2009-08-07T12:53:15Z

Marc Chisinevski: /* Goals */

==== Main ====

The OWASP Logging Project [http://www.owasp.org/index.php/Template:OWASP_Logging_Project [Roadmap]] .

[[Image:Owasp_Logging_Project_Roadmap.pdf]] 

[[Image:OWASP Logging Guide.pdf]] 

== Goals ==

http://www.pisa.org.hk/event/eventlog-mgt.jpg

 Provide tools for software developers in order to help them define and provide meaningful logs

Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps)

Facilitate the integration of logs from different sources

Facilitate attack reconstruction

Facilitate information sharing around security events

 

== Existing tools and use cases ==

 '''1) IDE integration''' (auto-completion, templates, logging policy definition support) for guiding software developers to define and provide meaningful logs

 '''IDE templates''' (Eclipse and NetBeans examples below) helping developers remember to log all necessary information while avoiding too much typing.

 '''OWASP ESAPI Logger''' interface (Logger.java) and implementations http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API http://code.google.com/p/owasp-esapi-java/downloads/list

 For example, a template can provide checks/hints/defaults s.a. those defined by the OWASP Enterprise Security API : - something equivalent to a generated logging session ID, or a hashed value of the session ID so they can track session specific events without risking the exposure of a live session's ID - identity of the user that caused the event - description of the event (supplied by the caller) - whether the event succeeded or failed (indicated by the caller) - severity level of the event (indicated by the caller) - that this is a security relevant event (indicated by the caller) - hostname or IP where the event occurred (and ideally the user's source IP as well) - a time stamp

 '''2/ Code audit tools''' s.a. OWASP yasca can be easily adapted in order to ensure that logging standards are respected and that log messages are consistent and complete (content, format, timestamps) See http://www.owasp.org/index.php/Category:OWASP_Yasca_Project Related OWASP projects: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project

'''3) Integrating application logs into a Security Information Management configuration''' OSSIM (http://www.ossim.net/) has numerous plugins for parsing webserver, appserver, WAF, IPS, IDS logs and generating/storing events in its standard format.

Adding a plugin for parsing custom application logs is as easy as finding the correct regular expression provided that developers included all relevant information in the log message and that they have done so in a consistent way.

You can refer to the OSSIM database model to see what data is stored for events.

See http://www.owasp.org/index.php/File:OWASP_Logging_Guide.pdf for more details/screenshots on application event integration and correlation via OSSIM

 '''4) Reconstructing attacks''' It is difficult to analyze, filter and generally reconstruct an attack because messages are spread around various log levels.

See the Logging part of the OWASP ESAPI project http://code.google.com/p/owasp-esapi-java/downloads/list

Along the same lines, Arshan Dabirsiaghi's proposal of adding a security log level is very interesting http://www.owasp.org/index.php/How_to_add_a_security_log_level_in_log4j

 '''5) Implement scripts for filtering/scrubbing logs in order to enable log data sharing between organizations''' Goal: information sharing around security events Custom logger implementations based on the OWASP ESAPI might also filter out any sensitive data specific to the current application or organization, such as credit cards, social security numbers etc.

See the Logging part of the OWASP ESAPI project See http://code.google.com/p/owasp-esapi-java/downloads/list

 

 

 

*** We need your efforts and contribution to this project ***

 

 

== Feedback and Participation: ==

We hope you find the OWASP Logging Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Logging Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-logging subscription page.]

 

==== Project Identification (Under work) ====

Project Leader: '''Marc Chisinevski''' 

{{Template:OWASP Logging Project}} __NOTOC__ <headertabs />

[[Category:OWASP_Project|Logging Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]

2009-07-16T11:45:44Z

Marc Chisinevski:

'''This page contains project Applications to the [[OWASP Season of Code 2009|OWASP Season of Code 2009]]'''.

= A few notes =
*'''If you want to apply for a OWASP SoC 09 sponsorship you HAVE TO USE THIS PAGE for your application.'''
** See [[OWASP Season of Code 2009#HOW TO PARTICIPATE (TO DEVELOPERS)|How To Participate]] for what to do once you completed your Application.
** Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Season_of_Code_2009#SELECTION_CRITERIA|Selection Criteria]].
** Please see [[OWASP Summer of Code 2008 Applications|OWASP SoC 08]], [[OWASP Spring Of Code 2007 Applications|OWASP SpoC 07]] for examples of Applications and [[OWASP Autumn of Code 2006 - Applications|OWASP AoC 06]].
* '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include [[OWASP Season of Code 2009 - Applications - Proposal Type|this information in your proposal]].
'''

= Applications - {Fill in below} =

== Application 1 ==

{| border="0" align="center" style="width: 95%;"
|-
| align="center" style="background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="2" |
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Applicant's Identification/Project Release Leader 
([[OWASP Season of Code 2009 - Applications - Proposal Type Applicant's Identification|''Please see specifications'']])

| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Igor Kranjec
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Application Designation/Name
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | ASTRanger (Abstract Syntax Tree Ranger)
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | First (proposed) Reviewer 
([[OWASP Season of Code 2009 - Applications - Proposal Type Applicant's Identification|''Please see specifications'']])

| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Paulo Coimbra
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Application Security Issue Addressed
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" |
'''Prelude'''

A commonly available tool for the Source Code static analysis (SCA, Static Code Analyzer) is a tool aimed to perform a parsing of the application source code in order to create a reference model on which to apply specific rules to identify problems and create a detailed report. There are a number of complete and efficient SCA tools available on the market.

'''Problem to be addressed'''

Based on our experience an ideal SCA tool should have the following additional characteristics: - multiplatform support;

- multi programming language support (with complete grammars, without “syntax holes”);

- ability to execute in stand alone mode or integrated with the most utilized development environment;

- Open Source distribution, with a strong community support;

- Security issues dedicated, with a clean separation between the analysis engine and vulnerability repository;

- Able to analyze large code bases with high performance.

'''Proposal'''

ASTRanger Project foresees the prototype development of a tool for the static analysis of source code that is going to address all of the above problems and will be able to assure that correct security rules (based on OWASP best practices) will be applied at the same time of the source code implementation. The tool will be embedded on the application developed, in such a way becoming a real Security Framework.

|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Prioritized area (''Please choose from'' [[OWASP Season of Code 2009#HOW_TO_PARTICIPATE_.28TO_DEVELOPERS.29|''here'']])
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Enterprise usability of OWASP projects
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Project Release Roadmap
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" |
'''Milestones''':

June 30, 2009 - Project Begins

July 10, 2009 – Requirements Analysis: Functional Requirements Document (FRD)

July 16, 2009 – Requirements Analysis: SAR (System Architectural Requirements)

July 20, 2009 – Identify vulnerabilities and exploitation methods.

July 24, 2009 - Defining rules set for selected vulnerabilities

July 28 2 2009 - Create thresholds for generating security alerts

Aug 3 2009 - Define parsing source code actions in response to security alerts

Aug 6 2009 - Development

Aug 18 2009 – Test and debugging

Aug 28, 2009 - Peer Review & Revisions

Aug 31, 2009 – Deliver of Prototype (Project Completion)

|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Other Questions
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | |}
|}

== Application 2 ==

{| border="0" align="center" style="width: 95%;"
|-
| align="center" style="background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="2" |
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Applicant's Identification/Project Release Leader 
([[OWASP Season of Code 2009 - Applications - Proposal Type Applicant's Identification|''Please see specifications'']])

| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Marc Chisinevski
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Application Designation/Name
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Asset management (asset identification, valuation and risk assessment based on ISO27005)
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | First (proposed) Reviewer 
([[OWASP Season of Code 2009 - Applications - Proposal Type Applicant's Identification|''Please see specifications'']])

| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Paulo Coimbra
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Application Security Issue Addressed
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" |
'''Prelude'''

Asset management (asset identification, valuation and risk assessment based on ISO27005): integration with opensource Security Information Management systems is currently being discussed.

Party management (clients, providers)

Contract and license management - integration with opensource tools such as OCS Inventory needs to be investigated, assetmng offering complementary functionalities.

'''Problem to be addressed'''
integration of different asset valuation and risk assessment models;
integration with opensource Security Information Management systems

'''Proposal'''

1/ managers/business analysts use the interface in order to:

- define assets and business process and their intrinsic values;

- classify these assets according to ISO27005 guidelines

2/ the application calculates asset values taking into an account:

- the intrinsic value of the asset defined in step 1;

- the values of other assets depending on this asset;

- the values of business processes using the asset.

The concept of an “asset” derived from ISO 27005
=================================================
An asset can be a :

- a business process or activity;

- information;

- a supporting asset such as a server or a network device.

|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Prioritized area (''Please choose from'' [[OWASP Season of Code 2009#HOW_TO_PARTICIPATE_.28TO_DEVELOPERS.29|''here'']])
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Enterprise usability of OWASP projects
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Project Release Roadmap
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" |
'''Milestones''':

July 16th, 2009 - Sources and documentation published at http://sourceforge.net/projects/assetmng

August 1st, 2009 – Identify improvements, new functionalities and integration options

Aug 10th, 2009 - Development

Aug 18th, 2009 – Test and debugging

Aug 28, 2009 - Peer Review & Revisions

Aug 31, 2009 – Deliver of Prototype (Project Completion)

|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Other Questions
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | |}
|}

OWASP Season of Code 2009 - Applications - Proposal Type

2009-07-16T11:15:00Z

Marc Chisinevski:

OWASP Season of Code 2009 - Applications - Proposal Type

2009-07-16T11:12:52Z

Marc Chisinevski: Asset management (asset identification, valuation and risk assessment based on ISO27005): integration with opensource Security Information Management systems is currently being discussed. Party manag

= Suggested Proposal Type =

{| border="0" align="center" style="width: 95%;"
|-
| align="center" colspan="2" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Suggested Proposal Type'''
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Description'''
| align="center" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''To be filled in below'''
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Applicant's Identification/Project Release Leader 
([[OWASP Season of Code 2009 - Applications - Proposal Type Applicant's Identification|''Please see specifications'']])

| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Marc Chisinevski 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Application Designation/Name
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | assetmng 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | First (proposed) Reviewer 
([[OWASP Season of Code 2009 - Applications - Proposal Type Applicant's Identification|''Please see specifications'']])

| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Kate Hartmann 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Application Security Issue Addressed
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Asset identification, valuation and risk assessment (ISO 27005) 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Prioritized area (''Please choose from'' [[OWASP Season of Code 2009#HOW_TO_PARTICIPATE_.28TO_DEVELOPERS.29|''here'']])
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Enterprise usability 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Project Release Roadmap
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Other Questions
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Please see: http://sourceforge.net/projects/assetmng/ 
|}

OWASP Season of Code 2009 - Applications - Proposal Type

2009-07-16T11:12:24Z

= Suggested Proposal Type =

{| border="0" align="center" style="width: 95%;"
|-
| align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="2" | '''Suggested Proposal Type'''
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Description'''
| align="center" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''To be filled in below'''
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Applicant's Identification/Project Release Leader 
([[OWASP Season of Code 2009 - Applications - Proposal Type Applicant's Identification|''Please see specifications'']])

| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Marc Chisinevski 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Application Designation/Name
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | assetmng 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | First (proposed) Reviewer 
([[OWASP Season of Code 2009 - Applications - Proposal Type Applicant's Identification|''Please see specifications'']])

| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Kate Hartmann 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Application Security Issue Addressed
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Asset identification, valuation and risk assessment (ISO 27005) 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Prioritized area (''Please choose from'' [[OWASP Season of Code 2009#HOW_TO_PARTICIPATE_.28TO_DEVELOPERS.29|''here'']])
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Enterprise usability 
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Project Release Roadmap
|-
| align="center" style="background: rgb(179, 179, 179) none repeat scroll 0% 0%; width: 30%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Other Questions
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 70%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Please see: http://sourceforge.net/projects/assetmng/ 
|}