OWASP - User contributions [en]

GSOC2018 Ideas

2018-02-16T06:28:36Z

Sauriti: adding BLT

'''OWASP Foundation has been selected as an organization to be part of the GOOGLE SUMMER CODE 2018'''

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.
===Active Scanning WebSockets===
'''Brief Explanation:'''

ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.

We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.

'''Expected Results:'''
* An plugable infrastructure that allows us to active scan websockets
* Converting the relevant existing scan rules to work with websockets
* Implementing new websocket specific scan rules

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== React Handling ===
'''Brief Explanation:'''

ZAP doesnt understand React applications as well as it should be able to.

It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.

'''Expected Results:'''
* ZAP able to explore React applications more effectively
* ZAP able to attack React applications more effectively

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated authentication detection and configuration ===
'''Brief Explanation:'''

Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>

This is time consuming and error prone.

Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.

'''Expected Results:'''
* Detect login and registration pages
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
* An option to completely automate the authentication process, for as many authentication mechanisms as possible

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
'''Brief Explanation:'''

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

'''Expected Results:'''
* A documented definition of a text representation for Zest
* A parser that converts the text representation into a working Zest script
* An option in the Zest java implementation to output Zest scripts text format

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Develop Bamboo Addon ===
'''Brief Explanation:'''

It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]

For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].

'''Expected Results:'''

A Bamboo addon that supports:
* Spidering (using the traditional and Ajax spiders)
* Active Scanning
* Authentication

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our Development Rules and Guidelines

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2018 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Frontend Technology Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target client-architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, testing and building

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== UI/Graphics Design Update ===

'''Brief Explanation:'''

The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.

'''Expected Results:'''
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way

''' Getting started: '''
* Get familiar with the existing HTML views and CSS of the frontend
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites

'''Knowledge Prerequisites:'''
* Strong web and graphic design experience
* Sophisticated HTML and CSS experience

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP Security Knowledge Framework - Chatbot machine learning feature==

=== Brief Explanation ===
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.

The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.

The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.

=== Expected Results ===
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.
# A Chatbot (using existing frameworks) to:
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.
## Based on enriched query fetch relevant information from knowledge base and return.
# An integration to some chat system like Gitter.im, IRC, Slack etc.

=== Knowledge Prerequisites ===
* Programming languages:
** OWASP-SKF API is build in Python 3.6/3.7
** OWASP-SKF Frontend is build with Angular 4 TS
* Machine learning enthusiastic/interest

=== Proposal from student ===
* We want to ask from the student to write a proposal on how to approach the problem we described.
'''Mentors''':

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]

==OWASP Nettacker==
===Brief Explanation===
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).

===Getting started===

* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.

'''A Better Penetration Testing Automated Framework'''

===Expected Results===
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.

===Knowledge Prerequisites===

* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.
* Good knowledge of computer security (and penetration testing)
* Knowledge of OS (Linux, Windows, Mac...) and Services
* Familiar with IDS/IPS/Firewalls and ...
* To develop the API you should be familiar with HTTP, Database...

===Mentors===
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP CSRF Protector ==
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form.
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===
'''Brief explanation:'''

The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.

Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;

The goal of this project would be to:
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues]
'''Expected results:'''
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)

'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]

== OWASP Code Review Guide ==
===Brief Explanation:===

OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.

Check OWASP Code Review Guide [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;

===Needs:===
'''Techincal writers'''

===Expected Results:===
* Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide
* Move work in pdf and Adobe InDesign to GitBook format
* Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format

===Knowledge Prerequisite:===
Good techincal writting skills, Adode InDesign

===Proposals from student:===
* Proposal on different formats to use to help increase the awareness and use of the OWASP Code Review Guide
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management

'''Mentors:'''
* Gary Robinson [mailto:Gary.Robinson@owasp.org] - OWASP Code Review Guide Project Leader

* Larry Conklin [mailto:Larry.Conklin@owasp.org] Larry Conklin - OWASP Code Review Guide Project Leader

== OWASP BLT (Bug Logging Tool) ==
===Brief Explanation:===

BLT lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

Check OWASP WIKI PAGE [https://www.owasp.org/index.php/OWASP_Bug_Logging_Tool] for some reference;

===Expected Results:===
* Fuse app to allow easy bug reporting from phone.
* BUG cryptocurrency rewarded for each bug reported - requires a way to verify bugs are valid and not duplicates
* Allow for companies to do private (paid) bug bounties
* allow for bug reporting via email
* build a referral program
* integrate an idea / suggestion feature

===Knowledge Prerequisite:===
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. Fusetools will be used for the app and C++ (Bitcoin based) or Ethereum will be used for the cryptocurrency part.

===Proposals from student:===
* Proposal on new features
* Recommendations on how to use social applications to promote OWASP BLT

'''Mentors:'''
* Sean Auriti [https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

Brooklyn

2017-09-14T23:59:59Z

Sauriti: updated member list

{{Chapter Template|chaptername=Brooklyn|extra=

Chapter Leaders:
* [mailto:Bev.corwin@owasp.org Bev Corwin, Founder]
* [mailto:Nicole.Becher@owasp.org Nicole Becher]
* [mailto:nwhysel@owasp.org Noreen Whysel]

------------------------------------

* Israel Bryski, Founder Emeritus
* Donald Gooden, Founder Emeritus

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-brooklyn|emailarchives=http://lists.owasp.org/pipermail/owasp-brooklyn}}

'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings. Our next OWASP Brookyn Chapter Meeting is posted on our meetup site:
https://www.meetup.com/OWASP-Brooklyn/

== Local News ==

'''OWASP Brooklyn Sponsors:'''

CipherTechs: https://www.ciphertechs.com

'''Ask your OWASP Brooklyn Chapter Leader how you can volunteer for amazing open source projects that call OWASP Brooklyn Chapter "Home":'''

1. OWASP Learning Gateway Project: https://www.owasp.org/index.php/OWASP_Learning_Gateway_Project#OWASP_Learning_Gateway_Project

2. OWASP NNI Initiative: [[OWASP NNI Initiative|https://www.owasp.org/index.php/OWASP_NNI_Initiative]]

3. KBAPM Project: https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project

4. OWASP BLT Project: https://www.owasp.org/index.php/OWASP_Bug_Logging_Tool

5. OWASP Secure Medical Device Deployment Standard: [[OWASP Secure Medical Device Deployment Standard|https://www.owasp.org/index.php/OWASP_Secure_Medical_Device_Deployment_Standard]]

6. OWASP VICNUM Project: https://www.owasp.org/index.php/OWASP_Vicnum_Project

'''Everyone is welcome to attend OWASP Brooklyn Chapter Meeting Meetups:''' http://www.meetup.com/OWASP-Brooklyn/

'''OWASP Brooklyn Twitter:''' https://twitter.com/OWASPBrooklyn

The OWASP Learning Gateway Project Team presented at the Gateway's Conference: http://sciencegateways.org/gateways2016/#news

[[Category:OWASP Chapter]]
[[Category:New York]]

2017-02-23T19:53:39Z

Sauriti: /* Project Resources */

GSOC2017 Ideas

2017-01-23T14:41:45Z

Sauriti:

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Scripting Code Completion ===

ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.

''' Expected Results '''

* Code completion for all of the parameters for all available functions in the standard scripts
* Implementations for JavaScript, JRuby and Jython
* Helper classes with code completion for commonly required functionality
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

=== Your idea ===

'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

'''Knowledge Prerequisites:'''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

GSOC2017 Ideas

2017-01-23T14:41:10Z

Sauriti:

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Scripting Code Completion ===

ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.

''' Expected Results '''

* Code completion for all of the parameters for all available functions in the standard scripts
* Implementations for JavaScript, JRuby and Jython
* Helper classes with code completion for commonly required functionality
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== BLT / Bugheist ===

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

=== Your idea ===

'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

'''Knowledge Prerequisites:'''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

Projects/OWASP BLT/Releases/Current

2017-01-21T02:23:36Z

Sauriti: Created page with "https://github.com/Bugheist/website/releases/tag/v0.5"

https://github.com/Bugheist/website/releases/tag/v0.5

OWASP Bug Logging Tool

2017-01-21T02:23:13Z

Sauriti: /* Project About */

OWASP Bug Logging Tool

2017-01-20T22:56:47Z

Sauriti:

OWASP Learning Gateway Project

2017-01-20T00:30:17Z

Sauriti:

=Main=

==OWASP Learning Gateway Project==

The OWASP Learning Gateway Project is developing a platform that is adaptable to self directed, collaborative learning needs and user requirements of a global community of technology learners. The gateway will offer learning pathways that connect learners with mentors and experiential knowledge and wisdom for success. Our goal is to be a successful OWASP and Gateways Project for the benefit of our community members while implementing User Directed Development methodologies.

== Sponsorship/Membership ==

[[Image:Btn_donate_SM.gif|link=http://www.regonline.com/donation_1044369]] to this project or become a local OWASP Brooklyn chapter supporter.

Or consider the value of OWASP Brooklyn [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://myowasp.force.com/]]

[[Category:OWASP Chapter]]

==Description==


OWASP Learning Gateway Project will be a connected, collaborative learning platform to support the OWASP Education Committee, Mentor Initiative, and WIA (Women in AppSec). We are currently working on a framework for the platform development.

==Licensing==
This program is free software available on Github: https://github.com/OWASP/OWASP-Learning-Gateway: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Learning Gateway Project and any contributions are Copyright © by {Bev Corwin, Noreen Whysel, Sean Auriti, John Uhlmer, Janine Medina, Michael Heger, Zoe Braiterman, Daniela Pierra and OWASP Foundation} {2016}.

== Project Resources ==
OWASPLearningGateway.org,
LearningGateways.org,
Science Gateways Institute,
Xsede Gateways,
Gateways 2016

== Project Chapter ==
[mailto:bev.corwin@owasp.org OWASP Brooklyn]

== Project Leaders ==
[mailto:bev.corwin@owasp.org Bev Corwin, Project Leader],
[mailto:daniela.pirrera@owasp.org Daniela Pirrera, Co-Project Leader]

== Team Leaders ==
[mailto:nwhysel@owasp.org Noreen Whysel],
[mailto:sean.auriti@owasp.org Sean Auriti],
[mailto:john.ulmer@owasp.org John Ulmer],
[mailto:michael.heger@owasp.org Michael Heger],
[mailto:janine.medina@owasp.org Janine Medina],
Zoe Braiterman

== Related Projects ==

* [[OWASP_Education_Committee|OWASP Education Committee]]
* [[OWASP Mentor Committee|OWASP Mentor Committee]]
* [[OWASP Research Committee |OWASP Research Committee]]
* [[OWASP WIA (Women in AppSec) Committee|OWASP WIA (Women in AppSec) Committee]]
* [[OWASP Virtual Village Project|OWASP Virtual Village Project]]
* [[OWASP Training|OWASP Training]]
* [[OWASP Academies|OWASP Academies]]
* [[OWASP Winter_Code_Sprint|OWASP Winter Code Sprint]]
* [[OWASP Media Project|OWASP Media Project]]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

== News and Events ==

10/19/2016: OWASP Learning Gateway Team Leaders receive travel grant for the Gateways 2016 Conference: http://sciencegateways.org/gateways2016/ . Congratulations Team Leaders!

10/15/2016: OWASP Learning Gateway was selected to present at the Gateways 2016 Conference: http://sciencegateways.org/gateways2016/

=FAQs=

==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =
==Volunteers==

The OWASP Learning Gateway project is developed by a worldwide team of volunteers.

The first contributors to the project were:
Bev Corwin,
Noreen Whysel,
Sean Auriti,
John Uhlmer,
Janine Medina,
Michael Heger

= Road Map and Getting Involved =
==Roadmap==
As of November, 2016, the highest priorities for the next 6 months are:

* Get other people to review the Code Project Template and provide feedback
* [[UX Research Plan https://github.com/bevcorwin/OLP/issues/39]]
* Incorporate feedback into changes in the Code Project Template
* Finalize the Code Project template and have it reviewed
* Develop a mockup for the look and feel of all pages of the site
* Setup the Datamodel (80% done)
* Develop Sitemap
* Setup a feedback system
* Design & Setup API
* Develop API Strategy and Framework
* Implement Internationalization Support
* Add Unit Tests for critical procedures:
** signup
** integrate courses
** connect to mentor
* integrate gotomeeting
* Transfer project to a Github Organization
* Develop privacy policy
--
Completed
* Complete the first draft of the Code Project Template (done)


==Getting Involved==
Involvement in the development and promotion of Code Project Template is actively encouraged!
You do not have to be a security expert or a programmer to contribute.
Some of the ways you can help are as follows:
===Coding===
We could implement some of the later items on the roadmap sooner if someone wanted to help out with unit or automated regression tests
===Grants===
https://www.owasp.org/images/4/4b/Learning-Gateway-Proposal-Gateways2016-submissions.pdf

===Financials and Resources===
https://docs.google.com/spreadsheets/d/1C73YMjMCpkh1g9-R4D_6e_u_Q5SpZBKSIl6yR29-fUw/edit#gid=0

===Whiteboard===
https://www.owasp.org/images/e/ea/Unnamed.jpg

===Localization===
Are you fluent in another language? Can you help translate the text strings in the Code Project Template into that language?
===Testing===
Do you have a flair for finding bugs in software? We want to product a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.
===Feedback===
Please use the [https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/owasp_learning_gateway OWASP Learning Gateway Discussion List] for feedback about:
<ul>
<li>What do you like?</li>
<li>What don't you like?</li>
<li>What features would you like to see prioritized on the roadmap?</li>
</ul>

=Minimum Viable Product=
The Code Project Template must specify the minimum set of tabs a project should have, provide some an example layout on each tab, provide instructional text on how a project leader should modify the tab, and give some example text that illustrates how to create an actual project.

It would also be ideal if the sample text was translated into different languages.

=Project About=
The OWASP Learning Gateway Project is developing a platform that is adaptable to the learning needs and user requirements of a global community of technology learners. The gateway will offer learning pathways that connect learners with mentors and knowledge needed to be successful. Our goal is to be a successful OWASP and Gateways Project.

File:Unnamed.jpg

2017-01-20T00:28:37Z

Sauriti: Sauriti uploaded a new version of "File:Unnamed.jpg"

OWASP Learning Gateway Project

2017-01-20T00:21:29Z

Sauriti:

=Main=

==OWASP Learning Gateway Project==

The OWASP Learning Gateway Project is developing a platform that is adaptable to self directed, collaborative learning needs and user requirements of a global community of technology learners. The gateway will offer learning pathways that connect learners with mentors and experiential knowledge and wisdom for success. Our goal is to be a successful OWASP and Gateways Project for the benefit of our community members while implementing User Directed Development methodologies.

== Sponsorship/Membership ==

[[Image:Btn_donate_SM.gif|link=http://www.regonline.com/donation_1044369]] to this project or become a local OWASP Brooklyn chapter supporter.

Or consider the value of OWASP Brooklyn [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://myowasp.force.com/]]

[[Category:OWASP Chapter]]

==Description==


OWASP Learning Gateway Project will be a connected, collaborative learning platform to support the OWASP Education Committee, Mentor Initiative, and WIA (Women in AppSec). We are currently working on a framework for the platform development.

==Licensing==
This program is free software available on Github: https://github.com/OWASP/OWASP-Learning-Gateway: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Learning Gateway Project and any contributions are Copyright © by {Bev Corwin, Noreen Whysel, Sean Auriti, John Uhlmer, Janine Medina, Michael Heger, Zoe Braiterman, Daniela Pierra and OWASP Foundation} {2016}.

== Project Resources ==
OWASPLearningGateway.org,
LearningGateways.org,
Science Gateways Institute,
Xsede Gateways,
Gateways 2016

== Project Chapter ==
[mailto:bev.corwin@owasp.org OWASP Brooklyn]

== Project Leaders ==
[mailto:bev.corwin@owasp.org Bev Corwin, Project Leader],
[mailto:daniela.pirrera@owasp.org Daniela Pirrera, Co-Project Leader]

== Team Leaders ==
[mailto:nwhysel@owasp.org Noreen Whysel],
[mailto:sean.auriti@owasp.org Sean Auriti],
[mailto:john.ulmer@owasp.org John Ulmer],
[mailto:michael.heger@owasp.org Michael Heger],
[mailto:janine.medina@owasp.org Janine Medina],
Zoe Braiterman

== Related Projects ==

* [[OWASP_Education_Committee|OWASP Education Committee]]
* [[OWASP Mentor Committee|OWASP Mentor Committee]]
* [[OWASP Research Committee |OWASP Research Committee]]
* [[OWASP WIA (Women in AppSec) Committee|OWASP WIA (Women in AppSec) Committee]]
* [[OWASP Virtual Village Project|OWASP Virtual Village Project]]
* [[OWASP Training|OWASP Training]]
* [[OWASP Academies|OWASP Academies]]
* [[OWASP Winter_Code_Sprint|OWASP Winter Code Sprint]]
* [[OWASP Media Project|OWASP Media Project]]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

== News and Events ==

10/19/2016: OWASP Learning Gateway Team Leaders receive travel grant for the Gateways 2016 Conference: http://sciencegateways.org/gateways2016/ . Congratulations Team Leaders!

10/15/2016: OWASP Learning Gateway was selected to present at the Gateways 2016 Conference: http://sciencegateways.org/gateways2016/

=FAQs=

==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =
==Volunteers==

The OWASP Learning Gateway project is developed by a worldwide team of volunteers.

The first contributors to the project were:
Bev Corwin,
Noreen Whysel,
Sean Auriti,
John Uhlmer,
Janine Medina,
Michael Heger

= Road Map and Getting Involved =
==Roadmap==
As of November, 2016, the highest priorities for the next 6 months are:

* Get other people to review the Code Project Template and provide feedback
* [[UX Research Plan https://github.com/bevcorwin/OLP/issues/39]]
* Incorporate feedback into changes in the Code Project Template
* Finalize the Code Project template and have it reviewed
* Develop a mockup for the look and feel of all pages of the site
* Setup the Datamodel (80% done)
* Develop Sitemap
* Setup a feedback system
* Design & Setup API
* Develop API Strategy and Framework
* Implement Internationalization Support
* Add Unit Tests for critical procedures:
** signup
** integrate courses
** connect to mentor
* integrate gotomeeting
* Transfer project to a Github Organization
* Develop privacy policy
--
Completed
* Complete the first draft of the Code Project Template (done)


==Getting Involved==
Involvement in the development and promotion of Code Project Template is actively encouraged!
You do not have to be a security expert or a programmer to contribute.
Some of the ways you can help are as follows:
===Coding===
We could implement some of the later items on the roadmap sooner if someone wanted to help out with unit or automated regression tests
===Grants===
https://www.owasp.org/images/4/4b/Learning-Gateway-Proposal-Gateways2016-submissions.pdf

===Financials and Resources===
https://docs.google.com/spreadsheets/d/1C73YMjMCpkh1g9-R4D_6e_u_Q5SpZBKSIl6yR29-fUw/edit#gid=0

===Localization===
Are you fluent in another language? Can you help translate the text strings in the Code Project Template into that language?
===Testing===
Do you have a flair for finding bugs in software? We want to product a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.
===Feedback===
Please use the [https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/owasp_learning_gateway OWASP Learning Gateway Discussion List] for feedback about:
<ul>
<li>What do you like?</li>
<li>What don't you like?</li>
<li>What features would you like to see prioritized on the roadmap?</li>
</ul>

=Minimum Viable Product=
The Code Project Template must specify the minimum set of tabs a project should have, provide some an example layout on each tab, provide instructional text on how a project leader should modify the tab, and give some example text that illustrates how to create an actual project.

It would also be ideal if the sample text was translated into different languages.

=Project About=
The OWASP Learning Gateway Project is developing a platform that is adaptable to the learning needs and user requirements of a global community of technology learners. The gateway will offer learning pathways that connect learners with mentors and knowledge needed to be successful. Our goal is to be a successful OWASP and Gateways Project.

File:Learning-Gateway-Proposal-Gateways2016-submissions.pdf

2017-01-20T00:20:02Z

Sauriti: Learning Gateway Proposal Gateways2016 submissions

Learning Gateway Proposal Gateways2016 submissions

OWASP Bug Logging Tool

2017-01-19T03:09:42Z

Sauriti: /* Project About */

OWASP Bug Logging Tool

2017-01-19T03:08:40Z

Sauriti: /* Project About */

OWASP Learning Gateway Project

2017-01-05T22:46:40Z

Sauriti: /* Roadmap */

=Main=

==OWASP Learning Gateway Project==

The OWASP Learning Gateway Project is developing a platform that is adaptable to self directed, collaborative learning needs and user requirements of a global community of technology learners. The gateway will offer learning pathways that connect learners with mentors and experiential knowledge and wisdom for success. Our goal is to be a successful OWASP and Gateways Project for the benefit of our community members while implementing User Directed Development methodologies.

== Sponsorship/Membership ==

[[Image:Btn_donate_SM.gif|link=http://www.regonline.com/donation_1044369]] to this project or become a local OWASP Brooklyn chapter supporter.

Or consider the value of OWASP Brooklyn [[Membership | Individual, Corporate, or Academic Supporter membership]]. Ready to become a member? [[Image:Join_Now_BlueIcon.JPG|75px|link=https://myowasp.force.com/]]

[[Category:OWASP Chapter]]

==Description==


OWASP Learning Gateway Project will be a connected, collaborative learning platform to support the OWASP Education Committee, Mentor Initiative, and WIA (Women in AppSec). We are currently working on a framework for the platform development.

==Licensing==
This program is free software available on Github: https://github.com/OWASP/OWASP-Learning-Gateway: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Learning Gateway Project and any contributions are Copyright © by {Bev Corwin, Noreen Whysel, Sean Auriti, John Uhlmer, Janine Medina, Michael Heger, Zoe Braiterman, Daniela Pierra and OWASP Foundation} {2016}.

== Project Resources ==
OWASPLearningGateway.org,
LearningGateways.org,
Science Gateways Institute,
Xsede Gateways,
Gateways 2016

== Project Chapter ==
[mailto:bev.corwin@owasp.org OWASP Brooklyn]

== Project Leaders ==
[mailto:bev.corwin@owasp.org Bev Corwin, Project Leader],
[mailto:daniela.pirrera@owasp.org Daniela Pirrera, Co-Project Leader]

== Team Leaders ==
[mailto:nwhysel@owasp.org Noreen Whysel],
[mailto:sean.auriti@owasp.org Sean Auriti],
[mailto:john.ulmer@owasp.org John Ulmer],
[mailto:michael.heger@owasp.org Michael Heger],
[mailto:janine.medina@owasp.org Janine Medina]

== Related Projects ==

* [[OWASP_Education_Committee|OWASP Education Committee]]
* [[OWASP Mentor Committee|OWASP Mentor Committee]]
* [[OWASP Research Committee |OWASP Research Committee]]
* [[OWASP WIA (Women in AppSec) Committee|OWASP WIA (Women in AppSec) Committee]]
* [[OWASP Virtual Village Project|OWASP Virtual Village Project]]
* [[OWASP Training|OWASP Training]]
* [[OWASP Academies|OWASP Academies]]
* [[OWASP Winter_Code_Sprint|OWASP Winter Code Sprint]]
* [[OWASP Media Project|OWASP Media Project]]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

== News and Events ==

10/19/2016: OWASP Learning Gateway Team Leaders receive travel grant for the Gateways 2016 Conference: http://sciencegateways.org/gateways2016/ . Congratulations Team Leaders!

10/15/2016: OWASP Learning Gateway was selected to present at the Gateways 2016 Conference: http://sciencegateways.org/gateways2016/

=FAQs=

==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =
==Volunteers==

The OWASP Learning Gateway project is developed by a worldwide team of volunteers.

The first contributors to the project were:
Bev Corwin,
Noreen Whysel,
Sean Auriti,
John Uhlmer,
Janine Medina,
Michael Heger

= Road Map and Getting Involved =
==Roadmap==
As of November, 2016, the highest priorities for the next 6 months are:

* Get other people to review the Code Project Template and provide feedback
* [[UX Research Plan https://github.com/bevcorwin/OLP/issues/39]]
* Incorporate feedback into changes in the Code Project Template
* Finalize the Code Project template and have it reviewed
* Develop a mockup for the look and feel of all pages of the site
* Setup the Datamodel (80% done)
* Develop Sitemap
* Setup a feedback system
* Design & Setup API
* Develop API Strategy and Framework
* Implement Internationalization Support
* Add Unit Tests for critical procedures:
** signup
** integrate courses
** connect to mentor
* integrate gotomeeting
* Transfer project to a Github Organization
* Develop privacy policy
--
Completed
* Complete the first draft of the Code Project Template (done)


==Getting Involved==
Involvement in the development and promotion of Code Project Template is actively encouraged!
You do not have to be a security expert or a programmer to contribute.
Some of the ways you can help are as follows:
===Coding===
We could implement some of the later items on the roadmap sooner if someone wanted to help out with unit or automated regression tests
===Localization===
Are you fluent in another language? Can you help translate the text strings in the Code Project Template into that language?
===Testing===
Do you have a flair for finding bugs in software? We want to product a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.
===Feedback===
Please use the [https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/owasp_learning_gateway OWASP Learning Gateway Discussion List] for feedback about:
<ul>
<li>What do you like?</li>
<li>What don't you like?</li>
<li>What features would you like to see prioritized on the roadmap?</li>
</ul>

=Minimum Viable Product=
The Code Project Template must specify the minimum set of tabs a project should have, provide some an example layout on each tab, provide instructional text on how a project leader should modify the tab, and give some example text that illustrates how to create an actual project.

It would also be ideal if the sample text was translated into different languages.

=Project About=
The OWASP Learning Gateway Project is developing a platform that is adaptable to the learning needs and user requirements of a global community of technology learners. The gateway will offer learning pathways that connect learners with mentors and knowledge needed to be successful. Our goal is to be a successful OWASP and Gateways Project.

OWASP Learning Gateway Project

2017-01-05T22:39:39Z

OWASP Learning Gateway Project

2016-10-19T16:35:19Z

Sauriti: adding roadmap

=Main=

==OWASP Learning Gateway Project==

The OWASP Learning Gateway Project proposes developing a platform that is adaptable to the learning needs and user requirements of a global community of technology learners. The gateway will offer learning pathways that connect learners with mentors and knowledge needed to be successful. Our ultimate goal is to be a successful Science Gateways Incubation Project.

==Description==


OWASP Learning Gateway Project will be a connected, collaborative learning platform to support the OWASP Education Committee, Mentor Initiative, and WIA (Women in AppSec). We are currently working on a framework for the platform development.

==Licensing==
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP Learning Gateway Project and any contributions are Copyright © by {Bev Corwin, Noreen Whysel, Sean Auriti, Christie Ewen, John Uhlmer, Janine Medina, Lisa Ly and OWASP Foundation} {2016}.

== Project Resources ==
Science Gateways Institute,
Xsede Gateways,
Gateways 2016

== Project Leader ==
[mailto:bev.corwin@owasp.org Bev Corwin]

== Team Leaders ==
[mailto:noreen.whysel@owasp.org Noreen Whysel],
[mailto:sean.auriti@owasp.org Sean Auriti],
John Uhlmer,
Christie Ewen,
Janine Medina,
Lisa Ly

== Related Projects ==

* [[OWASP_Education_Committee|OWASP Education Committee]]
* [[OWASP Mentor Committee|OWASP Mentor Committee]]
* [[OWASP Research Committee |OWASP Research Committee]]
* [[OWASP Virtual Village Project|OWASP Virtual Village Project]]
* [[OWASP WIA (Women in AppSec) Committee|OWASP WIA (Women in AppSec) Committee]]
* [[OWASP Training|OWASP Training]]
* [[OWASP Academies|OWASP Academies]]
* [[OWASP Winter_Code_Sprint|OWASP Winter Code Sprint]]
* [[OWASP Media Project|OWASP Media Project]]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

== News and Events ==

10/19/2016: OWASP Learning Gateway Team Leaders receive travel grant for the Gateways 2016 Conference: http://sciencegateways.org/gateways2016/ . Congratulations Team Leaders!

10/15/2016: OWASP Learning Gateway was selected to present at the Gateways 2016 Conference: http://sciencegateways.org/gateways2016/

=FAQs=

==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =
==Volunteers==

The OWASP Learning Gateway project is developed by a worldwide team of volunteers.

The first contributors to the project were:
Bev Corwin,
Noreen Whysel,
Sean Auriti,
John Uhlmer,
Christie Ewen,
Janine Medina,
Lisa Ly

= Road Map and Getting Involved =
==Roadmap==
As of November, 2016, the highest priorities for the next 6 months are:

* Complete the first draft of the Code Project Template (done)
* Get other people to review the Code Project Template and provide feedback
* Incorporate feedback into changes in the Code Project Template
* Finalize the Code Project template and have it reviewed
* Develop a mockup for the look and feel of all pages of the site
* Setup the Datamodel
* Develop Sitemap
* Setup a feedback system
* Setup API
* Develop API Strategy and Framework
* Implement Internationalization Support
* Add Unit Tests for critical procedures:
** signup
** create a course
** connect to mentor
* integrate gotomeeting
* Transfer project to a Github Organization


==Getting Involved==
Involvement in the development and promotion of Code Project Template is actively encouraged!
You do not have to be a security expert or a programmer to contribute.
Some of the ways you can help are as follows:
===Coding===
We could implement some of the later items on the roadmap sooner if someone wanted to help out with unit or automated regression tests
===Localization===
Are you fluent in another language? Can you help translate the text strings in the Code Project Template into that language?
===Testing===
Do you have a flair for finding bugs in software? We want to product a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.
===Feedback===
Please use the [https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/owasp_learning_gateway OWASP Learning Gateway Discussion List] for feedback about:
<ul>
<li>What do you like?</li>
<li>What don't you like?</li>
<li>What features would you like to see prioritized on the roadmap?</li>
</ul>

=Minimum Viable Product=
The Code Project Template must specify the minimum set of tabs a project should have, provide some an example layout on each tab, provide instructional text on how a project leader should modify the tab, and give some example text that illustrates how to create an actual project.

It would also be ideal if the sample text was translated into different languages.

=Project About=
The OWASP Learning Gateway Project proposes developing a platform that is adaptable to the learning needs and user requirements of a global community of technology learners. The gateway will offer learning pathways that connect learners with mentors and knowledge needed to be successful. Our ultimate goal is to be a successful Science Gateways Incubation Project.

Talk:OWASP Coderbounty Project

2016-04-12T04:48:48Z

Sauriti: /* Project Resources */

=Main=
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Coderbounty==

The OWASP Coderbounty project aims to accelerate development of projects through gamification within OWASP by placing bounties on Github issues, cheat sheets writing code and related tasks while keeping security in mind. OWASP Coderbounty is not a "Bug Bounty" platform that encourages users to find bugs. It is more of a project management software that allows users to hire developers to complete coding tasks.

A proposed functionality of Coderbounty in conjunction with OWASP is that Projects can accumulate points for each bounty offer and in this way their money spent into running a bounties can increase.

30% of the 10% earned commission will go to the Flagship/LAB projects budget for running bounties.
Another possibility is that 10% of the full bounty goes to OWASP.

==Description==
Coderbounty accelerates software development in the open source community. We connect developers who want to make money with software creators. Coderbounty makes it easy to get your issues fixed for a low cost. Developers compete for the cash prize, i.e. bounty, to get the issue done fast.

Open source software used to require developers to donate their time to help out a project. Now, with Coderbounty, they can earn money. When project managers need to add a feature to an open source program, they can add the issue and post a bounty that will attract coders to complete it. Coderbounty is the best way to get open source code issues solved and supports innovation in the open source and software industry.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP XXX and any contributions are Copyright © by {the Project Leader(s) or OWASP} {Year(s)}.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://www.coderbounty.com/ Coderbounty.com]

[http://www.coderbounty.com/help/ FAQ]

[https://coderbounty-slackin.herokuapp.com/ Slack]

[https://coderbounty.uservoice.com/forums/139944-general-feedback Feedback]

[https://drive.google.com/a/alphaonelabs.com/folderview?id=0B27eQuixxEoiNWhIT2ZQeVhJaW8&usp=sharing# Drive]

[https://github.com/CoderBounty/coderbounty/ Source]

[https://www.owasp.org/index.php/OWASP_Coder_Bounty_Project#News_and_Events What's New]

[https://github.com/CoderBounty/coderbounty/commits/master Commits]

[https://github.com/CoderBounty/coderbounty/issues Issues]

[https://github.com/CoderBounty/coderbounty/labels Labels]

[https://github.com/CoderBounty/coderbounty/milestones Milestones]

[https://github.com/CoderBounty/coderbounty/wiki Wiki]

[https://twitter.com/coderbounty Twitter]

[https://www.facebook.com/coderbounty Facebook]

== Project Leader ==
Project leader (s) name:

Sean Auriti

Email: sean.auriti@owasp.org

== Related Projects ==
* [[OWASP_Snakes_and_Ladders]]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

* [26 Feb 2016] Applied to become an OWASP project
* [07 Jan 2016] Became a NYS corporation.
* [10 Dec 2015] Implemented the AGPL license.
* [14 Oct 2015] Became open source on Github.
* [29 Nov 2013] Completed new western theme design from design contest.
* [04 May 2013] Created new mockup for full website design.
* [01 May 2013] Moved from Webfaction to Heroku.
* [27 Oct 2012] Moved source code from SVN to Bitbucket.
* [24 Sep 2012] Featured in DailyTekk's 100 Terrific Tools for Coders & Developers article.
* [18 Apr 2012] Received our first $100 bounty for the OpenFrameworks project.
* [08 Feb 2012] Hired first developer and project manager to help move the project along faster. Added more gamification, coins and animations.
* [28 Dec 2011] Has first transaction of a coder helping Clusterify, an open source project, and getting paid the bounty.
* [20 Dec 2011] Launched first version of the website. Over 100 users signed up.

|}

=FAQs=

==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. See the Road Map and Getting Involved tab for more details.

==How do I use this Coderbounty==
First find an issue on any of the services we support, paste a link to it, and add a bounty. Additionally you can add to existing bounties or if you are a coder you can complete the tasks and get the bounty!

==How long will the bounty remain on the issue==
As long as you want. You can request a refund within 60 days for a 3% fee, after that the bounty stays on the issue until it is closed.

==What does open mean==
Open means that the issue has not been fixed, coders can commit their code and fix the issue.

==What does in review mean==
In review means that the coder has committed a fix, and the issue reporter and bounty placers are reviewing the code. Bounties can still be placed and when the issue remains closed for 3 days, the bounty is paid out to the coder who committed the code to close the issue.

==What does paid mean==
Paid means that the issue has been fixed, was in review for 3 days and has been verified as closed. Also, the bounty was paid to the coder who closed the issue.

==Can you integrate my bug tracker for my company==
Yes! Let us know in the feedback area or send an email to coderbounty at gmail.com

==I code, will I be guaranteed the bounty==
Yes! Payment is collected up front and held in escrow. When your code is approved you will receive a payment to your selected payment service.

==What does take mean==
Take gives you exclusive rights to close the issue. This issue will be blocked from anyone else taking it and you will have 24 hours to resolve the issue.

= Acknowledgements =
==Contributors==

The OWASP Coderbounty Project is developed by a worldwide team of people. A live update of project [https://github.com/CoderBounty/coderbounty/graphs/contributors contributors is found here].

The first contributors to the project were:

* [https://www.owasp.org/index.php/User:Sauriti Sean Auriti] who created the OWASP Coderbounty project
* [https://github.com/julyzergcn Long Yang] who helped add more gamification features to the first version
* [https://github.com/zaebee Andrey Gromov] Helped with the first version's funcionality

= Road Map and Getting Involved =

==Roadmap==
1 - fix any issues the site may have, integrate payment services

2 - Endemic Advertising with tags on GitHub

3 - Collaboration with FOSS Communities & Orgs to develop a mutually beneficial model

4 - Develop the site to become the go-to tool for open source software development

As of February, 2016, the highest priorities for the next 6 months are: 
* Get other people to review OWASP Coderbounty and provide feedback
* Incorporate feedback into changes
* Finalize and have it reviewed to be promoted from an Incubator Project to a Lab Project


Subsequent Releases will add

* Internationalization Support
* Additional Unit Tests
* Automated Regression tests


==Getting Involved==
Involvement in the development and promotion of OWASP Coderbounty is actively encouraged!
You do not have to be a security expert or a programmer to contribute.
Some of the ways you can help are as follows:

===Coding===
We could implement some of the later items on the roadmap sooner if someone wanted to help out with unit or automated regression tests
===Localization===
Are you fluent in another language? Can you help translate the text strings in the Tool Project Template into that language?
===Testing===
Do you have a flair for finding bugs in software? We want to product a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.
===Feedback===
Please use the [https://coderbounty.uservoice.com/forums/139944-general-feedback Uservoice] for feedback about:
<ul>
<li>What do like?</li>
<li>What don't you like?</li>
<li>What features would you like to see prioritized on the roadmap?</li>
</ul>

=Minimum Viable Product=

Our MVP is to have a fully automatic bounty purchase and payout as well as integrate special functions, methods and processes for OWASP projects.

=Project About=

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

Talk:OWASP Coderbounty Project

2016-04-12T02:10:53Z

Sauriti: removed logo, updated project info

=Main=
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Coderbounty==

The OWASP Coderbounty project aims to accelerate development of projects through gamification within OWASP by placing bounties on Github issues, cheat sheets writing code and related tasks while keeping security in mind. OWASP Coderbounty is not a "Bug Bounty" platform that encourages users to find bugs. It is more of a project management software that allows users to hire developers to complete coding tasks.

A proposed functionality of Coderbounty in conjunction with OWASP is that Projects can accumulate points for each bounty offer and in this way their money spent into running a bounties can increase.

30% of the 10% earned commission will go to the Flagship/LAB projects budget for running bounties.
Another possibility is that 10% of the full bounty goes to OWASP.

==Description==
Coderbounty accelerates software development in the open source community. We connect developers who want to make money with software creators. Coderbounty makes it easy to get your issues fixed for a low cost. Developers compete for the cash prize, i.e. bounty, to get the issue done fast.

Open source software used to require developers to donate their time to help out a project. Now, with Coderbounty, they can earn money. When project managers need to add a feature to an open source program, they can add the issue and post a bounty that will attract coders to complete it. Coderbounty is the best way to get open source code issues solved and supports innovation in the open source and software industry.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP XXX and any contributions are Copyright © by {the Project Leader(s) or OWASP} {Year(s)}.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://www.coderbounty.com/ Coderbounty.com]

[http://www.coderbounty.com/help/ FAQ]

[https://coderbounty-slackin.herokuapp.com/ Slack]

[https://coderbounty.uservoice.com/forums/139944-general-feedback Feedback]

[https://drive.google.com/a/alphaonelabs.com/folderview?id=0B27eQuixxEoiNWhIT2ZQeVhJaW8&usp=sharing# Drive]

[https://drive.google.com/file/d/0B27eQuixxEoiYmpOSWJtd1JoMlU/view?usp=sharing Presentation]

[https://github.com/CoderBounty/coderbounty/ Source]

[https://www.owasp.org/index.php/OWASP_Coder_Bounty_Project#News_and_Events What's New]

[https://github.com/CoderBounty/coderbounty/commits/master Commits]

[https://github.com/CoderBounty/coderbounty/issues Issues]

[https://github.com/CoderBounty/coderbounty/labels Labels]

[https://github.com/CoderBounty/coderbounty/milestones Milestones]

[https://github.com/CoderBounty/coderbounty/wiki Wiki]

[https://twitter.com/coderbounty Twitter]

[https://www.facebook.com/coderbounty Facebook]

[https://angel.co/coderbounty Angel.co]

== Project Leader ==
Project leader (s) name:

Sean Auriti

Email: sean.auriti@owasp.org

== Related Projects ==
* [[OWASP_Snakes_and_Ladders]]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

* [26 Feb 2016] Applied to become an OWASP project
* [07 Jan 2016] Became a NYS corporation.
* [10 Dec 2015] Implemented the AGPL license.
* [14 Oct 2015] Became open source on Github.
* [29 Nov 2013] Completed new western theme design from design contest.
* [04 May 2013] Created new mockup for full website design.
* [01 May 2013] Moved from Webfaction to Heroku.
* [27 Oct 2012] Moved source code from SVN to Bitbucket.
* [24 Sep 2012] Featured in DailyTekk's 100 Terrific Tools for Coders & Developers article.
* [18 Apr 2012] Received our first $100 bounty for the OpenFrameworks project.
* [08 Feb 2012] Hired first developer and project manager to help move the project along faster. Added more gamification, coins and animations.
* [28 Dec 2011] Has first transaction of a coder helping Clusterify, an open source project, and getting paid the bounty.
* [20 Dec 2011] Launched first version of the website. Over 100 users signed up.

|}

=FAQs=

==How can I participate in your project?==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. See the Road Map and Getting Involved tab for more details.

==How do I use this Coderbounty==
First find an issue on any of the services we support, paste a link to it, and add a bounty. Additionally you can add to existing bounties or if you are a coder you can complete the tasks and get the bounty!

==How long will the bounty remain on the issue==
As long as you want. You can request a refund within 60 days for a 3% fee, after that the bounty stays on the issue until it is closed.

==What does open mean==
Open means that the issue has not been fixed, coders can commit their code and fix the issue.

==What does in review mean==
In review means that the coder has committed a fix, and the issue reporter and bounty placers are reviewing the code. Bounties can still be placed and when the issue remains closed for 3 days, the bounty is paid out to the coder who committed the code to close the issue.

==What does paid mean==
Paid means that the issue has been fixed, was in review for 3 days and has been verified as closed. Also, the bounty was paid to the coder who closed the issue.

==Can you integrate my bug tracker for my company==
Yes! Let us know in the feedback area or send an email to coderbounty at gmail.com

==I code, will I be guaranteed the bounty==
Yes! Payment is collected up front and held in escrow. When your code is approved you will receive a payment to your selected payment service.

==What does take mean==
Take gives you exclusive rights to close the issue. This issue will be blocked from anyone else taking it and you will have 24 hours to resolve the issue.

= Acknowledgements =
==Contributors==

The OWASP Coderbounty Project is developed by a worldwide team of people. A live update of project [https://github.com/CoderBounty/coderbounty/graphs/contributors contributors is found here].

The first contributors to the project were:

* [https://www.owasp.org/index.php/User:Sauriti Sean Auriti] who created the OWASP Coderbounty project
* [https://github.com/julyzergcn Long Yang] who helped add more gamification features to the first version
* [https://github.com/zaebee Andrey Gromov] Helped with the first version's funcionality

= Road Map and Getting Involved =

==Roadmap==
1 - fix any issues the site may have, integrate payment services

2 - Endemic Advertising with tags on GitHub

3 - Collaboration with FOSS Communities & Orgs to develop a mutually beneficial model

4 - Develop the site to become the go-to tool for open source software development

As of February, 2016, the highest priorities for the next 6 months are: 
* Get other people to review OWASP Coderbounty and provide feedback
* Incorporate feedback into changes
* Finalize and have it reviewed to be promoted from an Incubator Project to a Lab Project


Subsequent Releases will add

* Internationalization Support
* Additional Unit Tests
* Automated Regression tests


==Getting Involved==
Involvement in the development and promotion of OWASP Coderbounty is actively encouraged!
You do not have to be a security expert or a programmer to contribute.
Some of the ways you can help are as follows:

===Coding===
We could implement some of the later items on the roadmap sooner if someone wanted to help out with unit or automated regression tests
===Localization===
Are you fluent in another language? Can you help translate the text strings in the Tool Project Template into that language?
===Testing===
Do you have a flair for finding bugs in software? We want to product a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.
===Feedback===
Please use the [https://coderbounty.uservoice.com/forums/139944-general-feedback Uservoice] for feedback about:
<ul>
<li>What do like?</li>
<li>What don't you like?</li>
<li>What features would you like to see prioritized on the roadmap?</li>
</ul>

=Minimum Viable Product=

Our MVP is to have a fully automatic bounty purchase and payout as well as integrate special functions, methods and processes for OWASP projects.

=Project About=

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]