:mg_chen(at)yahoo.com Min Chen] [http://www.linkedin.com/in/mgchen Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP AntiSamy Project .NET| OWASP AntiSamy .NET]]'''
| align="CENTER" | Arshan Dabirsiaghi
| align="CENTER" | Quality
| align="CENTER" | [mailto:dallasspohn(at)sbcglobal.net Dallas Spohn] TBC
| align="CENTER" |
| align="CENTER" | Jeff Williams
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|OWASP Application Security Tool Benchmarking Environment and Site Generator refresh]]'''
| align="CENTER" | Dmitry Kozlov
| align="CENTER" | Quality
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] [http://www.linkedin.com/in/roxberry Profile] (Confirmed)
| align="CENTER" | [mailto:medelibero(at)gmail.com Mike de Libero] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Code Crawler|OWASP Code Crawler ]]'''
| align="CENTER" | Alessio Marziali
| align="CENTER" | Beta
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz(at)owasp.org Dinis Cruz] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Interceptor Project|OWASP Interceptor Project - 2008 Update]]'''
| align="CENTER" | Justin Derry
| align="CENTER" | Quality
| align="CENTER" | [mailto:Nathan.Green(at)ge.com Nathan.Green] TBC
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (TBC)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP JSP Testing Tool Project|OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)]]'''
| align="CENTER" | Jason Li
| align="CENTER" | Beta
| align="CENTER" | [mailto:markkerzner(at)gmail.com Mark Kerzner] [http://www.linkedin.com/in/markkerzner Profile] (Confirmed)
| align="CENTER" | [mailto:fabricio.fujikawa(at)infoglobo.com.br Fabrício Fujikawa] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Live CD 2008 Project|OWASP Live CD 2008 Project]]'''
| align="CENTER" | Matt Tesauro
| align="CENTER" | Quality
| align="CENTER" | [mailto:admin@wirefall.com Dustin Dykes] [http://www.linkedin.com/pub/1/607/6b1 Curriculum] (Confirmed)
| align="CENTER" | [mailto:jkpoots(at)rogers.com Kent Poots] [http://www.linkedin.com/pub/5/25B/114 Curriculum] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP OpenSign Server Project|OWASP Online code signing and integrity verification service for open source community (OpenSign Server)]]'''
| align="CENTER" | Phil Potisk and Richard Conway
| align="CENTER" | Beta
| align="CENTER" | [mailto:pierre.parrend@insa-lyon.fr Pierre Parrend] [http://www.rzo.free.fr Curriculum] (Confirmed)
| align="CENTER" | [mailto:a_campani@yahoo.fr Antonio Campanile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp|OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp]]'''
| align="CENTER" | Arturo 'Buanzo' Busleiman
| align="CENTER" | Beta
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] [http://www.linkedin.com/in/roxberry Profile] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz(at)owasp.org Dinis Cruz]
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Orizon Project|OWASP Orizon Project]]'''
| align="CENTER" | Paolo Perego
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:seba@deleersnyder.eu Sebastien Deleersnyder] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz@owasp.org Dinis Cruz] (Confirmed)
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Python Static Analysis Project|OWASP Python Static Analysis]]'''
| align="CENTER" | Georgy Klimov
| align="CENTER" | Beta
| align="CENTER" | [mailto:namn@bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:diepvien00thayh@gmail.com P.Q.Huy] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Skavenger Project|OWASP Skavenger]]'''
| align="CENTER" | [mailto:mro(at)securenet.de Matthias Rohr]
| align="CENTER" | Beta
| align="CENTER" | Rogan Dawes Email address? (Confirmed)
| align="CENTER" | [mailto:ah(at)securenet(dot)de Achim Hoffmann] [https://www.owasp.org/index.php/User:Achim Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Sqlibench Project|OWASP SQL Injector Benchmarking Project (SQLiBENCH)]]'''
| align="CENTER" | [mailto:urgunb@hotmail.com Bedirhan Urgun] [mailto:mesut@h-labs.org Mesut Timur]
| align="CENTER" | Beta
| align="CENTER" | [mailto:ferruh@mavituna.com Ferruh Mavituna] [[Project Information:Sqlibench:Ferruh|background info]] (Confirmed)
| align="CENTER" | [mailto:kfuller@dmv.ca.gov Kevin Fuller] [[Project Information:Sqlibench:Kevin|background info]] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Teachable Static Analysis Workbench Project|OWASP Teachable Static Analysis Workbench]]'''
| align="CENTER" | [mailto:ddk(at)cs.msu.su Dmitry Kozlov] Igor Konnov
| align="CENTER" | Beta
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alex Fry] TBC
| align="CENTER" |
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]'''
| align="CENTER" | [mailto:bunyamin@owasp.org Bunyamin Demir]
| align="CENTER" | Beta
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:stefano.dipaola(at)wisec.it Stefano Di Paola] (Confirmed)
| align="CENTER" | Not applicable
|}

== DESIGN/CORPORATE PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Book Cover & Sleeve Design|OWASP Book Cover & Sleeve Design]]'''
| align="CENTER" | LXstudios, [mailto:deb@lxstudios.com Deb Brewer]
| align="CENTER" | Quality
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] [[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]] (Confirmed)
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Individual and Corporate Member Packs plus Conference Attendee Packs Brief|OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief]]'''
| align="CENTER" | LXstudios, [mailto:deb@lxstudios.com Deb Brewer]
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] [[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]] (Confirmed)
| align="CENTER" | Dinis Cruz
|-

OWASP EU Summit 2008

2008-07-02T09:53:01Z

Hawe:

(WORK IN PROGRESS /UNDER DISCUSSION)

== What: OWASP Summit, a conference about OWASP and for OWASP's community ==
=== When: 4 to 7 Nov 2008 (4 & 5: Meetings and Training, 6 & 7: Conference) ===
=== Where: Portugal ===
Faro or Lisbon
=== Organization===
Paulo Coimbra and Dinis Cruz
== Agenda ==
Theme: Present OWASP's projects, community and activities ..... '....Connecting the dots.... "

'''Day 1 & 2'''
*Training sessions (similar to what happens at the moment at the other OWASP conferences)
*OWASP Working Group sessions (1/2 day each) on:
** OWASP Governance, "What is OWASP's position on ...." & Action Plan for 2009
** ESAPI
** Browser Security
** OWASP Top 10 2009

'''Day 3 & 4 Agenda:'''
* Presentations from AoC, SpoC and SoC Participants
* Presentations from 'Release' Quality OWASP projects (not included in the list above) or Key OWASP projects (like ESAPI)
* Presentations about OWASP : How it works, Financial reports, OotM (OWASP on the Move), new project management guidelines, local chapter finances, OWASP governance
* Presentation from Chapter leaders on the activities developed on their project
* Discussion on next steps for OWASP and focus of next OWASP financial investment plans

Other ideas:

* vote on 6th OWASP board member (Candidates to Apply)

== other details==

'''Projected Attendees:450 '''
* 200 with some (or all) expenses covered by OWASP
** 33 SoC participants
** 70 SoC reviewers
** 10 SoC Collaborators
** 15 AoC & SpoC participants
** 15 Chapter Leaders
** 8 OWASP Board & Employees
** 49 OWASP non-individual members (2x per 9k Corporate? 1x for the others?)

=== Financial details ===
'''Expenses'''
* Accommodation & meals: 80,000 USD = 400 USD per person (200x) for 3 nights accommodation and 5 meals (3 dinners and 2 lunches)
* Flights & Trains : 70,000 USD

'''Revenue sources'''
* Tickets (for the 250 non 'OWASP invited' attendees)
* Training Sessions
* Conference sponsors

== Participants ==
=== OWASP Board members & employees ===
* Jeff Williams
* Dave Wichers
* Dinis Cruz
* Tom Brennan
* Sebastien Deleersnyder
* Paulo Coimbra
* Kate Hartmann (to be confirmed)
* Alison McNamee (to be confirmed)
* Larry Casey (to be confirmed)

=== Summer of Code 08 Participants & Reviewers ===
* (please add your name in the following format)
* OWASP Classic ASP Security Project Reviewer Esteban Ribicic Argentina -living in Croatia/Wien-
* OWASP Internationalization Guidelines Reviewer Project Esteban Ribicic
* OWASP Spanish Project Reviewer Esteban Ribicic
* OWASP Ruby on Rails Security Project Leader Heiko Webers from Germany

=== Winter of Code 07 Participants (Completed Projects) ===
* (please add your name)
* {Project} {Name} {Origin Country}

=== Autumn of Code 06 Participants ===
* (please add your name)
* {Project} {Name} {Origin Country}

* OWASP Pantera, Simon Roses Femerling, Spain

=== Active Chapter Leaders ===
* (please add your name in the following format)
* {Chapter} {Role} {Name} {Origin Country}

=== Active Project Leaders (not currently participating on SoC 08)===
* (please add your name in the following format)
* {Project} {Role} {Name} {Origin Country}

=== Significant Past OWASP contributor (that is not already covered by one of the above categories) ===
* (please add your name in the following format)
* {Project/Chapter} {Role} {Name} {Origin Country}

=== Logistic and Support team ===
* Summit Graphic Design + Summit organization + on-site logistics support, Sarah Cruz, UK (London)

OWASP Summer of Code 2008 Applications

2008-03-17T09:58:59Z

Hawe: Heiko Webers' application

'''This page contains project Applications to the [[OWASP_Summer_of_Code_2008|OWASP Summer Of Code 2008]]'''

= A few notes =
*'''If you want to apply for a SoC 2008 sponsorship you HAVE TO USE THIS PAGE for your application.'''
** See [[OWASP Summer of Code 2008#How To Participate (To Developers)|How To Participate]] for what to do once you completed your Application.
** Please remember that projects will be selected and funded based on how well they meet the [[OWASP Summer of Code 2008#Jury and Selection Criteria| Selection Criteria]].
** Please see [[OWASP Autumn of Code 2006 - Applications|AoC 06]] and [[OWASP Spring Of Code 2007 Applications|SpoC 07]] for examples of Applications.
* '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include [[OWASP Summer of Code 2008 Applications - Proposal Type|this information in your proposal]].
'''
= Applications - {Fill in below} =

== The Application Security Desk Reference - ASDR ==
* Leonardo Cavallari Militelli,
* [[ASDR Table of Contents|ASDR Table of Contents]]

== OWASP Code review guide, V1.1 ==
* Eoin Keary,
'''Code Review Guide Proposal''':

'''Introduction:'''The code review guide is currently at version RC 2.0 and the second best selling OWASP book.
I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.

It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project.

The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

'''Proposal:'''
I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.

'''Additional and expanded Chapters:''' 

'''Transactional analysis''' 
Expand chapter. 
Examples via diagrams. 

'''Threat Modeling and Analysis''' 
The approach to examining an application to be reviewed. 
Focusing on areas of interest. 

'''Example reports and how to write one''' 
How to determine the risk level of a finding. 

'''Automated code review''' 
Code crawler documentation and usage. 

'''Rich Internet Applications''' 
Expanded chapters on Flash, Ajax. 

'''The OWASP ESAPI (Enterprise Security API)''' 
What it is, Why use it. What to review. 

'''Code review Metrics:''' 
How to compile, use and analyse metrics. 
Rolling out metrics in the Enterprise. 

'''Integrating Code review with an existing SDLC'''
Integration of Secure Code review with an existing SDLC. 
Secure Code review roadmap definition. 
Documentation requirements. 
Scope definition. 
SDLC steering comittee establishment. 
Performace criteria, benchmarks and metrics. 
Integration of SDLC results into key IT governance areas. 
Critical success factors. 

== The OWASP Testing Guide v3 ==
* Matteo Meucci
* The OWASP Testing Guide v2 was a great success, with thousand downloads and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now it's time to begin a new project that is based on v2 but improve it and complete it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

* Information Gathering
* Business logic testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode analysis
3) Infrastructural test --> new category
4) Web Services section needs improvement
5) AJAX Testing section needs improvement
6) New category: Client side Testing. AJAX and Flash Testing

* This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

== Code Crawler ==
* Alessio Marziali (aka nTze) 

'''Description''' 
This tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code.
The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for "everyone"; Where "everyone" means "more" companies performing secure software activities. 
Key areas of improvement: 
'''Reporting''' 
- PDF
- Microsoft Office Compatible Word Document
- HTML

'''Scanning''' 
- Multiple File scanned at the same time 
-- Open Microsoft Visual Studio's Solutions 

'''Bigger Database''' 
Which will provide more information about the threats such vulnerability type (XSS,SQL Injection, Remote File Inclusion etc). 
'''Security Software Life Cycle''' 
A feature that will let you save the threats for each project/document, so the reviewer can check how the development is going from a “security prospective” during the entire software lifecycle. 

Improvement of the code scan system. 

== The Owasp Orizon Project ==
* Paolo Perego (aka thesp0nge),
* The Owasp Orizon Project,

'''Introduction'''

The [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon Project] born in 2006 in order to provide a framework to all Owasp projects developing code review services.

The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS.
Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

[http://milk.sf.net Milk] project is a java code review tool I'm writing using Orizon as background engine. Its goal is to show engine capabilities.

'''Objectives and deliverables'''

* plugin architecture for static code review library: this planned feature will be announced (hopefully, if my CFP will be accepted) to next Owasp European App conf.
* starting C# support
* upgrade from Alpha quality project to Beta quality project in accord to [http://www.owasp.org/index.php/Category:OWASP_Project_Assessment Owasp Project Assessment criteria]

'''Why I should be sponsored for the project'''

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

In the last year Owasp Orizon evolved a lot with a good static code review engine and a lot of code was written to give Owasp guys the best framework as possible to be used for writing code review tools. I hope to pursuit my goals again with SoC 2008.

== Skavenger ==
* Matthias Rohr

'''Introduction'''

Skavenger is a web application security assessment toolkit which arised from many years of professional experience in the web application assessment field and is the result of nearly one your of work.

It passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeader plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, an insecure session management and several kinds of information disclosure). Skavenger's modular design allows the integration of custom scanning modules without any knowledge about the tool at all.

Skavenger is completely written in Perl and can be downloaded from:
https://sourceforge.net/projects/skavenger/

'''Objectives and deliverables'''

Here are some ideas:
* A GUI to monitor and analyze scanning results
* More sophisticated scanner modules (e.g. for better backend identification and more platform specific tests)
* Database integration
* API's to integrate modules in other languages (such as Python or Java).
* Better source integration with custom Firefox, Burp or (of course) WebScarab plugins

== OWASP .NET Project Leader ==
* Mark Roxberry

'''Project Proposal'''

Assume the lead of the OWASP .NET Project. Ensure that information, materials and software are relevant to building secure .NET web applications and services. Provide deep content for all roles related to .NET web applications and services including:

* Architectural guidance
* Developer tools, information and checklists
* IT professional content (for those that deploy and maintain .NET websites)
* Penetration testing resources
* Incident response resources

The OWASP .NET Project Leader will actively recruit .NET contributors, including personnel from Microsoft, but others throughout the .NET ecosystem. Including experts from communities from large companies to ISVs, from enterprise architects to ALT.NET developers will be important for the overall reach of the OWASP .NET project. Other communities to consider include developers who use Mono (.NET for Linux), including Moonlight (Silverlight for Linux).

The OWASP .NET Project Leader will actively contribute to the OWASP projects that require .NET resources, by recruiting resources or contributing to the project.

I propose to have the project active in 1-3 months, with continuous recruitment efforts for contributors for the life of the project. Metrics for success can include number of contributors, number of articles, search engine ranks for pages and site visit counts. For the application however, I will submit that within 3 months I can provide a baseline to set site goals for each metric.

'''Why I should be sponsored for the project'''

I have previously contributed to the OWASP Test Guide v2 project, providing content and reviewed content. I care about the OWASP mission. In fact, I have used the OWASP Top 10 to teach developers about vulnerabilities in web applications.

I have 15 years of technical leadership experience using Microsoft technologies. I have lead small and large teams as a technical lead, lead developer and architect on small and large projects. I am a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker. I am on top of current trends and required to be informed regarding .NET web development and security, including, for example ASP.NET MVC, Silverlight, Unity, Entity Framework. I am personally interested in providing security resources to .NET developers globally, specific and applicable to their projects.

== OWASP Backend Security Project ==
* Full name: Carlo Pelliccioni
* Project: OWASP Backend Security Project
* Project description:
:OWASP Backend Security Project is a new project created to improve and to collect the existant information about the backend security.
:The project is composed by three sections (security development, security hardening and security testing).
:The aim is to define the guidelines for the companies and IT professionals working in the security field into processes development and back-end components management/testing in the enterprise architecture.

* Objectives:

'''Overview'''
Create a section with an introduction about the project (high-level description) explaining the main
goals.

'''Development'''
Include the writings already existant in OWASP wiki concerning PHP,
JAVA and ASP.NET and extend the projects' sections with new contents.

'''Hardening'''
Create new guidelines about the dbms hardening

'''Testing'''
Include the writings already existant in OWASP wiki about security testing.
Create new articles about security testing.

== OWASP Classic ASP Security Project ==
* Juan Carlos Calderon
'''Executive Summary''' 
I am interested in making P018 - OWASP Classic ASP Security Project happen, Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place” and continue spreading the word on security. I have always be a passionate of the technology (regardless of its inconveniences such as being old and DLL-hell prone) and I am really exited on the idea of sharing my knowledge of this area to the world and what best that though OWASP.

'''Objectives and Deliverables''' 
Create a secure framework for Classic ASP application by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries. More specifically:
* Creation of a Common Object Repository for ASP applications based on OWASP ESAPI Project including objects and/or references to libraries for security applications all this aligned with OWASP Top10 and OWASP Guide .
* Create Documentation aligned to OWASP Code Review Project Checklist providing additional technology-specific checks.
* Addition of expression for Code Review Tool to support Classic ASP applications.
* Implementation of Version 1 of Stinger for ASP either by using an installable COM library or ISAPI.
* This same module will compliment the OWASP Validation Documentation Project.

'''Why should I be sponsored for the project?''' 
I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

Also I’ve had close contact with OWASP since 2005
[https://lists.owasp.org/pipermail/owasp-spanish/2005-March/000069.html] by making possible the translation of OWASP Top 10 2004 [http://www.owasp.org/index.php/Top_10_2004] and OWASP Testing Guide V1.17 [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf] to Spanish.

== Internationalization Guidelines and OWASP-Spanish Project ==
* Juan Carlos Calderon
'''Executive Summary''' 
The main goal of OWASP is to spread the word about security (“Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.”) and OWASP has done great work so far :). And now it’s time for a next big step.

The number of native and secondary speakers in the world for Chinese, Spanish, French, Russian, Arabic and Indi languages are estimated in similar number to English speaking or even more (Some References at [http://en.wikipedia.org/wiki/Ethnologue_list_of_most_spoken_languages Ethnologue], [http://encarta.msn.com/media_701500404/Languages_Spoken_by_More_Than_10_Million_People.html Encarta], [http://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers Wikipedia]). I think is a good time for OWASP to reach those that do not speak English to have full access to all the OWASP materials, not just a couple of documents.

OWASP, while open to translations, do not have clear guidelines on how to translate OWASP contents and (AFAIK) there is no multi-language support in OWASP.org site. This is understandable as there is no formal project for internationalization so far.

'''Oportunity and Effort''' 
This is great opportunity to make Spanish the first language on which the OWASP site and documentation is fully translated and at the same time share the experience with other people interested in the same objective, Bring OWASP to the world. And this is something I’ve being pushing for some time ago and that could be possible “at once” via SoC 2008.

I understand this is significant effort so to have it done I will count with the help of 6 people (friend of mine, all of them Security auditors with excellent English level) plus a few well known contributors from OWASP-Spanish effort, so the founding will be divided among the people involved in the same proportion of the work they do for the completion of this effort. This, to encourage delivery.

'''Objectives and Deliverables''' 
* Team up with Larry Casey to implement Multilanguage support in OWASP.org Mediawiki.
* General Guidelines on minimum/recommended requirements to start a new language translation for OWASP Document and Site Pages
* General Guidelines on minimum/recommended requirements to implement internationalization and localization ([http://www.w3.org/International/ i18n]) on OWASP Software
* Full translation to Spanish of all the release-level document projects. Those are:
** Top 10 2007
** Guide 2 (Already translated)
** Testing Guide (Already Translated)
** Legal
** FAQ
* Full Translation of major sections of OWASP Site
** Project Main Pages (Release, Beta and Alpha levels for both documents and tools projects)
** Principles
** References Section
** Conferences
** News (Those currently displayed in OWASP site)
** About OWASP
* Evaluation of Spanish translation approach for WebGoat and WebScarab and delivery of this document to Bruce and Rogan for possible implementation in near future.
* Leverage for deploy of es.owasp.org, the domain already exists but is not redirecting correctly.
* Create a Communication strategy to help and keep track on new pages or changes in significant pages so all the translations are in sync.

'''Out of Scope''' 
Translation of the following sections are NOT in Scope
* Local Chapters Pages
* Presentations
* Conferences
* Videos
* Blogs
* All the projects deliverables in Alpha and Beta Stages
* All the documentation “on development” like Guide Version 3.0
* Translation of Pages, documentation or tools to other language other than Spanish according to the stated in above section.

'''Why should I be sponsored for the project?''' 
I’ve being part of contributions to OWASP documents on the translation arena since 2005 [https://lists.owasp.org/pipermail/owasp-spanish/2005-March/000069.html], a few of them by making possible the translation of OWASP Top 10 2004 [http://www.owasp.org/index.php/Top_10_2004] and OWASP Testing Guide V1.17 [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf] to Spanish. It is time to make the full job done :).

I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

== The Ruby on Rails Security Guide v2 ==
Heiko Webers

The last security guide for Rails [http://www.owasp.org/index.php/Category:OWASP_Web_Application_Security_Put_Into_Practice] was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The Ruby on Rails Security Project [http://www.rorsecurity.info/] is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a book [http://www.lulu.com/content/1412042]. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.

In the new Rails Security Guide I'd like to
* update the entire book to match Rails 2.0
* cover new topics, including, but not limited to:
** Intranet and administration interface security,
** phishing,
** real-world attack situations,
** short excursus on server monitoring,
** the new CookieStore session management,
** vulnerabilities in popular plug-ins,
** denial-of-service attacks
* cover all OWASP Top Ten security vulnerabilities
* a more compact writing style, more examples and "questions-and-answers"
* introduce the OWASP and Rails security to a greater audience

File:Owasp-rails-security.pdf

2007-11-20T21:27:44Z

Hawe: uploaded a new version of "Image:Owasp-rails-security.pdf": Ruby on Rails Security How-To

Web Application Security Put Into Practice - Ruby On Rails Security

SpoC 007 - Web Application Security put into practice

2007-10-31T15:34:15Z

Hawe:

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Heiko

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 100% Complete, [[SpoC 007 - Web Application Security put into Practice - Progress Page|Progress Page]]

== Heiko - Web Application Security put into practice ==

This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explanation educate the best.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

== Objectives ==
* Create a security guide to the most popular web server software, Apache
* Create a security guide to the popular database software, MySQL
* Ruby on Rails security guide and code examples for each of the OWASP Top Ten

== Spring Of Code 007 ==
This project was selected for the spring of code 007 [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Heiko_-_Web_Application_Security_put_into_practice].

== Resources ==
* The Ruby on Rails Security project [http://www.rorsecurity.info/]
* The Guide: [https://www.owasp.org/index.php/Image:Owasp-rails-security.pdf]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

SpoC 007 - Web Application Security put into Practice - Progress Page

2007-10-31T15:33:12Z

Hawe:

* Apache Guide (done)
* MySQL Guide (done)
* Ruby On Rails Guide for the OWASP Top 10 (done)
** A1 - Cross Site Scripting (XSS)
** A2 - Injection Flaws
** A3 - Malicious File Execution
** A4 - Insecure Direct Object Reference
** A5 - Cross Site Request Forgery (CSRF)
** A6 - Information Leakage and Improper Error Handling
** A7 - Broken Authentication and Session Management
** A8 - Insecure Cryptographic Storage
** A9 - Insecure Communications
** A10 - Failure to Restrict URL Access

Web Application Put Into Practice: [https://www.owasp.org/index.php/Image:Owasp-rails-security.pdf]

File:Owasp-rails-security.pdf

2007-10-31T15:31:18Z

Hawe: uploaded a new version of "Image:Owasp-rails-security.pdf": Web Application Security Put Into Practice by Heiko Webers

Web Application Security Put Into Practice - Ruby On Rails Security

SpoC 007 - Web Application Security put into practice

2007-09-03T07:57:10Z

Hawe:

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Heiko

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 60% Complete, [[SpoC 007 - Web Application Security put into Practice - Progress Page|Progress Page]]

== Heiko - Web Application Security put into practice ==

This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explanation educate the best.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

== Objectives ==
* Create a security guide to the most popular web server software, Apache
* Create a security guide to the popular database software, MySQL
* Ruby on Rails security guide and code examples for each of the OWASP Top Ten

== Spring Of Code 007 ==
This project was selected for the spring of code 007 [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Heiko_-_Web_Application_Security_put_into_practice].

== Resources ==
* The Ruby on Rails Security project [http://www.rorsecurity.info/]
* The Guide: [https://www.owasp.org/index.php/Image:Owasp-rails-security.pdf]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

SpoC 007 - Web Application Security put into Practice - Progress Page

2007-08-12T09:31:00Z

Hawe:

* Apache Guide (done)
* MySQL Guide (done)
* Ruby On Rails Guide for the OWASP Top 10 (on the way)
** A1 - Cross Site Scripting (XSS)
** A2 - Injection Flaws
** A3 - Malicious File Execution
** A4 - Insecure Direct Object Reference
** A5 - Cross Site Request Forgery (CSRF)
** A6 - Information Leakage and Improper Error Handling
** A7 - Broken Authentication and Session Management
** A8 - Insecure Cryptographic Storage
** A9 - Insecure Communications
** A10 - Failure to Restrict URL Access

Web Application Put Into Practice: [https://www.owasp.org/index.php/Image:Owasp-rails-security.pdf]

File:Owasp-rails-security.pdf

2007-08-12T09:27:03Z

Hawe: Web Application Security Put Into Practice - Ruby On Rails Security

Web Application Security Put Into Practice - Ruby On Rails Security

SpoC 007 - Web Application Security put into Practice - Progress Page

2007-07-30T15:31:32Z

Hawe: New page: * Apache Guide (done) * MySQL Guide (done) * Ruby On Rails Guide for the OWASP Top 10 (on the way) ** A1 - Cross Site Scripting (XSS) ** A2 - Injection Flaws ** A3 - Malicious File Executi...

SpoC 007 - Web Application Security put into practice

2007-07-30T15:27:16Z

Hawe:

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Heiko

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 60% Complete, [[SpoC 007 - Web Application Security put into Practice - Progress Page|Progress Page]]

== Heiko - Web Application Security put into practice ==

This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explanation educate the best.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

== Objectives ==
* Create a security guide to the most popular web server software, Apache
* Create a security guide to the popular database software, MySQL
* Ruby on Rails security guide and code examples for each of the OWASP Top Ten

== Spring Of Code 007 ==
This project was selected for the spring of code 007 [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Heiko_-_Web_Application_Security_put_into_practice].

== Resources ==
* The Ruby on Rails Security project [http://www.rorsecurity.info/]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

OWASP Spring Of Code 2007 - Projects

2007-07-14T09:59:34Z

Hawe: /* All SpoC Projects */

== All SpoC Projects ==

{| class="wikitable" WIDTH=100%
|-
! SpoC Project Name
! Author
! Confirmed
! Status
! Coordinated by
|-

|-
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]
| Mark Curphey
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - SqlMap|SqlMap]]
| Bernardo Damele
| Yes
| 60%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]
| Boris
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Report Generator]]
| Boris
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Tiger]]
| Boris
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]
| NSRAV Security Research Group
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]
| Eric Sheridan and
Dr. Goran Trajkovski
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]
| Ed Finkler
| Yes
| 50%
| TBA

|-
! [[SpoC 007 - Code review Project|Code review Project]]
| Eoin Keary
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]
| Mateo Meucci
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]
| Sebastien Deleersnyder
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]
| Arshan Dabirsiaghi
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]
| Keith Casey
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]
| Erwin Geirnaert
| Yes
| 90%
| TBA

|-
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]
| Bunyamin Demir
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]
| Denis
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]
| Darren Edmonds
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]
| Przemyslaw 'rezos' Skowron
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]
| Jim
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Brand|OWASP brand]]
| Paulo Coimbra
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]
| Heiko Webers
| Yes
| 60%
| TBA

|-
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]
| Subere
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]
| Paolo Perego
| Yes
| 15%
| TBA

|-
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]
| Arturo (Buanzo) Busleiman
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]
| Josh Sweeney
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]
| Erwin Geirnaert
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]
| Joshua Perrymon
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]
| Andy Gocke
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - 10x 1000USD to FOSS projects we all use |10x 1000USD to FOSS projects we all use ]]
| (tbd)
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]
| Paulo Coimbra
| Yes
| 0%
| TBA

|}

SpoC 007 - Web Application Security put into practice

2007-07-14T09:58:51Z

Hawe:

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Heiko

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 60% Complete, [[SpoC 007 - Web Application Security put into Practice - Progress Page|Progress Page]]

== Heiko - Web Application Security put into practice ==

This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explanation educate the best.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

== Objectives ==
* Create a security guide to the most popular web server software, Apache
* Create a security guide to the popular database software, MySQL
* Ruby on Rails security guide and code examples for each of the OWASP Top Ten

== Spring Of Code 007 ==
This project was selected for the spring of code 007 [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Heiko_-_Web_Application_Security_put_into_practice].

'''Progress'''
* Apache Guide (done)
* MySQL Guide (done)
* Ruby On Rails Guide (on the way)

== Resources ==
* The Ruby on Rails Security project [http://www.rorsecurity.info/]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

Category:OWASP Web Application Security Put Into Practice

2007-06-28T19:54:50Z

Hawe: New page: == About == This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explana...

== About ==

This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explanation educate the best.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

== Objectives ==
* Create a security guide to the most popular web server software, Apache
* Create a security guide to the popular database software, MySQL
* Ruby on Rails security guide and code examples for each of the OWASP Top Ten

== Spring Of Code 007 ==
This project was selected for the spring of code 007 [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Heiko_-_Web_Application_Security_put_into_practice].

'''Progress'''
* Apache Guide (done)
* MySQL Guide (done)
* Ruby On Rails Guide (on the way)

== Resources ==
* The Ruby on Rails Security project [http://www.rorsecurity.info/]

Category:OWASP Project

2007-06-28T19:38:53Z

Hawe: /* Alpha Status Projects */

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

To propose a new project, please send an email to [mailto:owasp@owasp.org?subject=New_OWASP_Project_idea owasp@owasp.org]

Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page.

==Release Quality Projects==

<table><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]
: an online training environment for hands-on learning about application security

; [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]]
: a tool for performing all types of security testing on web applications and web services

</td><td>

; [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]]
: FAQ covering many application security topics

; [[:Category:OWASP Guide Project|OWASP Guide Project]]
: a massive document covering all aspects of web application and web service security

; [[:Category:OWASP Legal Project|OWASP Legal Project]]
: a project focused on contracting for secure software

; [[:Category:OWASP Testing Project|OWASP Testing Guide]]
: a project focused on application security testing procedures and checklists

; [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]
: an awareness document that describes the top ten web application security vulnerabilities

</td></tr></table>

==Beta Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]]
: a JavaScript based web application security testing suite

; [[:Category:OWASP DirBuster Project|OWASP DirBuster Project]]
:DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers.

; [[:Category:OWASP Encoding Project|OWASP Encoding Project]]
: a project focused on the development of encoding best practices for web applications.

; [[:Category:OWASP LAPSE Project|OWASP LAPSE Project]]
: an Eclipse-based source-code static analysis tool for Java

; [[:Category:OWASP Live CD Project|OWASP Live CD Project]]
: a CD containing ready to use versions of application security analysis and testing tools

; [[:Category:OWASP .NET Project|OWASP .NET Research]]
: a project focused on helping .NET developers build secure applications

; [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]
: a project focused on combining automated capabilities with complete manual testing to get the best results

; [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]
: an open source black box security scanner used to assess the security of AJAX-enabled applications

; [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]]
: a project focused on the development of SQLiX, a full perl-based SQL scanner

; [[:Category:OWASP WSFuzzer Project|OWASP WSFuzzer Project]]
: a project focused on the development of WSFuzzer, a full python-based Web Services SOAP fuzzer

; [[ORG_%28Owasp_Report_Generator%29|OWASP Report Generator]]
: a project giving security professionals a way to report and keep track of their projects

; [[Owasp_SiteGenerator|OWASP Site Generator]]
: a project allowing users to create dynamic sites for use in training, web application scanner testing, etc...

; [[OWASP_Tiger|OWASP Tiger]]
: OWASP Tiger is a Windows application originally intended to be used for automating the process of testing various known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce alerts, notifications that something is wrong with the application(s) or service(s) being tested.

; [[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]
: OWASP WeBekci is a web based ModSecurity 2.x management tool. WeBekci is written in PHP, Its backend is powered by MySQL and the frontend by XAJAX framework.
</td><td>

; [[:Category:OWASP CLASP Project|OWASP CLASP Project]]
: a project focused on defining process elements that reinforce application security

; [[:Category:OWASP Code Review Project|OWASP Code Review Project]]
: a project to capture best practices for reviewing code

; [[:Category:OWASP Tools Project|OWASP Tools Project]]
: The OWASP Tools Project's goal is to provide unbiased, practical information and guidance about application security tools.

</td></tr></table>

==Alpha Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP PHP AntiXSS Library Project|OWASP PHP AntiXSS Library Project]]
: reduce cross-site scripting vulnerabilities by encoding your output

; [[:Category:OWASP Insecure Web App Project|OWASP Insecure Web App Project]]
: a web application that includes common web application vulnerabilities

; [[:Category:OWASP Interceptor Project|OWASP Interceptor Project]]
: a testing tool for XML web service and Ajax interfaces

; [[:Category:OWASP JBroFuzz|OWASP JBroFuzz Project]]
: a fuzzer application, supporting a number of automated security checks including basic cross site scripting checks (XSS) as well as basic SQL injection testing.

; [[:Category:OWASP Orizon Project|OWASP Orizon Project]]
: a project focused on the development of a flexible code review engine

; [[:Category:OWASP Stinger Project|OWASP Stinger Project]]
: a project focus on the development of a centralized input validation mechanism which can be easily applied to existing or developmental applications

</td><td>

; [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]]
: investigating the security of AJAX enabled applications

; [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]]
: establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment

; [[:Category:OWASP Application Security Requirements Project|OWASP Application Security Requirements]]

; [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]]
: identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security

; [[:Category:OWASP Career Development Project|OWASP Career Development Project]]
: The OWASP Career Development project is focused on helping application security professionals understand the job market, roles, career paths, and skills to work in the field.

; [[:Category:OWASP Certification Criteria Project|OWASP Certification Criteria Project]]

; [[:Category:OWASP Certification Project|OWASP Certification Project]]
: our challenge is to create a plan for certification: a set of OWASP Certification for Developers and Testers.

; [[:Category:OWASP Communications Project|OWASP Communications Project]]

; [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]]
: a comprehensive and integrated guide to the fundamental building blocks of application security

; [[:Category:OWASP Java Project|OWASP Java Project]]
: a project focused on helping Java and J2EE developers build secure applications

; [[:Category:OWASP Logging Project|OWASP Logging Guide]]
: a project to define best practices for logging and log management

; [[:Category:OWASP PHP Project|OWASP PHP Project]]
: a project focused on helping PHP developers build secure applications

; [[:Category:OWASP Validation Project|OWASP Validation Project]]
: a project that provides guidance and tools related to validation

; [[:Category:OWASP WASS Project|OWASP WASS Guide]]
: a standards project to develop more concrete criteria for secure applications

; [[:Category:OWASP Web Application Security Put Into Practice|OWASP Web Application Security Put Into Practice]]
: real-world web application security for Ruby on Rails, Apache and MySQL

; [[:Category:OWASP XML Security Gateway Evaluation Criteria Project|OWASP XML Security Gateway Evaluation Criteria]]
: a project to define evaluation criteria for XML Security Gateways

; [[:Category:OWASP Education Project|OWASP Education Project]]
: a project to build educational tracks and modules for different audiences

</td></tr></table>

__NOTOC__

OWASP Spring Of Code 2007 Applications

2007-03-29T12:55:24Z

Hawe: Heiko's application

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Track and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily

===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*"Templatize" the code generation process, so it can support skinning of the resulting sites
*"Templatize" the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one

===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*More robustness
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples

===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Heiko - Web Application Security put into practice==
I'm trying to make the OWASP Top Ten and Guide project known in the programming community, but I understand that clear examples in the specific programming language and best practices with explanation educate the best. I'm at the chair for secure software at my university and I want to contribute practical examples, because I believe not to teach secure programming is a great oversight in today's education. Not only the programmers in large companies have to be aware of security impacts, but also their future employees and their freelance programmers. I'm with a large organization of freelance programmers, which I want to make aware of security flaws.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

===Objectives and Deliverables===
* Create a security guide to the most popular web server software, Apache
** Installation
** secure configuration, emphasis on Rails, but not limited to it
** file system privileges for Rails and Apache
** anti profiling techniques for Apache
** Modules and Mod_security configuration

* Create a security guide to the popular database software, MySQL, as practical contribution to the OWASP Top 10 Insecure storage section
** Installation
** secure configuration, emphasis on Rails, but not limited to it
** file system privileges for Rails and MySQL
** MySQL access restriction techniques
** encryption methods

* Ruby on Rails security guide and code examples, with at least the following topics:
** Anti profiling techniques
** Rails routes security
** error handling and presentation, as in OWASP Top 10 Improper Error Handling
** OWASP Top 10: XSS in Rails
** OWASP Top 10: SQL injection in Rails
** OWASP Top 10: Parameter injection in Rails
** OWASP Top 10: Session handling in Rails
** OWASP Top 10: Access control in Rails
** handling of files
** integrity
** encryption and SSL
** logging flaws
** Ajax security

* Code & other
** means to check the security of MySQL
** input validation guide, and implement it in Ruby
** update the poorly documented guide at http://manuals.rubyonrails.com/read/chapter/40 which is the only official guide to security
** usage guide for OWASP tools, also in connection with Rails
** make the results known in the several communities I'm in
** if applicable: submit code to Rails for security holes found

===Why I should be sponsored for the project===
I have been programming professionally for 10 years and created several software products, including Internet applications, and I always focused on security. I am currently graduating university, my thesis is about web application security. Recently, I started the Ruby on Rails security project, which is the only security project for Rails. I have always delivered my work on time, and I believe I have the knowledge to deliver good quality.

===Long-term vision for the project===
Make it available to the community and accept security notices and best practices from other users to constantly improve it.

===Benefits to the OWASP===
* practical guides on how to put security into practice: the most popular web server software Apache and the popular database software MySQL
* if applicable: additional examples and chapters for the OWASP Guide
* the first and only fully-fledged security guide to a programming language and framework which is used by many large companies
* security awareness of future employees and freelancers
* more exposure of the OWASP

Category:Ruby on Rails

2007-02-21T22:38:57Z

Hawe:

Many share the perception of Rails being a "secure" framework.
And that might well be true, because we need less code to get things done and less
code means a better overview of what's happening.
But though Rails seems to be safer, doesn't allow to lean back. There has
been a [http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure security bug] ([http://blog.evanweaver.com/articles/2006/08/12/anatomy-of-an-attack-against-1-1-4 more detailed]) in Rails last year and even in [http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/ Ruby].

'''Starting point'''
As a good starting point, here's a good Ruby on Rails example, which deliberately
includes several security vulnerabilities: [http://www.foundstone.com/resources/proddesc/hacmecasino.htm The Hacme Casino]. Especially reading the [http://www.foundstone.com/resources/whitepapers/hacmecasino_userguide.pdf user guide] gives you a good insight on what can go wrong.

'''[http://www.rorsecurity.info More on the Ruby on Rails Security site]'''

[[Category:Technology]]
[[Category:Language]]

Category:Ruby on Rails

2007-02-21T22:35:18Z

Hawe: New page: Many share the perception of Rails being a "secure" framework. And that might well be true, because we need less code to get things done and less code means a better overview of what's hap...