OWASP - User contributions [en]

ORPRO-process

2009-02-08T15:54:11Z

Njama:

[[Image:ORPRO_process_detail_2.jpg]]

* '''Project intake'''
** ''PIN.01: Communication with open source project.'' Proposals for open source projects to be reviewed can be sent to one of the ORPRO project leads. Alternatively, the project actively approach open source projects. The open source project must provide at least one primary contact.
** ''PIN.02: Check entry criteria.'' The open source project will be checked against entry criteria. Entry criteria are:
*** it must be widely used
*** its license must allow independent security review
*** the open source project team should be in a position to remediate security defects that are discovered
*** the programming language must be supported by ORPRO's automated source code scanners and manual review team
** ''PIN.03: Risk assessment.'' Before conducting manual reviews we perform a risk assessment on the open source software. The steps taken are:
*** based on typical business use, conduct a business impact assessment (BIA): determine the maximum business impact of loss of confidentiality, loss of integrity and unavailability of the software under review;
*** using the results of the BIA, conduct a threat assessment. The results are
**** critical information assets processed by the software under review;
**** main threats for the software under review;
**** prioritized list of source code to be reviewed, highest risk first. In its simplest forms, the list might be based on source code files or directories. In many cases, other ways to address this may be more appropriate: examples are high risk use cases, API calls, and interfaces;
** ''PIN.04: Assemble team.'' The project leads assigns a review project lead and the lead can additionally assemble a team of reviewers. Reviewers may be involved with architecture review, automated scanning, and/or manual review.
* '''Architecture review'''
** ''ARR.01: Obtain architecture information.'' If available, request architecture document from Open Source Project. Otherwise assess architecture based on the source code.
** ''ARR.02: Review architecture.'' Review architecture for security defects.
** ''ARR.03: Document results.'' Architecture defects are documented and disclosed to the open source project. In case of serious flaws, the Open Review may end with an advise at this stage and will not continue with code review.
* '''Review'''
** '''Automated code review'''
*** ''ACR.01: Configure tooling.'' Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis.
*** ''ACR.02: Run tool on project.'' For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
*** ''ACR.03: Review findings.'' Defects discovered are manually reviewed.
*** ''ACR.04: Document results.'' Defects are communicated to the owners of the open source project for remediation.
** '''Manual code review'''
*** ''MCR.01: Configure tooling.'' For collaborating on manual reviews ORPRO will be setting up tooling. The tooling needs to be configured for the software under review.
*** ''MCR.02: Perform manual review.'' The manual review is being performed under supervision of the review project lead. The review project lead assigns source code to individual reviewers. The results from PI.03 (Risk assessment) have specified the prioritization of the reviews to be performed.
*** ''MCR.03: Document results.'' Identified defects are documented and reported to the owners of the open source project for remediation.
* '''Reporting'''
** ''REP.01: Report issues to project.'' Either reviewers or the open source project leaders responsibly disclose the identified security issues.
** ''REP.02: Final report at OWASP site.'' After finishing a review and having responsibly disclosed security defects ORPRO will document the results on the OWASP site for educational purposes. Apart from the defects being documented details should be made available on the coverage of automated and manual review and the specific defects found by either method.

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

File:ORPRO process detail 2.jpg

2009-02-08T15:43:39Z

Njama: uploaded a new version of "Image:ORPRO process detail 2.jpg"

File:ORPRO process detail 2.jpg

2009-02-08T15:41:59Z

Njama:

File:ORPRO process 3.jpg

2009-02-08T15:38:44Z

Njama:

Category:OWASP Open Review Project

2009-02-08T15:38:14Z

Njama: /* Open review process */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Open Review Project}}
[[Category:OWASP Project]]

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provides facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]. See the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ owasp.fortify.com FAQ] for more information.

== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
* Provide resources to the community to centrally manage the review of open source projects
* Engage in responsible disclosure of any security vulnerabilities discovered

== Project Planning ==
* Settle overlap between OWASP projects: August 2008 (completed)
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
* First reviews: October 2008 (ongoing: first project has been selected)

== Open review process ==
The high level process is as follows:

[[Image:ORPRO_process_3.jpg]]

Click [[ORPRO-process|here]] for a more detailed process description.

== Related OWASP Projects ==
The following OWASP projects have a direct relation with ORPRO:
* [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]

== News ==
* '''5 June 2008''' OWASP ORPRO launched
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].

Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

[[Category:OWASP Project]]

ORPRO-process

2009-02-08T14:38:08Z

Njama: Changes in RA

[[Image:ORPRO_process_detail_1.jpg]]

* '''Project intake'''
** ''PI.01: Communication with open source project.'' Proposals for open source projects to be reviewed can be sent to one of the ORPRO project leads. Alternatively, the project actively approach open source projects. The open source project must provide at least one primary contact.
** ''PI.02: Check entry criteria.'' The open source project will be checked against entry criteria. Entry criteria are:
*** it must be widely used
*** its license must allow independent security review
*** the open source project team should be in a position to remediate security defects that are discovered
*** the programming language must be supported by ORPRO's automated source code scanners and manual review team
** ''PI.03: Risk assessment.'' Before conducting manual reviews we perform a risk assessment on the open source software. The steps taken are:
*** based on typical business use, conduct a business impact assessment (BIA): determine the maximum business impact of loss of confidentiality, loss of integrity and unavailability of the software under review;
*** using the results of the BIA, conduct a threat assessment. The results are
**** critical information assets processed by the software under review;
**** main threats for the software under review;
**** prioritized list of source code to be reviewed, highest risk first. In its simplest forms, the list might be based on source code files or directories. In many cases, other ways to address this may be more appropriate: examples are high risk use cases, API calls, and interfaces;
** ''PI.04: Assemble team.'' The project leads assigns a review project lead and the lead can additionally assemble a team of reviewers. Reviewers may be involved with automated scanning, manual review, or both.
* '''Review'''
** '''Automated review'''
*** ''AR.01: Configure tooling.'' Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis.
*** ''AR.02: Run tool on project.'' For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
*** ''AR.03: Review findings.'' Defects discovered are manually reviewed.
*** ''AR.04: Document results.'' Defects are communicated to the owners of the open source project for remediation.
** '''Manual Review'''
*** ''MR.01: Configure tooling.'' For collaborating on manual reviews ORPRO will be setting up tooling. The tooling needs to be configured for the software under review.
*** ''MR.02: Perform manual review.'' The manual review is being performed under supervision of the review project lead. The review project lead assigns source code to individual reviewers. The results from PI.03 (Risk assessment) have specified the prioritization of the reviews to be performed.
*** ''MR.03: Document results.'' Identified defects are documented and reported to the owners of the open source project for remediation.
* '''Reporting'''
** ''RE.01: Report issues to project.'' Either reviewers or the open source project leaders responsibly disclose the identified security issues.
** ''RE.02: Final report at OWASP site.'' After finishing a review and having responsibly disclosed security defects ORPRO will document the results on the OWASP site for educational purposes. Apart from the defects being documented details should be made available on the coverage of automated and manual review and the specific defects found by either method.

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

ORPRO-process

2008-10-31T10:57:49Z

Njama:

[[Image:ORPRO_process_detail_1.jpg]]

* '''Project intake'''
** ''PI.01: Communication with open source project.'' Proposals for open source projects to be reviewed can be sent to one of the ORPRO project leads. Alternatively, the project actively approach open source projects. The open source project must provide at least one primary contact.
** ''PI.02: Check entry criteria.'' The open source project will be checked against entry criteria. Entry criteria are:
*** it must be widely used
*** its license must allow independent security review
*** the open source project team should be in a position to remediate security defects that are discovered
*** the programming language must be supported by ORPRO's automated source code scanners and manual review team
** ''PI.03: Risk assessment.'' Before conducting manual reviews we perform a risk assessment on the open source software. The minimum results must be:
*** main threats for the particular software
*** prioritized list of source code to be reviewed, highest risk first.
** ''PI.04: Assemble team.'' The project leads assigns a review project lead and the lead can additionally assemble a team of reviewers. Reviewers may be involved with automated scanning, manual review, or both.
* '''Review'''
** '''Automated review'''
*** ''AR.01: Configure tooling.'' Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis.
*** ''AR.02: Run tool on project.'' For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
*** ''AR.03: Review findings.'' Defects discovered are manually reviewed.
*** ''AR.04: Document results.'' Defects are communicated to the owners of the open source project for remediation.
** '''Manual Review'''
*** ''MR.01: Configure tooling.'' For collaborating on manual reviews ORPRO will be setting up tooling. The tooling needs to be configured for the software under review.
*** ''MR.02: Perform manual review.'' The manual review is being performed under supervision of the review project lead. The review project lead assigns source code to individual reviewers. The results from PI.03 (Risk assessment) have specified the prioritization of the reviews to be performed.
*** ''MR.03: Document results.'' Identified defects are documented and reported to the owners of the open source project for remediation.
* '''Reporting'''
** ''RE.01: Report issues to project.'' Either reviewers or the open source project leaders responsibly disclose the identified security issues.
** ''RE.02: Final report at OWASP site.'' After finishing a review and having responsibly disclosed security defects ORPRO will document the results on the OWASP site for educational purposes. Apart from the defects being documented details should be made available on the coverage of automated and manual review and the specific defects found by either method.

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

ORPRO-process

2008-10-31T10:38:09Z

Njama:

ORPRO-process

2008-10-31T10:30:31Z

Njama: Documented activities

[[Image:ORPRO_process_detail_1.jpg]]

* '''Project intake'''
** ''PI.01: Communication with Open source project.'' Proposals for open source projects to be reviewed can be sent to one of the ORPRO project leads.
** ''PI.02: Check entry criteria.'' The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
** ''PI.03: Risk assessment.''
** ''PI.04: Assemble team.'' The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* '''Review'''
** '''Automated review'''
*** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
*** ''AR.01: Configure tooling.''
*** ''AR.02: Run tool on project.''
*** ''AR.03: Review findings.''
*** ''AR.04: Document results.''
** '''Manual Review'''
*** ''MR.01: Configure tooling.''
*** ''MR.02: Perform manual review.''
*** ''MR.03: Document results.''
*** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
* '''Reporting'''
** ''RE.01: Report issues to project.'' Either reviewers or the open source project leaders responsibly disclose the identified security issues
** ''RE.02: Final report at OWASP site.''

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

File:ORPRO process detail 1.jpg

2008-10-31T10:05:39Z

Njama: Orpro detailed activities

Orpro detailed activities

ORPRO-process

2008-10-31T10:04:37Z

Njama:

[[Image:ORPRO_process_detail_1.jpg]]

* Project intake
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Team Development
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Review
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

File:ORPRO process 2.jpg

2008-10-31T10:03:10Z

Njama:

Category:OWASP Open Review Project

2008-10-31T10:02:44Z

Njama: /* Open review process */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Open Review Project}}
[[Category:OWASP Project]]

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provides facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]

== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
* Provide resources to the community to centrally manage the review of open source projects
* Engage in responsible disclosure of any security vulnerabilities discovered

== Project Planning ==
* Settle overlap between OWASP projects: August 2008 (completed)
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
* First reviews: October 2008 (ongoing: first project has been selected)

== Open review process ==
The high level process is as follows:

[[Image:ORPRO_process_2.jpg]]

Click [[ORPRO-process|here]] for a more detailed process description.

== Related OWASP Projects ==
The following OWASP projects have a direct relation with ORPRO:
* [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]

== News ==
* '''5 June 2008''' OWASP ORPRO launched
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].

Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

[[Category:OWASP Project]]

ORPRO-process

2008-10-31T08:51:04Z

Njama:

* Project intake
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Team Development
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Review
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

ORPRO-process

2008-10-31T08:43:40Z

Njama: New page: * Proposal ** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the...

* Proposal
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Team Development
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Review
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

Category:OWASP Open Review Project

2008-10-31T08:43:27Z

Njama: /* Open review process */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Open Review Project}}
[[Category:OWASP Project]]

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provides facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]

== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
* Provide resources to the community to centrally manage the review of open source projects
* Engage in responsible disclosure of any security vulnerabilities discovered

== Project Planning ==
* Settle overlap between OWASP projects: August 2008 (completed)
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
* First reviews: October 2008 (ongoing: first project has been selected)

== Open review process ==
The high level process is as follows:

[[Image:ORPRO_Process1.png]]

Click [[ORPRO-process|here]] for a more detailed process description.

== Related OWASP Projects ==
The following OWASP projects have a direct relation with ORPRO:
* [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]

== News ==
* '''5 June 2008''' OWASP ORPRO launched
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].

Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

[[Category:OWASP Project]]

Category:OWASP Open Review Project

2008-10-31T08:42:52Z

Njama: /* Open review process */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Open Review Project}}
[[Category:OWASP Project]]

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provides facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]

== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
* Provide resources to the community to centrally manage the review of open source projects
* Engage in responsible disclosure of any security vulnerabilities discovered

== Project Planning ==
* Settle overlap between OWASP projects: August 2008 (completed)
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
* First reviews: October 2008 (ongoing: first project has been selected)

== Open review process ==
The high level process is as follows:

[[Image:ORPRO_Process1.png]]

Click [[ORPRO-process|here]] for a more detailed process description.
* Proposal
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Team Development
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Review
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

== Related OWASP Projects ==
The following OWASP projects have a direct relation with ORPRO:
* [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]

== News ==
* '''5 June 2008''' OWASP ORPRO launched
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].

Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

[[Category:OWASP Project]]

Category:OWASP Open Review Project

2008-10-31T08:39:43Z

Njama: /* Open review process */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Open Review Project}}
[[Category:OWASP Project]]

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provides facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]

== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
* Provide resources to the community to centrally manage the review of open source projects
* Engage in responsible disclosure of any security vulnerabilities discovered

== Project Planning ==
* Settle overlap between OWASP projects: August 2008 (completed)
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
* First reviews: October 2008 (ongoing: first project has been selected)

== Open review process ==
The high level process is as follows:

[[Image:ORPRO_Process1.png]]

Click [here] for a more detailed process description.
* Proposal
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Team Development
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Review
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

== Related OWASP Projects ==
The following OWASP projects have a direct relation with ORPRO:
* [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]

== News ==
* '''5 June 2008''' OWASP ORPRO launched
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].

Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

[[Category:OWASP Project]]

File:ORPRO Process1.png

2008-10-31T08:36:46Z

Njama: High level process

High level process

Category:OWASP Open Review Project

2008-10-31T08:29:40Z

Njama: /* Project Planning */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Open Review Project}}
[[Category:OWASP Project]]

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provides facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]

== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
* Provide resources to the community to centrally manage the review of open source projects
* Engage in responsible disclosure of any security vulnerabilities discovered

== Project Planning ==
* Settle overlap between OWASP projects: August 2008 (completed)
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
* First reviews: October 2008 (ongoing: first project has been selected)

== Open review process ==
The high level process is as follows:
* Proposal
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Team Development
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Review
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

== Related OWASP Projects ==
The following OWASP projects have a direct relation with ORPRO:
* [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]

== News ==
* '''5 June 2008''' OWASP ORPRO launched
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].

Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

[[Category:OWASP Project]]

Category:OWASP Open Review Project

2008-10-31T08:27:55Z

Njama: /* Open review process */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Open Review Project}}
[[Category:OWASP Project]]

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provides facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]

== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
* Provide resources to the community to centrally manage the review of open source projects
* Engage in responsible disclosure of any security vulnerabilities discovered

== Project Planning ==
* Settle overlap between OWASP projects: August 2008 (completed)
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008
* First reviews: October 2008

== Open review process ==
The high level process is as follows:
* Proposal
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Team Development
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Review
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

== Related OWASP Projects ==
The following OWASP projects have a direct relation with ORPRO:
* [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]

== News ==
* '''5 June 2008''' OWASP ORPRO launched
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].

Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

[[Category:OWASP Project]]

Category:OWASP Open Review Project

2008-10-31T08:23:47Z

Njama: /* Overview */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Open Review Project}}
[[Category:OWASP Project]]

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provides facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]

== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
* Provide resources to the community to centrally manage the review of open source projects
* Engage in responsible disclosure of any security vulnerabilities discovered

== Project Planning ==
* Settle overlap between OWASP projects: August 2008 (completed)
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008
* First reviews: October 2008

== Open review process ==
The high level process is as follows:
* Proposal
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Team Development
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Review
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Either reviewers or the open source project leaders responsibly disclose the identified security issues

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

== News ==
* '''5 June 2008''' OWASP ORPRO launched
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].

Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

[[Category:OWASP Project]]

Category:OWASP Open Review Project

2008-08-01T08:20:28Z

Njama: /* Project Planning */

Category:OWASP Open Review Project

2008-08-01T07:53:46Z

Njama: /* Project Goals */

Category:OWASP Open Review Project

2008-06-06T18:31:44Z

Njama:

{{:Project Information:template Open Review Project}}

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

In the OWASP Open Review Project (ORPRO) we perform open reviews of open source projects. We focus on security, are independent, and use the excellent deliverables from other OWASP projects to achieve traceable assurance statements on the security of the code. Users, both end-users and organizations using open source in their products, may benefit from ORPRO’s results.

== Project Goals ==
* Independent security review of open source projects;
* Centrally managed review projects;
* Independent statement on what is reviewed and by whom, resulting in a form of assurance that the software is free from security bugs;
* Analysis not limited to code review, including digging into hard algorithms (compression, crypto, etc);
* Responsible disclosure of any security vulnerabilities discovered.

== News ==
'''5 June 2008''' OWASP ORPRO launched

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, php, etc and that have the audacity to review some of the most popular open source projects around.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project lead: [[User:Njama|Mario de Boer]].

Contributors: None yet, any help more than appreciated.

[[Category:OWASP Project]]

Category:OWASP Open Review Project

2008-06-05T19:44:12Z

Njama: /* Overview */

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.

In the OWASP Open Review Project (ORPRO) we perform open reviews of open source projects. We focus on security, are independent, and use the excellent deliverables from other OWASP projects to achieve traceable assurance statements on the security of the code. Users, both end-users and organizations using open source in their products, may benefit from ORPRO’s results.

== Project Goals ==
* Independent security review of open source projects;
* Centrally managed review projects;
* Independent statement on what is reviewed and by whom, resulting in a form of assurance that the software is free from security bugs;
* Analysis not limited to code review, including digging into hard algorithms (compression, crypto, etc);
* Responsible disclosure of any security vulnerabilities discovered.

== News ==
'''5 June 2008''' OWASP ORPRO launched

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, php, etc and that have the audacity to review some of the most popular open source projects around.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project lead: [[User:Njama|Mario de Boer]].

Contributors: None yet, any help more than appreciated.

Category:OWASP Open Review Project

2008-06-05T19:41:45Z

Njama: /* Project Goals */

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. And in our routers, our cars, our phones, everywhere...

In the OWASP Open Review Project (ORPRO) we perform open reviews of open source projects. We focus on security, are independent, and use the excellent deliverables from other OWASP projects to achieve traceable assurance statements on the security of the code. Users, both end-users and organizations using open source in their products, may benefit from ORPRO’s results.

== Project Goals ==
* Independent security review of open source projects;
* Centrally managed review projects;
* Independent statement on what is reviewed and by whom, resulting in a form of assurance that the software is free from security bugs;
* Analysis not limited to code review, including digging into hard algorithms (compression, crypto, etc);
* Responsible disclosure of any security vulnerabilities discovered.

== News ==
'''5 June 2008''' OWASP ORPRO launched

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, php, etc and that have the audacity to review some of the most popular open source projects around.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project lead: [[User:Njama|Mario de Boer]].

Contributors: None yet, any help more than appreciated.

User:Njama

2008-06-05T19:37:14Z

Njama:

Hi, my name is Mario de Boer. I am with the Dutch OWASP Chapter, and run the Open Review Project.

Please contact me at [mailto:njama@owasp.org njama@owasp.org].

Category:OWASP Open Review Project

2008-06-05T19:34:01Z

Njama: /* People */

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. And in our routers, our cars, our phones, everywhere...

In the OWASP Open Review Project (ORPRO) we perform open reviews of open source projects. We focus on security, are independent, and use the excellent deliverables from other OWASP projects to achieve traceable assurance statements on the security of the code. Users, both end-users and organizations using open source in their products, may benefit from ORPRO’s results.

== Project Goals ==
* Independent security review of open source projects;
* Centrally managed;
* Independent statement on what is reviewed and by whom, resulting in a form of assurance that the software is free from security bugs;
* Analysis not limited to code review, including digging into hard algorithms (compression, crypto, etc);
* Responsible disclosure of any security vulnerabilities discovered.

== News ==
'''5 June 2008''' OWASP ORPRO launched

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, php, etc and that have the audacity to review some of the most popular open source projects around.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project lead: [[User:Njama|Mario de Boer]].

Contributors: None yet, any help more than appreciated.

Category:OWASP Open Review Project

2008-06-05T19:30:05Z

Njama: /* Project Goals */

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. And in our routers, our cars, our phones, everywhere...

In the OWASP Open Review Project (ORPRO) we perform open reviews of open source projects. We focus on security, are independent, and use the excellent deliverables from other OWASP projects to achieve traceable assurance statements on the security of the code. Users, both end-users and organizations using open source in their products, may benefit from ORPRO’s results.

== Project Goals ==
* Independent security review of open source projects;
* Centrally managed;
* Independent statement on what is reviewed and by whom, resulting in a form of assurance that the software is free from security bugs;
* Analysis not limited to code review, including digging into hard algorithms (compression, crypto, etc);
* Responsible disclosure of any security vulnerabilities discovered.

== News ==
'''5 June 2008''' OWASP ORPRO launched

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, php, etc and that have the audacity to review some of the most popular open source projects around.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project lead: [[User:Mario de Boer|Mario de Boer]].

Contributors: None yet, any help more than appreciated.

Category:OWASP Open Review Project

2008-06-05T19:28:19Z

Njama: /* Overview */

== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. And in our routers, our cars, our phones, everywhere...

In the OWASP Open Review Project (ORPRO) we perform open reviews of open source projects. We focus on security, are independent, and use the excellent deliverables from other OWASP projects to achieve traceable assurance statements on the security of the code. Users, both end-users and organizations using open source in their products, may benefit from ORPRO’s results.

== Project Goals ==
* Independent security review of open source projects;
* Centrally managed;
* Independent statement on what is reviewed and by whom, leading a form of assurance that the software is free from security bugs;
* Analysis beyond code review, including digging into hard algorithms (compression, crypto, etc);
* Responsible disclosure of any security vulnerabilities discovered.

== News ==
'''5 June 2008''' OWASP ORPRO launched

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, php, etc and that have the audacity to review some of the most popular open source projects around.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project lead: [[User:Mario de Boer|Mario de Boer]].

Contributors: None yet, any help more than appreciated.

Category:OWASP Open Review Project

2008-06-05T19:25:37Z

Njama: Added some sections

== Overview ==
We are surrounded by open source. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. And in our routers, our cars, our phones, everywhere...
In the OWASP Open Review Project (ORPRO) we perform open reviews of open source projects. We focus on security, are independent, and use the excellent deliverables from other OWASP projects to achieve traceable assurance statements on the security of the code. Users, both individuals and integrators, may benefit from ORPRO’s results.

== Project Goals ==
* Independent security review of open source projects;
* Centrally managed;
* Independent statement on what is reviewed and by whom, leading a form of assurance that the software is free from security bugs;
* Analysis beyond code review, including digging into hard algorithms (compression, crypto, etc);
* Responsible disclosure of any security vulnerabilities discovered.

== News ==
'''5 June 2008''' OWASP ORPRO launched

== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, php, etc and that have the audacity to review some of the most popular open source projects around.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].

== People ==
Project lead: [[User:Mario de Boer|Mario de Boer]].

Contributors: None yet, any help more than appreciated.

Category:OWASP Open Review Project

2008-06-05T19:12:53Z

Njama:

Category:OWASP Open Review Project RoadMap

2008-06-05T19:00:40Z

Njama: Removed contents: was old mail, now on main page

User:Njama

2008-06-04T19:18:14Z

Njama: Njama's first info

Hi, my name is Mario de Boer. I am with the Dutch OWASP Chapter, and run the Open Review Project.