https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Jun+ZhuOWASP - User contributions [en]2026-04-22T05:33:49ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=215998Projects/OWASP ASIDE Project2016-04-26T07:58:08Z<p>Jun Zhu: /* Publications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [https://www.linkedin.com/in/mahmoudmo Mahmoud Mohammadi], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [https://www.linkedin.com/in/mahmoudmohamadi/ Mahmoud Mohammadi], [[User:Bill Chu|Bill Chu]] and [http://hci.uncc.edu/~richter/ Heather Richter Lipford], “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [http://www.tylerthomaswebsite.net/ Tyler Thomas], [https://drive.google.com/file/d/0B4IYTQA8N1S7QTJIczlZRi1SQjg/view?usp=sharing Mitigating Access Control Vulnerabilities through Interactive Static Analysis] , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria <br />
<br />
3. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/3dyl6i5n3xongm7/12.pdf?dl=0 Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [https://www.dropbox.com/s/527xwwkm0tfz314/13.pdf?dl=0 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/yctg4bzyr3zqin3/14.pdf?dl=0 Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
7. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [https://www.dropbox.com/s/vfp261rhx3o2lac/15.pdf?dl=0 Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Relevant Research==<br />
<br />
8. [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], etc [https://www.dropbox.com/s/fs2jin7azy1z7pm/16.pdf?dl=0 The Impact of A Structured Application Development Framework on Web Application Security]<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. [https://drive.google.com/open?id=0B4IYTQA8N1S7cmpCRFlQWjRJems Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course]. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=215997Projects/OWASP ASIDE Project2016-04-26T07:53:30Z<p>Jun Zhu: /* Research Activities */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [https://www.linkedin.com/in/mahmoudmo Mahmoud Mohammadi], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [https://www.linkedin.com/in/mahmoudmohamadi/ Mahmoud Mohammadi], [[User:Bill Chu|Bill Chu]] and [http://hci.uncc.edu/~richter/ Heather Richter Lipford], “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [http://www.tylerthomaswebsite.net/ Tyler Thomas], [https://drive.google.com/file/d/0B4IYTQA8N1S7QTJIczlZRi1SQjg/view?usp=sharing Mitigating Access Control Vulnerabilities through Interactive Static Analysis] , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria <br />
<br />
3. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/3dyl6i5n3xongm7/12.pdf?dl=0 Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [https://www.dropbox.com/s/527xwwkm0tfz314/13.pdf?dl=0 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/yctg4bzyr3zqin3/14.pdf?dl=0 Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
7. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [https://www.dropbox.com/s/vfp261rhx3o2lac/15.pdf?dl=0 Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Relevant Research==<br />
<br />
8. [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], etc [https://www.dropbox.com/s/fs2jin7azy1z7pm/16.pdf?dl=0 The Impact of A Structured Application Development Framework on Web Application Security]<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. [http://webpages.uncc.edu/~jzhu16/EmbeddingSecureCodingInstructionIntoTheIDE.pdf Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course]. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=215996Projects/OWASP ASIDE Project2016-04-26T07:52:05Z<p>Jun Zhu: /* Research Activities */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [https://www.linkedin.com/in/mahmoudmo Mahmoud Mohammadi], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [https://www.linkedin.com/in/mahmoudmohamadi/ Mahmoud Mohammadi], [[User:Bill Chu|Bill Chu]] and [http://hci.uncc.edu/~richter/ Heather Richter Lipford], “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [http://www.tylerthomaswebsite.net/ Tyler Thomas], [https://drive.google.com/file/d/0B4IYTQA8N1S7QTJIczlZRi1SQjg/view?usp=sharing] , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria <br />
<br />
3. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/3dyl6i5n3xongm7/12.pdf?dl=0 Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [https://www.dropbox.com/s/527xwwkm0tfz314/13.pdf?dl=0 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/yctg4bzyr3zqin3/14.pdf?dl=0 Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
7. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [https://www.dropbox.com/s/vfp261rhx3o2lac/15.pdf?dl=0 Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Relevant Research==<br />
<br />
8. [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], etc [https://www.dropbox.com/s/fs2jin7azy1z7pm/16.pdf?dl=0 The Impact of A Structured Application Development Framework on Web Application Security]<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. [http://webpages.uncc.edu/~jzhu16/EmbeddingSecureCodingInstructionIntoTheIDE.pdf Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course]. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=208358Projects/OWASP ASIDE Project2016-02-09T01:18:00Z<p>Jun Zhu: /* Publications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [https://www.linkedin.com/in/mahmoudmo Mahmoud Mohammadi], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [https://www.linkedin.com/in/mahmoudmohamadi/ Mahmoud Mohammadi], [[User:Bill Chu|Bill Chu]] and [http://hci.uncc.edu/~richter/ Heather Richter Lipford], “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [http://www.tylerthomaswebsite.net/ Tyler Thomas], [http://webpages.uncc.edu/~jzhu16/Mitigating_Access_Control_Vulnerabilities_through_Interactive_Static_Analysis.pdf Mitigating Access Control Vulnerabilities through Interactive Static Analysis] , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria <br />
<br />
3. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/3dyl6i5n3xongm7/12.pdf?dl=0 Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [https://www.dropbox.com/s/527xwwkm0tfz314/13.pdf?dl=0 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/yctg4bzyr3zqin3/14.pdf?dl=0 Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
7. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [https://www.dropbox.com/s/vfp261rhx3o2lac/15.pdf?dl=0 Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Relevant Research==<br />
<br />
8. [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], etc [https://www.dropbox.com/s/fs2jin7azy1z7pm/16.pdf?dl=0 The Impact of A Structured Application Development Framework on Web Application Security]<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. [http://webpages.uncc.edu/~jzhu16/EmbeddingSecureCodingInstructionIntoTheIDE.pdf Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course]. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=208357Projects/OWASP ASIDE Project2016-02-09T00:58:11Z<p>Jun Zhu: /* Research Activities */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [https://www.linkedin.com/in/mahmoudmo Mahmoud Mohammadi], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [https://www.linkedin.com/in/mahmoudmohamadi/ Mahmoud Mohammadi], [[User:Bill Chu|Bill Chu]] and [http://hci.uncc.edu/~richter/ Heather Richter Lipford], “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [http://www.tylerthomaswebsite.net/ Tyler Thomas], [http://webpages.uncc.edu/~jzhu16/Mitigating_Access_Control_Vulnerabilities_through_Interactive_Static_Analysis.pdf Mitigating Access Control Vulnerabilities through Interactive Static Analysis] , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria <br />
<br />
3. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/3dyl6i5n3xongm7/12.pdf?dl=0 Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [https://www.dropbox.com/s/527xwwkm0tfz314/13.pdf?dl=0 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/yctg4bzyr3zqin3/14.pdf?dl=0 Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
7. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [https://www.dropbox.com/s/vfp261rhx3o2lac/15.pdf?dl=0 Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Relevant Research==<br />
<br />
8. [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], etc [https://www.dropbox.com/s/fs2jin7azy1z7pm/16.pdf?dl=0 The Impact of A Structured Application Development Framework on Web Application Security]<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=208355Projects/OWASP ASIDE Project2016-02-09T00:36:51Z<p>Jun Zhu: /* Research Activities */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [https://www.linkedin.com/in/mahmoudmo Mahmoud Mohammadi], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [https://www.linkedin.com/in/mahmoudmohamadi/ Mahmoud Mohammadi], [[User:Bill Chu|Bill Chu]] and [http://hci.uncc.edu/~richter/ Heather Richter Lipford], “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [http://www.tylerthomaswebsite.net/ Tyler Thomas], [https://drive.google.com/file/d/0B4IYTQA8N1S7QTJIczlZRi1SQjg/view?usp=sharing Mitigating Access Control Vulnerabilities through Interactive Static Analysis] , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria <br />
<br />
3. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/3dyl6i5n3xongm7/12.pdf?dl=0 Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [https://www.dropbox.com/s/527xwwkm0tfz314/13.pdf?dl=0 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/yctg4bzyr3zqin3/14.pdf?dl=0 Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
7. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [https://www.dropbox.com/s/vfp261rhx3o2lac/15.pdf?dl=0 Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Relevant Research==<br />
<br />
8. [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], etc [https://www.dropbox.com/s/fs2jin7azy1z7pm/16.pdf?dl=0 The Impact of A Structured Application Development Framework on Web Application Security]<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=205057Projects/OWASP ASIDE Project2015-12-12T04:35:45Z<p>Jun Zhu: /* Research Activities */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [https://www.linkedin.com/in/mahmoudmo Mahmoud Mohammadi], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [https://www.linkedin.com/in/mahmoudmohamadi/ Mahmoud Mohammadi], [[User:Bill Chu|Bill Chu]] and [http://hci.uncc.edu/~richter/ Heather Richter Lipford], “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [http://www.tylerthomaswebsite.net/ Tyler Thomas], [https://drive.google.com/file/d/0B4IYTQA8N1S7QTJIczlZRi1SQjg/view?usp=sharing Mitigating Access Control Vulnerabilities through Interactive Static Analysis] , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria <br />
<br />
3. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/7omb3kluj6lq8j1/10.pdf?dl=0 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/3dyl6i5n3xongm7/12.pdf?dl=0 Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [https://www.dropbox.com/s/527xwwkm0tfz314/13.pdf?dl=0 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [https://www.dropbox.com/s/yctg4bzyr3zqin3/14.pdf?dl=0 Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
7. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [https://www.dropbox.com/s/vfp261rhx3o2lac/15.pdf?dl=0 Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Relevant Research==<br />
<br />
8. [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], etc [https://www.dropbox.com/s/fs2jin7azy1z7pm/16.pdf?dl=0 The Impact of A Structured Application Development Framework on Web Application Security]<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191615Projects/OWASP ASIDE Project2015-03-17T21:37:08Z<p>Jun Zhu: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [http://www.owasp.org/index.php/User:Mahmoodm2 Mahmoud Mohammadi], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191565Projects/OWASP ASIDE Project2015-03-17T15:46:25Z<p>Jun Zhu: /* Publications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], [[User:Bill Chu|Bill Chu]], and [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191564Projects/OWASP ASIDE Project2015-03-17T15:44:18Z<p>Jun Zhu: /* Runnable ESIDE Prototype and Installation Guidelines */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Runnable ESIDE Prototype and Installation Guidelines ==<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191563Projects/OWASP ASIDE Project2015-03-17T15:44:00Z<p>Jun Zhu: /* Education branch of ASIDE: ESIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
=== Runnable ESIDE Prototype and Installation Guidelines ===<br />
The recent publicly available ESIDE plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ESIDE work properly. ESIDE is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191562Projects/OWASP ASIDE Project2015-03-17T15:39:46Z<p>Jun Zhu: /* Education branch of ASIDE: ESIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Open Source Code ==<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191561Projects/OWASP ASIDE Project2015-03-17T15:39:11Z<p>Jun Zhu: /* Education branch of ASIDE: ESIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
=== Source Code ===<br />
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191560Projects/OWASP ASIDE Project2015-03-17T15:35:19Z<p>Jun Zhu: /* What is ASIDE/ESIDE? */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191559Projects/OWASP ASIDE Project2015-03-17T15:34:52Z<p>Jun Zhu: /* What is ASIDE/ESIDE? */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: <br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
p.s. (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
* Real-time IDE support for secure code education (Java).<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191558Projects/OWASP ASIDE Project2015-03-17T15:34:28Z<p>Jun Zhu: /* What is ASIDE/ESIDE? */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides: (Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].)<br />
* Real-time IDE support for secure code education (Java).<br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191557Projects/OWASP ASIDE Project2015-03-17T15:33:53Z<p>Jun Zhu: /* What is ASIDE/ESIDE? */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
ESIDE provides:<br />
* Real-time IDE support for secure code education (Java).<br />
* Identification of targeted Java code patterns.<br />
* Interactive instructional opportunities for students in the IDE.<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191556Projects/OWASP ASIDE Project2015-03-17T15:33:01Z<p>Jun Zhu: /* What ESIDE provides? */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
<br />
• Identification of targeted Java code patterns.<br />
<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191548Projects/OWASP ASIDE Project2015-03-17T14:26:15Z<p>Jun Zhu: /* Priorities and get involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191547Projects/OWASP ASIDE Project2015-03-17T14:25:43Z<p>Jun Zhu: /* Priorities and get involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of March 17, 2015 the priorities are:<br />
1. Move xml into a database.<br />
<br />
2. Create a public repository of customized ESIDE support for specific courses.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191546Projects/OWASP ASIDE Project2015-03-17T14:24:20Z<p>Jun Zhu: /* Publications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191545Projects/OWASP ASIDE Project2015-03-17T14:23:50Z<p>Jun Zhu: /* Publications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191544Projects/OWASP ASIDE Project2015-03-17T14:23:20Z<p>Jun Zhu: /* Publications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
1. Whitney, M., [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [[User:Jun Zhu|Jun Zhu]]. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191543Projects/OWASP ASIDE Project2015-03-17T14:21:14Z<p>Jun Zhu: /* Research Activities */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191542Projects/OWASP ASIDE Project2015-03-17T14:20:21Z<p>Jun Zhu: /* Milestone/timeline */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Publications ==<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191541Projects/OWASP ASIDE Project2015-03-17T14:18:47Z<p>Jun Zhu: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=OWASP_ASIDE_Project&diff=191539OWASP ASIDE Project2015-03-17T14:07:29Z<p>Jun Zhu: Undo revision 191538 by Jun Zhu (talk)</p>
<hr />
<div>==== Project About ====<br />
{{:Projects/OWASP ASIDE Project | Project About}}</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=OWASP_ASIDE_Project&diff=191538OWASP ASIDE Project2015-03-17T14:05:18Z<p>Jun Zhu: </p>
<hr />
<div>==== Project About ====<br />
{{:Projects/OWASP ASIDE/ASIDE Project | Project About}}</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=191303Projects/OWASP ASIDE Project2015-03-12T20:41:25Z<p>Jun Zhu: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE/ESIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
New! OWASP ASIDE has an educational branch, named ESIDE (Educational Security in the IDE), details are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE/ESIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187082Projects/OWASP ASIDE Project2014-12-16T09:48:50Z<p>Jun Zhu: /* OWASP ASIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.uncc.edu/~richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
New! OWASP ASIDE has an educational branch, named ESIDE (Educational Security in the IDE), details are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187081Projects/OWASP ASIDE Project2014-12-16T09:47:48Z<p>Jun Zhu: /* OWASP ASIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
New! OWASP ASIDE has an education branch, named ESIDE (Educational Security in the IDE), details are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187080Projects/OWASP ASIDE Project2014-12-16T09:47:27Z<p>Jun Zhu: /* OWASP ASIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
<br/><br />
OWASP ASIDE has an education branch, named ESIDE (Educational Security in the IDE), details are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187079Projects/OWASP ASIDE Project2014-12-16T09:45:27Z<p>Jun Zhu: /* OWASP ASIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br/><br />
OWASP ASIDE has an education branch, named ESIDE (Educational Security in the IDE), details are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187078Projects/OWASP ASIDE Project2014-12-16T09:45:12Z<p>Jun Zhu: /* OWASP ASIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
OWASP ASIDE has an education branch, named ESIDE (Educational Security in the IDE), details are described [[https://www.owasp.org/index.php/Projects/OWASP_ASIDE_Project#Education_branch_of_ASIDE:_ESIDE here]].<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187077Projects/OWASP ASIDE Project2014-12-16T09:42:43Z<p>Jun Zhu: /* ESIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187076Projects/OWASP ASIDE Project2014-12-16T09:42:06Z<p>Jun Zhu: /* ESIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
The education branch of ASIDE, named ESIDE, is led by [http://hci.uncc.edu/tomcat/Michael_Whitney/ Michael Whitney] and [http://hci.uncc.edu/~richter Heather Richter Lipford]. Other major contributors include [[User: Bill Chu|Bill Chu]] and [[http://www.linkedin.com/in/junzhu1 Jun Zhu]].<br/><br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187075Projects/OWASP ASIDE Project2014-12-16T09:35:19Z<p>Jun Zhu: /* Description */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction. When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand. For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187074Projects/OWASP ASIDE Project2014-12-16T09:33:45Z<p>Jun Zhu: /* Priorities and get involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction (Figure 1). When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand (Figure 2). For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187073Projects/OWASP ASIDE Project2014-12-16T09:33:16Z<p>Jun Zhu: /* Priorities and get involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction (Figure 1). When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand (Figure 2). For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* Developing more controls for faculty members to modify educational content<br />
* Develop a means to control when students are first exposed to warnings. Ideas include:<br />
* 1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
* 2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
* 3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187072Projects/OWASP ASIDE Project2014-12-16T09:32:26Z<p>Jun Zhu: /* Priorities and get involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction (Figure 1). When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand (Figure 2). For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
* 1. Developing more controls for faculty members to modify educational content<br />
* 2. Develop a means to control when students are first exposed to warnings. Ideas include:<br />
** 1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
** 2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
** 3. Students are asked if they are ready for a particular interaction.<br />
<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187071Projects/OWASP ASIDE Project2014-12-16T09:31:29Z<p>Jun Zhu: /* Milestone/timeline */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction (Figure 1). When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand (Figure 2). For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper accepted to SIGCSE 2015<br />
* 1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
* 2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
* 1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
* 2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
* 3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
* 4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
* 5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
1. Developing more controls for faculty members to modify educational content<br />
2. Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help:<br />
Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their<br />
classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=187069Projects/OWASP ASIDE Project2014-12-16T04:44:57Z<p>Jun Zhu: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!<br />
<br />
= Education branch of ASIDE: ESIDE =<br />
== ESIDE ==<br />
<br />
== Introduction ==<br />
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning<br />
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes<br />
on the out of class, in the IDE time by providing layered educational opportunities whenever the<br />
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar<br />
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding<br />
principles and practices concurrently with the lessons they are learning in their respective courses.<br />
<br />
== Description ==<br />
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns<br />
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an<br />
interactive system that provides a layered educational opportunity. Because students are contextually<br />
“in the moment” when the support becomes available, they are more receptive to making the<br />
connection between classroom principles and coding practices. A secondary effect is the exponential<br />
increase in instructional exposure which has been proven to be successful in other instructional areas.<br />
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the<br />
principles and practices of secure coding throughout their educational experience. To this end, we have<br />
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates<br />
a layered educational intervention based on the targeted code. The first layer is a warning icon that<br />
is placed in the left margin of the code editor. Hovering the icon reveals a short message that<br />
encourages further interaction (Figure 1). When the student clicks the icon, ESIDE generates a<br />
content specific list of educational options. Each of these options are accompanied with a short<br />
explanation of the issue at hand (Figure 2). For each generated list, there also exists the option to<br />
access an explanation page that provides a more comprehensive explanation of what was<br />
discovered, why it is important, and how to integrate the provided principles into coding practices.<br />
<br />
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8<br />
<br />
== What ESIDE provides? ==<br />
• Real-time IDE support for secure code education (Java).<br />
• Identification of targeted Java code patterns.<br />
• Interactive instructional opportunities for students in the IDE.<br />
<br />
== Milestone/timeline ==<br />
Advanced Student Studies – paper submitted to SIGCSE 2015<br />
1. Fall, 2012 – Ten day assignment study at UNCC with the Network Based Application<br />
Development course.<br />
2. Spring, 2013 – Semester long deployment study at UNCC with the Network Based Application<br />
Development course.<br />
Early / Intermediate Student Studies – TOCE Journal targeted for submission<br />
1. Fall, 2012 – Classroom activity study with 61 early Elon University students<br />
2. Spring, 2013 – Classroom activity study with 22 intermediate Elon University students<br />
3. Spring, 2013 – Focus group study with 5 JCSU early students<br />
4. Fall, 2013 – Interactive walk through study with 4 JCSU early students<br />
5. Fall, 2013 – Seven day assignment study with 57 Elon University students<br />
<br />
== Priorities and get involved ==<br />
As of October 13, 2014 the priorities are:<br />
1. Developing more controls for faculty members to modify educational content<br />
2. Develop a means to control when students are first exposed to warnings. Ideas include:<br />
1. The tool monitors code and only provides warnings after the student has successfully<br />
written a particular code pattern x amount of times.<br />
2. Faculty are provided with a means to unlock warnings based on student readiness.<br />
3. Students are asked if they are ready for a particular interaction.<br />
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to<br />
be a security expert in order to contribute. Some of the ways you can help:<br />
Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their<br />
classroom would be wonderful!!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=184670Projects/OWASP ASIDE Project2014-11-04T15:24:34Z<p>Jun Zhu: /* OWASP ASIDE */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=181795Projects/OWASP ASIDE Project2014-09-05T14:52:57Z<p>Jun Zhu: /* Acknowledgements */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [http://hci.uncc.edu/tomcat/Michael_Whitney Michael Whitney], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= RoadMap and Get Involvement =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=181767Projects/OWASP ASIDE Project2014-09-05T01:52:21Z<p>Jun Zhu: /* Runnable plugins and installation guidelines = */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [http://hci.uncc.edu/tomcat/Michael_Whitney Michael Whitney], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ===<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=181766Projects/OWASP ASIDE Project2014-09-05T01:52:12Z<p>Jun Zhu: /* Quick Download */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [http://hci.uncc.edu/tomcat/Michael_Whitney Michael Whitney], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
=== Runnable plugins and installation guidelines ====<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=Projects/OWASP_ASIDE_Project&diff=181765Projects/OWASP ASIDE Project2014-09-05T01:51:19Z<p>Jun Zhu: /* Quick Download */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP ASIDE==<br />
<br />
OWASP ASIDE is led by [[http://www.linkedin.com/in/junzhu1 Jun Zhu]] and [[User: Bill Chu|Bill Chu]]. Other major contributors include [[http://www.linkedin.com/pub/jing-xie/45/890/a1a Jing Xie]], [http://hci.sis.uncc.edu:8080/richter Heather Richter Lipford], [http://www.tylerthomaswebsite.net Tyler Thomas], [http://hci.uncc.edu/tomcat/Michael_Whitney Michael Whitney], [[User:John Melton|John Melton]] & [[User: Will Stranathan|Will Stranathan]].<br/><br />
<br/><br />
We have presented our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation] here.<br />
<br/><br />
We have presented our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation] here.<br />
<br />
==Introduction==<br />
<br />
'''ASIDE''' is an abbreviation for '''Application Security plugin for Integrated Development Environment'''. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.<br />
<br />
==Description==<br />
<br />
ASIDE currently has three prototype implementations: [http://www.youtube.com/watch?v=VjzlpccMjTM ASIDE CodeRefactoring for Education], ASIDE CodeAnnotate which consists of two implementations, [http://www.youtube.com/watch?v=hyAO8WztiMc ASIDE JavaCodeAnnotate] and ASIDE PHPCodeAnnotate. <br />
<br />
ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. <br />
<br />
ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. <br />
<br />
An older version of [http://webpages.uncc.edu/~jxie2/aside_old.swf ASIDE DEMO] shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.<br />
<br />
==Research Activities==<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
==Licensing==<br />
OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASIDE? ==<br />
<br />
OWASP ASIDE provides:<br />
<br />
* Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code<br />
* Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices<br />
<br />
== Presentation ==<br />
<br />
1. Our talk [http://vimeo.com/54121249 Using Interactive Static Analysis for Early Detection of Software Vulnerabilities] at [http://www.appsecusa.org/ AppSec USA 2012]. You can view and download our [http://webpages.uncc.edu/~jzhu16/InteractiveStaticAnalysis.pdf presentation].<br />
<br />
2. Our talk [http://vimeo.com/32657812 Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. You can view and download our [http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation].<br />
<br />
== Project Leaders ==<br />
[[http://www.linkedin.com/in/junzhu1 Jun Zhu]],<br />
[[User: Bill Chu|Bill Chu]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_CISO_Survey]]<br />
<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/owaspaside OWASP ASIDE Ohloh]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle];<br />
<br />
=== Source Code ===<br />
ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education<br />
ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate<br />
ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate<br />
<br />
== Email List ==<br />
<br />
Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project<br />
<br />
== News and Events ==<br />
* [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!<br />
* [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!<br />
* [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!<br />
* [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!<br />
* [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!<br />
* [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!<br />
* [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!<br />
* [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!<br />
<br />
== In Print ==<br />
N/A<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
ASIDE project has been continuously under active research, development, and evaluation.<br />
Involvement in the development and promotion of ASIDE is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Try ASIDE and email your feedback, comments to the project leaders.<br />
* Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=OWASP_ASIDE_Project&diff=181764OWASP ASIDE Project2014-09-05T01:44:13Z<p>Jun Zhu: /* Research Activities */</p>
<hr />
<div>{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] <br />
| align="right" | <br />
<br />
|}<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP ASIDE Project | Project About}}</div>Jun Zhuhttps://wiki.owasp.org/index.php?title=OWASP_ASIDE_Project&diff=181763OWASP ASIDE Project2014-09-05T01:44:06Z<p>Jun Zhu: /* Download */</p>
<hr />
<div>{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] <br />
| align="right" | <br />
<br />
|}<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP ASIDE Project | Project About}}<br />
<br />
==== Research Activities ====<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
<br />
[[Category:OWASP_Project|ASIDE Project]] [[Category:OWASP_Tool|OWASP ASIDE]] [[Category:OWASP_Alpha_Quality_Tool|OWASP Alpha Quality Tool]] <!---[[Category:OWASP_Download]]---></div>Jun Zhuhttps://wiki.owasp.org/index.php?title=OWASP_ASIDE_Project&diff=181762OWASP ASIDE Project2014-09-05T01:43:58Z<p>Jun Zhu: /* Take a Look */</p>
<hr />
<div>{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] <br />
| align="right" | <br />
<br />
|}<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP ASIDE Project | Project About}}<br />
<br />
==== Download ====<br />
<br />
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar here]. You also need to download the complementary [http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside.logging_1.0.0.201302251700.jar logging] facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.<br />
<br />
The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from [http://webpages.uncc.edu/~jzhu16/CodeAnnotate_1.0.0.201210240250.jar here]. ASIDE CodeAnnotate is built upon [http://www.eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/indigosr1 Eclipse IDE for Java EE Developers] Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here].<br />
<br />
''New!'' We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon [http://projects.eclipse.org/projects/tools.pdt Eclipse PDT framework], you can download the plugin [http://webpages.uncc.edu/~jzhu16/PHPCodeAnnotate_1.0.0.NoSelectRules.jar here]. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded [https://drive.google.com/file/d/0B4IYTQA8N1S7bS16MUY5MFN4V28/edit?usp=sharing here], and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from [http://www.youtube.com/watch?v=hyAO8WztiMc here]. A good PHP open source project you can try the plugin against is [http://download.moodle.org Moodle]; <br />
<br />
<br />
==== Research Activities ====<br />
1. [[User:Jun Zhu|Jun Zhu]], [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://www.sciencedirect.com/science/article/pii/S2090123213001422 Supporting Secure Programming in Web Applications through Interactive Static Analysis], In Journal of Advanced Research, Elsevier, December, 2013.<br />
<br />
2. [[User:Jun Zhu|Jun Zhu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jzhu16/SIGCSE12-Zhu.pdf Interactive Support for Secure Programming Education], In Proceedings of ACM Technical<br />
Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA<br />
<br />
3. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-CHI2012.pdf Evaluating Interactive Support for Secure Programming], In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA<br />
<br />
4. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:John Melton|John T. Melton]], [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=62&type=2 ASIDE:IDE Support for Web Application Security], In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA<br />
<br />
5. [[User:Jing Xie|Jing Xie]], [http://hci.uncc.edu/~richter/ Heather Richter Lipford], and [[User:Bill Chu|Bill Chu]], [http://webpages.uncc.edu/~jxie2/XIE-VLHCC2011.pdf Why do programmers make security errors?], In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA<br />
<br />
6. [[User:Jing Xie|Jing Xie]], [[User:Bill Chu|Bill Chu]], and [http://hci.uncc.edu/~richter/ Heather Richter Lipford] [http://www.arc.uncc.edu/pubs/essos2011.pdf Interactive Support for Secure Software Development], In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
<br />
[[Category:OWASP_Project|ASIDE Project]] [[Category:OWASP_Tool|OWASP ASIDE]] [[Category:OWASP_Alpha_Quality_Tool|OWASP Alpha Quality Tool]] <!---[[Category:OWASP_Download]]---></div>Jun Zhu