OWASP - User contributions [en]

Global Industry Committee - Application 2

2009-11-16T20:27:19Z

Walden:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----
{| style="width:100%" border="0" align="center"
! colspan="2" align="center" style="background:#4058A0; color:white"|'''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|Alexander Fry
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|SoC 2008 Reviewer for Teachable Static Analysis Workbench and Source Code Review OWASP Projects

|-
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Industry Committee.
|}
----

----
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''.
An incomplete application will not be considered for vote.
----

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white"|
! align="center" style="background:#7B8ABD; color:white"|'''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white"|'''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white"|'''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center"|'''1'''
| style="width:20%; background:#cccccc" align="center"|'''Nishi Kumar'''
| style="width:20%; background:#cccccc" align="center"|'''Contributor of Live CD Project'''
| style="width:57%; background:#cccccc" align="center"|'''Alexander is bright and dedicated towards security. His involvement in Industry committe will be very valuable. '''
|-
| style="width:3%; background:#cccccc" align="center"|'''2'''
| style="width:20%; background:#cccccc" align="center"|'''James Walden'''
| style="width:20%; background:#cccccc" align="center"|'''Project leader for Source Code Review OWASP Projects'''
| style="width:57%; background:#cccccc" align="center"|'''Alexander has contacts that would let him reach out to industry areas OWASP hasn't impacted yet.'''
|-
| style="width:3%; background:#cccccc" align="center"|'''3'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''4'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''5'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|}
----

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-12-19T19:09:38Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted 10 OWASP projects to be analyzed on the owasp.fortify.com site to establish an OWASP baseline.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish an open source baseline.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We spent the time since the project midpoint submitting projects to the owasp.fortify.com site. The current status of tasks is:
# Workflow for introducing static analysis into OWASP projects (100%).
# Analyzed 10 OWASP projects (100%).
# Analyzed 25 most popular open source PHP projects on owasp.fortify.com (100%).
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All Alpha criteria are fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All Beta criteria are fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The OWASP EU Summit presentation has been uploaded to fulfill that requirement.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
To ensure that this project leads to continuing improvement in the security of OWASP projects, we need more OWASP project leaders to incorporate static analysis into their project's software development lifecycle. We have received only one volunteer who was willing to take the time to incorporate static analysis into his project: Yiannis, project leader of the JBroFuzz project. We can analyze OWASP projects on our own, but it's important to include static analysis as part of the lifecycle.
|}

Category:OWASP Source Code Review OWASP Projects Project

2008-12-16T14:53:17Z

Walden: /* Process */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Source Code Review OWASP Projects|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Source Code Review OWASP Projects}}
[[Category:OWASP Project]]

== Summary ==

This project involving creating a process for integrating the Fortify Open Review Process into the OWASP project development lifecycle and working with Fortify to develop and test their new Open Review site at [http://owasp.fortify.com/ http://owasp.fortify.com/]. The [https://www.owasp.org/images/c/c9/OWASPEU_SourceReview.ppt OWASP EU Summit presentation] contains a more detailed summary of the project.

== Goals ==

The goals of this project were to:

# Create a process for integrating the Fortify Open Review into open source development, so that source code review can be a required step in OWASP development.
# Test functionality of the new Fortify Open Review site introduced in Summer 2008.
# Scan 10 OWASP projects with the Fortify Open Review to verify the site's functionality and establish a baseline.
# Scan 25 popular open source PHP projects to verify the site's ability to handle large scale projects and establish a baseline.

== Process ==

The purpose of this workflow is to integrate and automate SCA into the development cycle of open source applications for the sole purpose of decreasing software vulnerabilities. This effort can, and should, be supplemented by a manual code review as described in the OWASP Open Review Project. The workflow diagrams can be found in [https://www.owasp.org/index.php/Image:Workflow_July_11a.zip Workflow.zip]. Within the ZIP file, overview.pdf describes the relationships between the different parts of the workflow. The file start.pdf describes the first step of the workflow which verifies that the project is an OWASP project. If it is not then the project is added as a new OWASP project [[Image:Workflow_Draft1.pdf#file]]. Once the project is established as an OWASP project, it can be added by an OWASP administrator (contact the project mailing list below to contact an OWASP administrator) to the Fortify Open Review (reference createProject.pdf).

As described in the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ Fortify Open Review process], the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where the project is checked out from its repository and the Open Review scan is updated on a weekly basis, or a one time analysis as part of their usual development process (see waterfall.pdf and iterative.pdf) after unit testing and prior to final system testing. The single analysis requires the evaluator to produce and upload a Fortify FPR scan file, which requires either that the evaluator uses their own copy of Fortify SCA or contacts an OWASP administrator via the project mailing list to request a scan. In order to track project progress over time, single analyses of major project versions will be maintained on the project web site so that software vulnerability metrics can be tracked. The continuous evaluation is automated, does not require the developer have a Fortify SCA license. There are additional open source static analysis tools that can be used as part of a project's development lifecycle on a regular basis, such as FindBugs (see findBugs.pdf) and OWASP Orizon.

Of course, once vulnerabilities are detected, they need to be either fixed or marked as false positives through the Fortify Open Review site interface. See the [http://www.lulu.com/content/1415989 OWASP Code Review Guide] for information on how to fix common vulnerabilities.

== OWASP Projects Scanned ==

AntiSamy

CSRFGuard

CSRFTester

DirBuster

JBroFuzz

Lapse

Stinger

Webekci

WebGoat

WebScarab

Non-OWASP projects scanned in MediaWiki, WordPress, and many others. See [https://owasp.fortify.com/ owasp.fortify.com] for details.

== Get involved ==

We need OWASP project leaders to submit their projects for review. We will work with you to upload your project and review the findings, so that we can get each OWASP project to show zero defects.

Please go to https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects to subscribe to the list to contact us. You can post to the mailing list by emailing [mailto:owasp-scode-review-owasp-projects@lists.owasp.org].

== People ==

Project lead: [[User:Walden|James Walden]]

Contributors: Maureen Doyle, Grant Welch, Michael Whelan

Reviewers: Marco Morano, Alex Fry

[http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

Project Information:template Source Code Review OWASP Projects

2008-12-12T16:16:08Z

Walden:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Source Code Review OWASP-Projects Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The objectives of this project are: 1. Develop and document a workflow for FLOSS projects to incorporate static analysis into the Software Development Life Cycle (SDLC); 2. Apply the above workflow as a required step for OWASP projects; 3. Aid in auditing select FLOSS projects to create a baseline for comparing security amongst FLOSS projects.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:dan@denimgroup.com '''Dan Cornell'''] SoC's Project Leader [mailto:waldenj1@nku.edu '''James Walden''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:jderry@owasp.org '''Justin Derry'''] 
[mailto:doylem3@nku.edu '''Maureen Doyle'''] 
[mailto:whelanm87@gmail.com '''Michael Whelan''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects '''Mailing List/Subscribe'''] [mailto:OWASP-SCode-Review-OWASP-Projects(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:afry(at)strongcrypto.biz '''Alex Fry'''] [http://www.linkedin.com/in/alexanderfry Profile]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marco.m.morana(at)gmail.com '''Marco M. Morana'''] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Marco M Morana Curriculum|Curriculum]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* Updated workflow [[Image:Workflow_July_11a.zip]]
* [[Image:Workflow_Draft1.pdf]]
* [[Image:CreateProjectExample.pdf]]
* [https://owasp.fortify.com/teamserver/welcome.fhtml Fortify OWASP Open Review Project]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [[:Category:OWASP Open Review Project|'''OWASP Open Review Project (ORPRO)''']]

|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' --------- Which status has been reached? '''Season of Code''' - --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Category:OWASP Source Code Review OWASP Projects Project

2008-12-12T16:15:10Z

Walden:

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Source Code Review OWASP Projects|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Source Code Review OWASP Projects}}
[[Category:OWASP Project]]

== Summary ==

This project involving creating a process for integrating the Fortify Open Review Process into the OWASP project development lifecycle and working with Fortify to develop and test their new Open Review site at [http://owasp.fortify.com/ http://owasp.fortify.com/]. The [https://www.owasp.org/images/c/c9/OWASPEU_SourceReview.ppt OWASP EU Summit presentation] contains a more detailed summary of the project.

== Goals ==

The goals of this project were to:

# Create a process for integrating the Fortify Open Review into open source development, so that source code review can be a required step in OWASP development.
# Test functionality of the new Fortify Open Review site introduced in Summer 2008.
# Scan 10 OWASP projects with the Fortify Open Review to verify the site's functionality and establish a baseline.
# Scan 25 popular open source PHP projects to verify the site's ability to handle large scale projects and establish a baseline.

== Process ==

The purpose of this workflow is to integrate and automate SCA into the development cycle of open source applications for the sole purpose of decreasing software vulnerabilities. This effort can, and should, be supplemented by a manual code review as described in the OWASP Open Review Project. The workflow diagrams can be found in [https://www.owasp.org/index.php/Image:Workflow_July_11a.zip Workflow.zip]. Within the ZIP file, overview.pdf describes the relationships between the different parts of the workflow. The file start.pdf describes the first step of the workflow which verifies that the project is an OWASP project. If it is not then the project is added as a new OWASP project [[Image:Workflow_Draft1.pdf#file]]. Once the project is established as an OWASP project, it can be added by an OWASP administrator (contact the project mailing list below to contact an OWASP administrator) to the Fortify Open Review (reference createProject.pdf).

As described in the Fortify Open Review process, the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where the project is checked out from its repository and the Open Review scan is updated on a weekly basis, or a one time analysis as part of their usual development process (see waterfall.pdf and iterative.pdf) after unit testing and prior to final system testing. The single analysis requires the evaluator to produce and upload a Fortify FPR scan file, which requires either that the evaluator uses their own copy of Fortify SCA or contacts an OWASP administrator via the project mailing list to request a scan. In order to track project progress over time, single analyses of major project versions will be maintained on the project web site so that software vulnerability metrics can be tracked. The continuous evaluation is automated, does not require the developer have a Fortify SCA license. There are additional open source static analysis tools that can be used as part of a project's development lifecycle on a regular basis, such as FindBugs (see findBugs.pdf) and OWASP Orizon.

Of course, once vulnerabilities are detected, they need to be either fixed or marked as false positives through the Fortify Open Review site interface. See the [http://www.lulu.com/content/1415989 OWASP Code Review Guide] for information on how to fix common vulnerabilities.

== OWASP Projects Scanned ==

AntiSamy

CSRFGuard

CSRFTester

DirBuster

JBroFuzz

Lapse

Stinger

Webekci

WebGoat

WebScarab

Non-OWASP projects scanned in MediaWiki, WordPress, and many others. See [https://owasp.fortify.com/ owasp.fortify.com] for details.

== Get involved ==

We need OWASP project leaders to submit their projects for review. We will work with you to upload your project and review the findings, so that we can get each OWASP project to show zero defects.

Please go to https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects to subscribe to the list to contact us. You can post to the mailing list by emailing [mailto:owasp-scode-review-owasp-projects@lists.owasp.org].

== People ==

Project lead: [[User:Walden|James Walden]]

Contributors: Maureen Doyle, Grant Welch, Michael Whelan

Reviewers: Marco Morano, Alex Fry

[http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

Category:OWASP Source Code Review OWASP Projects Project

2008-12-12T16:01:21Z

Walden: /* Goals */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Source Code Review OWASP Projects|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Source Code Review OWASP Projects}}
[[Category:OWASP Project]]

== Summary ==

This project involving creating a process for integrating the Fortify Open Review Process into the OWASP project development lifecycle and working with Fortify to develop and test their new Open Review site at [http://owasp.fortify.com/ http://owasp.fortify.com/].

== Goals ==

The goals of this project were to:

# Create a process for integrating the Fortify Open Review into open source development, so that source code review can be a required step in OWASP development.
# Test functionality of the new Fortify Open Review site introduced in Summer 2008.
# Scan 10 OWASP projects with the Fortify Open Review to verify the site's functionality and establish a baseline.
# Scan 25 popular open source PHP projects to verify the site's ability to handle large scale projects and establish a baseline.

== Process ==
The workflow diagrams can be found in [https://www.owasp.org/index.php/Image:Workflow_July_11a.zip Workflow.zip]. Within the ZIP file, overview.pdf describes the relationships between the different parts of the workflow. The file start.pdf describes the first step of the workflow which verifies that the project is an OWASP project. If it is not then the project is added as a new OWASP project [[Image:Workflow_Draft1.pdf#file]]. Once the project is established as an OWASP project, it can be added by an OWASP administrator (contact the project mailing list below to contact an OWASP administrator) to the Fortify Open Review (reference createProject.pdf).

As described in the Fortify Open Review process, the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where the project is checked out from its repository and the Open Review scan is updated on a weekly basis, or a one time analysis as part of their usual development process (see waterfall.pdf and iterative.pdf) after unit testing and prior to final system testing. The single analysis requires the evaluator to produce and upload a Fortify FPR scan file, which requires either that the evaluator uses their own copy of Fortify SCA or contacts an OWASP administrator via the project mailing list to request a scan. In order to track project progress over time, single analyses of major project versions will be maintained on the project web site so that software vulnerability metrics can be tracked. The continuous evaluation is automated, does not require the developer have a Fortify SCA license. There are additional open source static analysis tools that can be used as part of a project's development lifecycle on a regular basis, such as FindBugs (see findBugs.pdf) and OWASP Orizon.

Of course, once vulnerabilities are detected, they need to be either fixed or marked as false positives through the Fortify Open Review site interface. See the [http://www.lulu.com/content/1415989 OWASP Code Review Guide] for information on how to fix common vulnerabilities. remove common problems.

The purpose of this workflow is to integrate and automate SCA into the development cycle of open source applications for the sole purpose of decreasing software vulnerabilities. This effort can, and should, be supplemented by a manual code review as described in the OWASP Open Review Project.

== OWASP Projects Scanned ==

AntiSamy

CSRFGuard

CSRFTester

DirBuster

JBroFuzz

Lapse

Stinger

Webekci

WebGoat

WebScarab

Non-OWASP projects scanned in MediaWiki, WordPress, and many others. See [https://owasp.fortify.com/ owasp.fortify.com] for details.

== Get involved ==

We need OWASP project leaders to submit their projects for review. We will work with you to upload your project and review the findings, so that we can get each OWASP project to show zero defects.

Please go to https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects to subscribe to the list to contact us. You can post to the mailing list by emailing [mailto:owasp-scode-review-owasp-projects@lists.owasp.org].

== People ==

Project lead: [[User:Walden|James Walden]]

Contributors: Maureen Doyle, Grant Welch, Michael Whelan

Reviewers: Marco Morano, Alex Fry

[http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

Category:OWASP Source Code Review OWASP Projects Project

2008-12-12T15:59:55Z

Walden:

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Source Code Review OWASP Projects|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Source Code Review OWASP Projects}}
[[Category:OWASP Project]]

== Summary ==

This project involving creating a process for integrating the Fortify Open Review Process into the OWASP project development lifecycle and working with Fortify to develop and test their new Open Review site at [http://owasp.fortify.com/ http://owasp.fortify.com/].

== Goals ==

The goals of this project were to:

# Create a process for integrating the Fortify Open Review into open source development.
# Test functionality of the new Fortify Open Review site introduced in Summer 2008.
# Scan 10 OWASP projects with the Fortify Open Review to verify the site's functionality and establish a baseline.
# Scan 25 popular open source PHP projects to verify the site's ability to handle large scale projects and establish a baseline.

== Process ==
The workflow diagrams can be found in [https://www.owasp.org/index.php/Image:Workflow_July_11a.zip Workflow.zip]. Within the ZIP file, overview.pdf describes the relationships between the different parts of the workflow. The file start.pdf describes the first step of the workflow which verifies that the project is an OWASP project. If it is not then the project is added as a new OWASP project [[Image:Workflow_Draft1.pdf#file]]. Once the project is established as an OWASP project, it can be added by an OWASP administrator (contact the project mailing list below to contact an OWASP administrator) to the Fortify Open Review (reference createProject.pdf).

As described in the Fortify Open Review process, the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where the project is checked out from its repository and the Open Review scan is updated on a weekly basis, or a one time analysis as part of their usual development process (see waterfall.pdf and iterative.pdf) after unit testing and prior to final system testing. The single analysis requires the evaluator to produce and upload a Fortify FPR scan file, which requires either that the evaluator uses their own copy of Fortify SCA or contacts an OWASP administrator via the project mailing list to request a scan. In order to track project progress over time, single analyses of major project versions will be maintained on the project web site so that software vulnerability metrics can be tracked. The continuous evaluation is automated, does not require the developer have a Fortify SCA license. There are additional open source static analysis tools that can be used as part of a project's development lifecycle on a regular basis, such as FindBugs (see findBugs.pdf) and OWASP Orizon.

Of course, once vulnerabilities are detected, they need to be either fixed or marked as false positives through the Fortify Open Review site interface. See the [http://www.lulu.com/content/1415989 OWASP Code Review Guide] for information on how to fix common vulnerabilities. remove common problems.

The purpose of this workflow is to integrate and automate SCA into the development cycle of open source applications for the sole purpose of decreasing software vulnerabilities. This effort can, and should, be supplemented by a manual code review as described in the OWASP Open Review Project.

== OWASP Projects Scanned ==

AntiSamy

CSRFGuard

CSRFTester

DirBuster

JBroFuzz

Lapse

Stinger

Webekci

WebGoat

WebScarab

Non-OWASP projects scanned in MediaWiki, WordPress, and many others. See [https://owasp.fortify.com/ owasp.fortify.com] for details.

== Get involved ==

We need OWASP project leaders to submit their projects for review. We will work with you to upload your project and review the findings, so that we can get each OWASP project to show zero defects.

Please go to https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects to subscribe to the list to contact us. You can post to the mailing list by emailing [mailto:owasp-scode-review-owasp-projects@lists.owasp.org].

== People ==

Project lead: [[User:Walden|James Walden]]

Contributors: Maureen Doyle, Grant Welch, Michael Whelan

Reviewers: Marco Morano, Alex Fry

[http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

Category:OWASP Source Code Review OWASP Projects Project

2008-12-12T15:49:58Z

Walden:

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Source Code Review OWASP Projects|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Source Code Review OWASP Projects}}
[[Category:OWASP Project]]

== Summary ==

This project involving creating a process for integrating the Fortify Open Review Process into the OWASP project development lifecycle and working with Fortify to develop and test their new Open Review site at [http://owasp.fortify.com/ http://owasp.fortify.com/].

== Goals ==

The goals of this project were to:

# Create a process for integrating the Fortify Open Review into open source development.
# Test functionality of the new Fortify Open Review site introduced in Summer 2008.
# Scan 10 OWASP projects with the Fortify Open Review to verify the site's functionality and establish a baseline.
# Scan 25 popular open source PHP projects to verify the site's ability to handle large scale projects and establish a baseline.

== Process ==
The workflow diagrams can be found in [https://www.owasp.org/index.php/Image:Workflow_July_11a.zip Workflow.zip]. Within the ZIP file, overview.pdf describes the relationships between the different parts of the workflow. The file start.pdf describes the first step of the workflow which verifies that the project is an OWASP project. If it is not then the project is added as a new OWASP project [[Image:Workflow_Draft1.pdf#file]]. Prior to any source code analysis (SCA), the project must also be added as a Fortify Open Review Project(reference createProject.pdf).

As described in the Fortify Open Review Process, the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where SCA is done weekly, or a one time analysis as part of their usual development process (see waterfall.pdf and iterative.pdf) after unit testing and prior to final system testing. The single analysis requires the evaluator to submit a Fortify output file which requires the evaluator to own a copy of Fortify 360. The continuous evaluation is automated, does not require the developer have a Fortify 360 license, and in accordance with the [http://www.lulu.com/content/1415989 OWASP Code Review Guide] these results can be used to remove common problems. The common problems, along with other software errors exposed by findBugs (reference findBugs.pdf) will then be documented as known problems in the project's bug list.

The purpose of this workflow is to integrate and automate SCA into the development cycle of open source applications for the sole purpose of decreasing software vulnerabilities. This effort can, and should, be supplemented by a Manual Code Review as described in the OWASP Open Review Project.

== OWASP Projects Scanned ==

AntiSamy

CSRFGuard

CSRFTester

DirBuster

JBroFuzz

Lapse

Stinger

Webekci

WebGoat

WebScarab

Non-OWASP projects scanned in MediaWiki, WordPress, and many others. See [https://owasp.fortify.com/ owasp.fortify.com] for details.

== Get involved ==

We need OWASP project leaders to submit their projects for review. We will work with you to upload your project and review the findings, so that we can get each OWASP project to show zero defects.

Please go to https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects to subscribe to the list to contact us. You can post to the mailing list by emailing [mailto:owasp-scode-review-owasp-projects@lists.owasp.org].

== People ==

Project lead: [[User:Walden|James Walden]]

Contributors: Maureen Doyle, Grant Welch, Michael Whelan

Reviewers: Marco Morano, Alex Fry

[http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].

Category:OWASP Source Code Review OWASP Projects Project

2008-12-09T23:20:03Z

Walden:

User:Walden

2008-12-09T22:01:06Z

Walden: New page: [http://faculty.cs.nku.edu/~waldenj/ James Walden] is a professor of computer science at the [http://informatics.nku.edu/ NKU College of Informatics]. He leads the [https://www.owasp.org/...

[http://faculty.cs.nku.edu/~waldenj/ James Walden] is a professor of computer science at the [http://informatics.nku.edu/ NKU College of Informatics]. He leads the [https://www.owasp.org/index.php/Category:OWASP_Source_Code_Review_OWASP_Projects_Project OWASP Source Code Review] project and is a member of the [http://www.owasp.org/index.php/Cincinnati Cincinnati chapter] of OWASP.

Category:OWASP Source Code Review OWASP Projects Project

2008-12-09T21:53:50Z

Walden:

Category:OWASP Source Code Review OWASP Projects Project

2008-12-09T21:51:47Z

Walden:

OWASP EU Summit 2008

2008-12-09T18:39:11Z

Walden:

{|
! width="315" align="left"|
! width="190" align="center" |
! width="300" align="center" |
|-
| align="center"|__TOC__
| align="center"|[[Image:OWASP EU Summit Portugal 2008.jpg]] ''''SETTING THE WEB APPLICATION SECURITY AGENDA FOR 2009'''' 3th - 7th November 2008
| align="left"|
* [https://www.owasp.org/index.php/OWASP_EU_Summit_2008_Media_Coverage Summit media coverage]
* [http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA Sponsored Participants]
|}
{| style="width:80%" border="0" align="center"
| align="center" |
|-
| style="width:100%; align="center"|[[Image:Summit Group 4.jpg]]
|}

== KEY RESULTS FROM THE OWASP SUMMIT ==

=== SUMMIT CONCLUSIONS DOCUMENT ===

"ALGARVE, PORTUGAL, November 7, 2008 – The Open Web Application Security Project (OWASP) today announced results from the annual OWASP Summit. Over 80 application security experts from over 20 countries joined forces to identify, coordinate, and prioritize our 2009 efforts to create a more secure Internet.

OWASP is a free and open community that focuses on improving application security. There is overwhelming evidence that the vast majority of web applications contain security holes that are increasingly putting people and organizations at serious risk. Securing web applications is an extraordinarily difficult technical challenge that demands a concerted effort.

“OWASP came together for a week and produced a stunning amount of new ideas,” said OWASP Chair Jeff Williams. “Our community is growing and organizing into a powerful movement that will affect software development worldwide. This summit marks a major milestone our efforts to improve application security. (...)” [https://www.owasp.org/images/4/46/Board_signed_Document.pdf See here the fully OWASP Board's signed document with OWASP Summit 2008's conclusions"] and watch OWASP Board's videos - [http://www.youtube.com/watch?v=skTNrQOGLOc '''Jeff Williams'''] and [http://uk.youtube.com/watch?v=kHAC7skATQg&feature=related '''Dinis Cruz'''].

<hr>

Key results from the OWASP Summit include:

=== UPDATED OWASP PRINCIPLES ===

• Free & Open,

• Governed by rough consensus & running code,

• Abide by a code of ethics (see ethics),

• Not-for-profit,

• Not driven by commercial interests,

• Risk based approach.

=== UPDATED CODE OF ETHICS ===
• Support the implementation of and promote compliance with standards, procedures, controls for application security,

• Have objectivity, due diligence and professional care in accordance with established standards,

• Responsible disclosure.

=== NEW OUTREACH PROGRAMS ===
• OWASP has expanded its outreach efforts by building relationships with technology vendors, framework providers, and standards bodies. In addition, we piloted a new program to provide free one-day seminars at universities and developer conferences worldwide.

=== NEW GLOBAL COMMITTEE STRUCTURE ===
• OWASP recognized the extraordinary contribution of our most active leaders by engaging them to lead a set of six new committees. Each democratically established committee will focus on a key function or geographic region, such as OWASP projects, conferences, local chapters, membership and industry outreach.

{| style="width:80%" border="0" align="center"
| colspan="6" align="center" style="background:#4058A0; color:white" | OWASP GLOBAL COMMITTEES ( OWASP GC)
|-
| style="width:17%; background:#f2984c" align="center" | [[Global Education Committee|Education]]
| style="width:17%; background:#f2984c" align="center" | [[Global Chapter Committee|Chapters]]
| style="width:17%; background:#f2984c" align="center" | [[Global Conferences Committee|Conferences]]
| style="width:17%; background:#f2984c" align="center" | [[Global Industry Committee|Industry]]
| style="width:16%; background:#f2984c" align="center" | [[Global Projects and Tools Committee|Projects & Tools]]
| style="width:16%; background:#f2984c" align="center" | [[Global Membership Committee|Membership]]
|}

[https://www.owasp.org/index.php/How_to_Join_a_Committee '''How to Join a Global Committee'''] - '''Applications being accepted until January 9th 2009 for a 24 month term.'''

=== NEW FREE TOOLS AND GUIDANCE ===

• OWASP announced the release of Live CD 2008, many new testing tools, static analysis tools, the Enterprise Security API (ESAPI v1.4), AntiSamy, the Application Security Verification Standard (ASVS), guidance for Ruby on Rails and Classic ASP, international versions of our materials, and much more.

{| style="width:80%" border="0" align="center"
| colspan="2" align="center" style="background:#4058A0; color:white" | '''OWASP is proud to launch the following new or updated tools:'''
|-
| style="width:80%; background:#a0c0e0" align="center"|'''PROJECT'''
| style="width:20%; background:#C2C2C2" align="center"|'''AUTHOR'''
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Application Security Verification Standard Project|'''OWASP Application Security Verification Standard - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Mike Boberski
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP AppSensor Project|'''OWASP AppSensor - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Michael Coates
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Access Control Rules Tester Project|'''OWASP Access Control Rules Tester - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Andrew Petukhov
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP AntiSamy Project .NET|'''OWASP AntiSamy Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Arshan Dabirsiaghi
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|'''OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Dmitry Kozlov
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Code Crawler|'''OWASP Code Crawler - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Alessio Marziali
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP JSP Testing Tool Project|'''OWASP JSP Testing Tool - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Jason Li
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Live CD 2008 Project|'''OWASP Live CD - SoC 08''']]

| style="width:20%; background:#C2C2C2" align="center"|Matt Tesauro
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp|'''OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Arturo ‘Buanzo’
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Orizon Project|'''OWASP Orizon Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Paolo Perego
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Python Static Analysis Project|'''OWASP Python Static Analysis Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Georgy Kilmov
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Skavenger Project|'''OWASP Skavenger Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Matthias Rohr
|-
| style="width:80%; background:#a0c0e0" align="center"|[[:Category:OWASP Teachable Static Analysis Workbench Project|'''OWASP Teachable Static Analysis Workbench - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Dmitry Kozlov & Igor Konnov
|}

{| style="width:80%" border="0" align="center"
| colspan="2" align="center" style="background:#4058A0; color:white" | '''OWASP is proud to launch the following new or updated documents and resources:'''
|-
| style="width:80%; background:#FFDF80" align="center"|'''PROJECT'''
| style="width:20%; background:#C2C2C2" align="center"|'''AUTHOR'''
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP ASDR Project|'''OWASP Application Security Desk Reference - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Leonardo Cavallari
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP Backend Security Project|'''OWASP Backend Security Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Carlo Pelliccioni
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Classic ASP Security Project|'''OWASP Classic ASP Security Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Juan Carlos Calderon
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP Code Review Project|'''OWASP Code Review Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Eoin Keary
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP Education Project|'''OWASP Education Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Sebastien Deleersnyder, Martin Knobloch
|-
| style="width:80%; background:#FFDF80" align="center"|[[:OWASP Internationalization|'''OWASP Internationalization Project - Soc 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Juan Carlos Calderon
|-
| style="width:80%; background:#FFDF80" align="center"|[[:OWASP Spanish|'''OWASP Spanish Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Juan Carlos Calderon
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP Positive Security Project|'''OWASP Positive Security Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Eduardo V.C. Neves
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP Ruby on Rails Security Guide V2|'''OWASP Ruby on Rails Security Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Heiko Webers
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP Securing WebGoat using ModSecurity Project|'''OWASP Securing WebGoat using ModSecurity Project - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Stephen Craig Evans
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP Source Code Review OWASP Projects Project|'''OWASP Source Code Review - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|James Walden
|-
| style="width:80%; background:#FFDF80" align="center"|[[:Category:OWASP Testing Project|'''OWASP Testing Guide V3 - SoC 08''']]
| style="width:20%; background:#C2C2C2" align="center"|Matteo Meucci
|}

Find more OWASP Projects at the [https://www.owasp.org/index.php/Category:OWASP_Project OWASP Projects Page].

== EVENT AGENDA ==

{| style="width:80%" border="0" align="center"
| colspan="5" align="center" style="background:#4058A0; color:white" | Agenda for Monday, November 3rd, 2008
|-
| style="width:10%; background:#7B8ABD" align="center"| 13:00
| colspan="4" style="width:90%; background:#C2C2C2" align="center" | Lunch
|-
| style="width:10%; background:white" align="center"|
| colspan="4" style="width:90%; background:white" align="center" | Training Sessions
|-
| style="width:10%; background:#7B8ABD" align="center"| 15:00 - 17:00
| style="width:30%; background:#c0a0a0" align="center" | Securing WebGoat with ModSecurity Stephen Craig Evans
| style="width:30%; background:#c0a0a0" align="center" | WebSec Apps for Managers and Executives [http://uk.youtube.com/watch?v=r04EOuukvMQ Video] Mano Paul
| style="width:30%; background:#c0a0a0" align="center" | OWASP Testing Guide Matteo Meucci
|-
| style="width:10%; background:#7B8ABD" align="center" | 19:00
| colspan="4" style="width:90%; background:#F2F2F2" align="center" | Summit Briefing Dinis Cruz and Summit Organization Team
|-
| style="width:10%; background:#7B8ABD" align="center" | 20:00
| colspan="4" style="width:90%; background:#C2C2C2" align="center" | Dinner
|-
|}

{| style="width:80%" border="0" align="center"
| colspan="5" align="center" style="background:#4058A0; color:white" | Agenda for Tuesday, November 4th, 2008
|-
| style="width:10%; background:#7B8ABD" align="center" | 08:00
| colspan="4" style="width:80%; background:#C2C2C2" align="center" | Registration
|-
| style="width:10%; background:#7B8ABD" align="center"| 09:00
| colspan="4" style="width:80%; background:#F2F2F2" align="center" | Summit Keynote Dinis Cruz and Summit Organization Team
|-
| style="width:10%; background:#7B8ABD" align="center" |
| colspan="2" style="width:45%; background:#FFDF80" align="center" | '''Documents'''
| colspan="2" style="width:45%; background:#a0c0e0" align="center" | '''Tools'''
|-
| style="background:#7B8ABD" align="center" | 09:30
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP Testing Project|'''OWASP Testing Guide - SoC 08''']] Matteo Meucci
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP JSP Testing Tool Project|'''OWASP JSP Testing Tool - SoC 08''']] Jason Li
|-
| style="background:#7B8ABD" align="center" | 09:45
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP Code Review Project|'''OWASP Code Review Project - SoC 08''']] [https://www.owasp.org/images/5/59/Code_Review_Eoin.pptx PowerPoint Presentation] Eoin Keary
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP Orizon Project|'''OWASP Orizon Project - SoC 08''']] [https://www.owasp.org/images/9/9b/OWASP_EU_Summit_2008_The_Owasp_Orizon_Project.ppt PowerPoint Presentation] Paolo Perego
|-
| style="background:#7B8ABD" align="center" | 10:00
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP ASDR Project|'''OWASP Application Security Desk Reference - SoC 08''']] Leonardo Cavallari Militelli
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP Live CD 2008 Project|'''OWASP Live CD - SoC 08''']] Matt Tesauro
|-
| style="background:#7B8ABD" align="center" | 10:15
| colspan="2" style="background:#FFDF80" align="center" | [[:OWASP Spanish|'''OWASP Spanish Project - SoC 08''']] Juan Carlos Calderon
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP WebScarab Project|'''OWASP WebScarab Project''']] [https://www.owasp.org/images/8/88/OWASP_EU_Summit_2008_WebScarab_treasures.ppt PowerPoint Presentation] Rogan Dawes
|-
| style="background:#7B8ABD" align="center"| 10:30
| colspan="5" style="background:#C2C2C2" align="center" | Coffee Break
|-
| style="background:#7B8ABD" align="center"| 10:45
| colspan="2" style="background:#FFDF80" align="center" | .NET ESAPI Alex Smolen
| colspan="2" style="background:#a0c0e0" align="center" |
|-
| style="width:10%; background:#7B8ABD" align="center" | 11:00
| colspan="4" style="width:90%; background:#F2F2F2" align="center" | Working Sessions Briefing Dinis Cruz
|-
| style="width:10%; background:white" align="center"|
| colspan="4" style="width:90%; background:white" align="center" | Working Sessions
|}
{| style="width:80%" border="0" align="center" |
| colspan="5" align="center" style="background:white" |
|-
| style="width:10%; background:#7B8ABD" align="center" | 11:15 - 13:00
| style="width:30%; background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP Documentation Projects|'''Documentation Projects/Guides Integration and Unified 4.0 Version''']] [https://www.owasp.org/images/9/92/Final_OWASP_Guidelines_Ideas_List_.docx WS Conclusions] Eduardo Neves
| style="width:30%; background:#B3FF99" align="center" | [[:OWASP Working Session - Browser Security|'''OWASP Intrinsic Security Working Group - Browser Security ''']] Arshan Dabirsiaghi
| style="width:30%; background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP Tools Projects|'''Tools Projects]]''' [https://www.owasp.org/images/5/51/EUSummit08_OWASP_Tools_Working_Session_Suggestions.doc WS Conclusions] Matt Tesauro
|-
| style="background:#7B8ABD" align="center" | 13:00
| colspan="4" style="background:#C2C2C2" align="center" | Lunch
|-
| style="width:10%; background:white" align="center"|
| colspan="4" style="width:90%; background:white" align="center" | Training Sessions
|-
| style="background:#7B8ABD" align="center" | 14:00
| style="background:#c0a0a0" align="center" | '''The Art and Science of Threat Modeling Web Applications''' [http://uk.youtube.com/watch?v=r04EOuukvMQ Video] Mano Paul
| style="background:#c0a0a0" align="center" | '''Web Server Hardening SELinux''' [https://www.owasp.org/images/d/db/SELinux-course-OWASP.pdf PDF Presentation] Pavol Luptak
| style="background:#c0a0a0" align="center" | '''Offensive WebApp Hacking''' [http://www.youtube.com/watch?v=cl6BHhi2Dys Video - LDAP, XML and SQL injection] [http://www.carlosserrao.net/files/owasp/owaspdemo02.swf Video - LDAP injection demo] [http://www.carlosserrao.net/files/owasp/owaspdemo04.swf XML injection demo] [http://www.carlosserrao.net/files/owasp/owaspdemo03.swf Video - SQL injection demo ] Marco Slaviero
|-
| style="background:#7B8ABD" align="center" | 15:00
| style="background:#c0a0a0" align="center" | '''Phishing attack''' [http://www.youtube.com/watch?v=uf9hw-qvx-I Video] Matt Teasuro & Brad Causey
| colspan="2" style="background:#c0a0a0" align="center" | '''Clickjacking''' [http://www.youtube.com/watch?v=H9srYh0HMP4 Video] [http://www.carlosserrao.net/files/owasp/owaspdemo01.swf Demonstration] Arshan Dabirsiaghi
|-
| style="background:#7B8ABD" align="center" | 16:00
| colspan="4" style="background:#C2C2C2" align="center" | Coffee Break
|-
| style="width:10%; background:white" align="center"|
| colspan="4" style="width:90%; background:white" align="center" | Working Sessions
|-
| style="width:10%; background:#7B8ABD" align="center" | 16:30
| colspan="4" style="width:90%; background:#B3FF99" align="center" |[[:OWASP Working Session Enterprise Security API Project|'''OWASP Enterprise Security API Project (ESAPI)''']] [http://uk.youtube.com/watch?v=-D_bymZ-8vI Video] [https://www.owasp.org/images/7/70/ESAPI_Ideas_List.docx WS Conclusions] Jeff Williams
|-
| style="background:#7B8ABD" align="center" | 18:30
| colspan="2" style="background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP ASDR|'''OWASP Application Security Desk Reference - ASDR]]''' Leonardo Cavallari
| style="background:#B3FF99" align="center" | [[:OWASP Working Session - .NET Project|'''.NET Project''']] Dinis Cruz
|}

{| style="width:80%" border="0" align="center"
| colspan="5" align="center" style="background:#4058A0; color:white" | Agenda for Wednesday, November 5th, 2008
|-
| style="width:10%; background:#7B8ABD" align="center"| 09:15
| colspan="4" style="width:80%; background:#F2F2F2" align="center" | Daily Briefing Dinis Cruz
|-
| style="width:10%; background:#7B8ABD" |
| colspan="2" style="width:30%; background:#FFDF80" align="center" | '''Standards and Education'''
| colspan="2" style="width:30%; background:#a0c0e0" align="center" | '''Tools'''
|-
| style="background:#7B8ABD" align="center" | 10:00
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP Positive Security Project|'''OWASP Positive Security Project - SoC 08''']] Eduardo Neves
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP Access Control Rules Tester Project|'''OWASP Access Control Rules Tester - SoC 08''']] [https://www.owasp.org/images/3/32/OWASP_EU_Summit_2008_AcCoRuTe.pptx PowerPoint Presentation] Andrew Petukhov
|-
| style="background:#7B8ABD" align="center" | 10:15
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP Education Project|'''OWASP Education Project - SoC 08''']] Sebastien Deleersnyder, Martin Knobloch
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP Teachable Static Analysis Workbench Project|'''OWASP Teachable Static Analysis Workbench - SoC 08''']] [https://www.owasp.org/images/6/69/Teachable_static_analysis_workbench.pptx PowerPoint Presentation] Dmitry Kozlov
|-
| style="background:#7B8ABD" align="center" | 10:30
| colspan="2" style="background:#FFDF80" align="center" | [[:OWASP Internationalization|'''OWASP Internationalization Project - Soc 08''']] Juan Carlos Calderon
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP AppSensor Project|'''OWASP AppSensor - SoC 08''']] [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt PowerPoint Presentation] Michael Coates
|-
| style="background:#7B8ABD" align="center" | 10:45
| colspan="2" style="background:#FFDF80" align="center" | '''PASSWD Project: Metrics and Vulnerabilities''' [https://www.owasp.org/images/f/f6/PASSWD.ppt PowerPoint Presentation] Lucilla Mancini
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP Backend Security Project|'''OWASP Backend Security Project - SoC 08''']] [https://www.owasp.org/images/2/20/OWASP_EU_Summit_2008_Presentation_Model.ppt PowerPoint Prsentation] Carlo Pelliccioni
|-
| style="background:#7B8ABD" align="center" | 11:00
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP Open Review Project|'''OWASP Open Review Project''']] Dan Cornell
| colspan="2" style="background:#a0c0e0" align="center" | [[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|'''OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project - SoC 08''']] [https://www.owasp.org/images/c/c4/Site_generator.pptx PowerPoint Presentation] Dmitry Kozlov
|-
| style="background:#7B8ABD" align="center" | 11:15
| colspan="4" style="background:#f2984c" align="center" | [[OWASP EU Summit 2008#NEW GLOBAL COMMITTEE STRUCTURE|'''OWASP Global Committee Elections''']]
|-
| style="background:#7B8ABD" align="center" | 11:30
| colspan="4" style="background:#C2C2C2" align="center" | Coffee Break
|-
| style="width:10%; background:white" align="center"|
| colspan="4" style="width:90%; background:white" align="center" | Working Sessions
|-
| style="background:#7B8ABD" align="center" | 12:45
| colspan="2" style="background:#B3FF99" align="center" | [[OWASP Working Session Education Project|'''Education Project''']] [https://www.owasp.org/images/3/33/OWASP_Education_Working_Session_Notes_-_Ideas.ppt WS Conclusions] Sebastien Deleersnyder
| style="background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP Testing Guide|'''Testing Guide''']] Matteo Meucci
| style="background:#B3FF99" align="center" | [[:OWASP Working Session - Web Application Framework Security|'''Web Application Framework Security''']] Arshan Dabirsiaghi
|-
| style="background:#7B8ABD" align="center" | 14:45
| colspan="4" style="background:#C2C2C2" align="center" | Lunch (During Working Sessions)
|-
| style="width:10%; background:white" align="center"|
| colspan="4" style="width:90%; background:white" align="center" | Training Sessions
|-
| style="background:#7B8ABD" align="center" | 15:00
| style="background:#c0a0a0" align="center" | '''Flash Player Security''' Peleus Uhley
| style="background:#c0a0a0" align="center" | '''OWASP Top 10''' [http://uk.youtube.com/watch?v=GsRbpshqqII Video] Sebastien Deleersnyder and Martin Knobloch
| style="background:#c0a0a0" align="center" | '''Uncovering WebScarab's Secret Treasures''' [https://www.owasp.org/images/8/88/OWASP_EU_Summit_2008_WebScarab_treasures.ppt PowerPoint Presentation] Rogan Dawes
| style="background:#c0a0a0" align="center" | '''Hacking the Orizon''' [http://www.owasp.org/index.php/Image:Hacking_the_Owasp_Orizon.ppt PowerPoint Presentation] Paolo Perego
|-
| style="background:#7B8ABD" align="center"| 17:00
| colspan="5" style="background:#C2C2C2" align="center" | Coffee Break
|-
| style="width:10%; background:white" align="center"|
| colspan="4" style="width:90%; background:white" align="center" | Working Sessions
|-
| style="background:#7B8ABD" align="center" | 17:30
| style="background:#B3FF99" align="center" | [[:OWASP Working Session - Code Review Guide|'''Code Review Guide''']] Eoin Keary
| style="background:#B3FF99" align="center" | EU Funding for OWASP Projects Carlos Serrao
| style="background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP Certification|'''OWASP Certification''']] Tom Brennan
| style="background:#B3FF99" align="center" | Software Assurance Maturity Model Pravir Chandra
|-
| style="background:#7B8ABD" align="center" | 19:00
| style="background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP Website|'''OWASP Website''']] [https://www.owasp.org/images/8/8b/EUSummit08_OWASP_Web_Site_Working_Session_Suggestions.doc WS Conclusions] [https://www.owasp.org/images/2/2e/Website.ppt PPT Presentation] Fabio Cerullo
| style="background:#B3FF99" align="center" | '''Metrics & Vulnerabilities''' Lucilla Mancini
| colspan="2" style="background:#B3FF99" align="center" | OWASP Orizon Paolo Perego
|}

{| style="width:80%" border="0" align="center"
| colspan="6" align="center" style="background:#4058A0; color:white" | Agenda for Thursday, November 6th, 2008
|-
| style="width:10%; background:#7B8ABD" align="center"| 09:15
| colspan="5" style="width:80%; background:#F2F2F2" align="center" | Daily Briefing Dinis Cruz
|-
| style="width:10%; background:#7B8ABD" |
| colspan="2" style="width:30%; background:#FFDF80" align="center" | '''Technology'''
| colspan="3" style="width:30%; background:#a0c0e0" align="center" | '''Tools'''
|-
| style="background:#7B8ABD" align="center" | 10:00
| colspan="2" style="background:#FFDF80" align="center" | [[:Classic ASP Security Project|'''OWASP Classic ASP Security Project - SoC 08''']] Juan Carlos Calderon
| colspan="3" style="background:#a0c0e0" align="center" | [[:Category:OWASP Source Code Review OWASP Projects Project|'''OWASP Source Code Review - SoC 08''']] [https://www.owasp.org/images/c/c9/OWASPEU_SourceReview.ppt PowerPoint Presentation] James Walden
|-
| style="background:#7B8ABD" align="center" | 10:15
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP Ruby on Rails Security Guide V2|'''OWASP Ruby on Rails Security Project - SoC 08''']] [https://www.owasp.org/images/3/32/Rails_security_2_presentation.pdf PDF Presentation] Heiko Webers
| colspan="3" style="background:#a0c0e0" align="center" | [[:Category:OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp|'''OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp - SoC 08''']] Arturo Alberto Busleiman
|-
| style="background:#7B8ABD" align="center" | 10:30
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP Webslayer Project|'''OWASP Webslayer Project''']] Christian Martorella
| colspan="3" style="background:#a0c0e0" align="center" | [[:Category:OWASP Securing WebGoat using ModSecurity Project|'''OWASP Securing WebGoat using ModSecurity Project - SoC 08''']] Stephen Evans and Christian Folini
|-
| style="background:#7B8ABD" align="center" | 11:00
| colspan="2" style="background:#FFDF80" align="center" | [[:Category:OWASP Skavenger Project|'''OWASP Skavenger Project - SoC 08''']] Matthias Rohr
| colspan="3" style="background:#a0c0e0" align="center" | [[:Category:OWASP AntiSamy Project .NET|'''OWASP AntiSamy Project - SoC 08''']] Marcin Wielgoszewski
|-
| style="background:#7B8ABD" align="center"| 11:15
| colspan="5" style="background:#C2C2C2" align="center" | Coffee Break
|-
| style="width:10%; background:white" align="center"|
| colspan="5" style="width:90%; background:white" align="center" | Working Sessions
|-
| style="background:#7B8ABD" align="center" | 11:30
| style="background:#B3FF99" align="center" | [[:OWASP Working Session Top 10 2009|'''OWASP Top 10 - 2009''']] Dave Wichers
| style="background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP Intra Governmental Affairs|'''OWASP Intra Governmental Affairs''']] David Campbell
| style="background:#B3FF99" align="center" | SAMM v2
| style="background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP Website|'''OWASP Website''']] Fabio Cerullo
| style="background:#B3FF99" align="center" | Handling Web MalWare
|-
| style="background:#7B8ABD" align="center" | 13:00
| colspan="5" style="background:#C2C2C2" align="center" | Lunch (During Working Sessions)
|-
| style="width:10%; background:white" align="center"|
| colspan="5" style="width:90%; background:white" align="center" | Training Sessions
|-
| style="background:#7B8ABD" align="center" | 14:00
| style="background:#c0a0a0" align="center" | Ajax Security
| colspan="2" style="background:#c0a0a0" align="center" | Auditing Flash Applications Peleus Uhley
| style="background:#c0a0a0" align="center" | WebApp Assessment Vicente Aguilera Diaz
| style="background:#c0a0a0" align="center" | Mod Security Lucas C. Ferreira
|-
| style="width:10%; background:white" align="center"|
| colspan="5" style="width:90%; background:white" align="center" | Working Sessions
|-
| style="background:#7B8ABD" align="center" | 16:30
| colspan="5" style="background:#B3FF99" align="center" | [[:Working Session OWASP Strategic Planning|'''OWASP Strategic Planning and Business Models compatible with OWASP values''']] Jeff Williams, Dinis Cruz, Dave Wichers, Sebastien Deleersnyder, Tom Brennan & Kate Hartmann and Paulo Combra
|-
| style="background:#7B8ABD" align="center" | 18:30
| colspan="2" style="background:#B3FF99" align="center" | [[:OWASP Working Session - Two-way Internationalization of OWASP Content|'''Two-way Internationalization of OWASP Content''']] Juan Carlos Calderon & Sebastien Deleersnyder
| colspan="2" style="background:#B3FF99" align="center" | [[:Best Practices for OWASP Chapter Leaders|'''OWASP Best Practices for Chapter Leaders''']] [https://www.owasp.org/images/0/01/BestPractices_2008.pptx WS Conclusions] Georg Hess
| colspan="2" style="background:#B3FF99" align="center" | [[:OWASP Working Session - OWASP Live CD&DVD|'''OWASP Live CD & DVD''']] Matt Tesauro
|-
| style="background:#7B8ABD" align="center" | 20:00
| colspan="5" style="background:#C2C2C2" align="center" | Gala Dinner
|-
| style="background:#7B8ABD " align="center" | 22:00
| colspan="5" style="background:#C2C2C2" align="center" | OWASP Band
|}

{| style="width:80%" border="0" align="center"
| colspan="2" align="center" style="background:#4058A0; color:white" | Agenda for Friday, November 7th, 2008
|-
| style="width:10%; background:#7B8ABD" align="center" | 10:00
| style="width:80%; background:#F2F2F2" align="center" | Daily Briefing Dinis Cruz
|-
| style="width:10%; background:#7B8ABD" align="center" | 10:15
| style="width:80%; background:#f2984c" align="center" | OWASP AppSec Agenda 2009: Working Session Outcomes
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Documentation Projects/Guides Integration and Unified 4.0 Version Eduardo Neves
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Browser Security Arshan Dabirsiaghi
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | ESAPI Jeff Williams
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Tools Projects Matt Tesauro
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Code Review Guide Eoin Keary
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | OWASP Certification Tom Brennan
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Software Assurance Maturity Model Pravir Chandra
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Top 10 2009 Dave Wichers
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Intra Governmental Affairs David Campbell
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Best Practices for Chapter Leaders Georg Hess
|-
| style="width:10%; background:#7B8ABD" align="center" | 11:15
| style="width:80%; background:#f2984c" align="center" | Coffee Break and Vote (put your dots on the wall)
|-
| style="width:10%; background:#7B8ABD" align="center" | 11:30
| style="width:80%; background:#C2C2C2" align="center" | Live CD & DVD Matt Tesauro
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | ADSR Leonardo Cavallari
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Education Project Sebastien Deleersnyder
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Web Application Framework Security Arshan Dabirsiaghi
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Testing Guide Matteo Meucci
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | OWASP Censorship Tom Brennan
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | EU Funding for OWASP Projects Carlos Serrao
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | OWASP Website Fabio Cerullo
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | OWASP Orizon Paolo Perego
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Handling Web MalWare
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | 2-Way Internationalization Juan Carlos Calderon
|-
| style="width:10%; background:#7B8ABD" |
| style="width:80%; background:#C2C2C2" align="center" | Portuguese Public & Private Organizations Carlos Serrao
|-
| style="width:10%; background:#7B8ABD" align="center" |
| style="width:80%; background:#C2C2C2" align="center" | Winter of Code 2009 Dinis Cruz and Sebastien Deleersnyder
|-
| style="width:10%; background:#7B8ABD" align="center" | 13:00
| style="width:80%; background:#F2F2F2" align="center" | Lunch
|-
| style="width:10%; background:#7B8ABD" align="center"| 14:00
| style="width:80%; background:#f2984c" align="center" | [http://www.owasp.org/index.php/Owasp_Board_Meetings_11-07-08 Board Meeting]
|-
| style="width:10%; background:#7B8ABD" align="center" | 17:00
| style="width:80%; background:#f2984c" align="center" | Announcement of Summit Procedings
|}

== OWASP BOARD MEETING ==
Board meeting was held at the OWASP Summit - [http://www.owasp.org/index.php/Owasp_Board_Meetings_11-07-08 RESULTS].

== EVENT'S PHOTOS ==

More event's photos can be seen [http://picasaweb.google.com/paulocoimbra7/OWASPSummitEUPortugal2008# here]. [http://picasaweb.google.com/paulocoimbra7/OWASPSummitEUPortugal2008#slideshow Summit's slide show].

==ARCHIVED DATA==

'''FORMER AGENDA''': [[:OWASP EU Summit 2008 Former Agenda|Click here to see.]]

'''SUMMIT BROCHURE''': [https://www.owasp.org/images/8/89/OWASP_EU_Summit_2008-Overview.pdf 6 page brochure] or this [https://www.owasp.org/images/3/3d/OWASP_EU_Summit_2008_-Full_Brochure.pdf 33 page brochure].

'''VENUE & TRAVEL ARRANGEMENTS''': The OWASP European Summit 2008 was hosted at the 5 start Resort in Algarve Portugal ([http://www.granderealsantaeulaliahotel.com/index.html '''Grande Real Santa Eulália Resort & Hotel''']). Hotel booking and the travel arrangements were be handled via [http://www.diplomatatours.pt/owasp.php '''Diplomata Tours'''], the assigned travel agency. The venue location - [http://maps.google.com/maps?f=q&hl=en&geocode=&q=Grande+Real+Santa+Eul%C3%A1lia+Resort+%26+Hotel+algarve&sll=37.015438,-7.919769&sspn=0.084982,0.176468&ie=UTF8&ll=37.124054,-8.182583&spn=0.08486,0.176468&z=13&iwloc=B Google Maps Link]. Nearest Airport - [http://maps.google.co.uk/maps?f=q&hl=en&geocode=&q=Aeroporto+de+Faro,+Montenegro,+Faro,+8005,+Portugal&ie=UTF8&ll=37.096812,-7.967834&spn=0.502766,1.235962&z=10&output=html Faro].

'''OTHER LINKS''': [[OWASP EU Summit 2008--PRESS|Press Information]], [[:OWASP Working Session - Browser Security Letters|Open Letter to Browsers&Frameworks]], [[:OWASP Summit UALG 1 Day Conference|OWASP Summit UALG 1 Day Conference]], [http://twitter.com/OwaspEU08Summit OwaspEU08Summit on Twitter!], [[OWASP EU Summit 2008 Internals|OWASP EU Summit 2008 Internals]].

'''SPONSORS''':
{| style="width:100%" border="0" align="center"
! colspan="0" align="center" style="background:white; color:white" |
|-
| style="width:100%; background:#FFDF80"; align="center" | https://www.owasp.org/images/5/5a/AOD_Logo_2c.gif https://www.owasp.org/images/9/9e/Mnemonic_logo.png https://www.owasp.org/images/1/1a/Softtek_logo.gif
|}

[[Category:OWASP AppSec Conference]]

Project Information:template Source Code Review OWASP Projects

2008-12-09T18:26:39Z

Walden:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Source Code Review OWASP-Projects Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The objectives of this project are: 1. Develop and document a workflow for FLOSS projects to incorporate static analysis into the Software Development Life Cycle (SDLC); 2. Apply the above workflow as a required step for OWASP projects; 3. Aid in auditing select FLOSS projects to create a baseline for comparing security amongst FLOSS projects.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:dan@denimgroup.com '''Dan Cornell'''] SoC's Project Leader [mailto:waldenj1@nku.edu '''James Walden''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:jderry@owasp.org '''Justin Derry'''] 
[mailto:doylem3@nku.edu '''Maureen Doyle'''] 
[mailto:whelanm87@gmail.com '''Michael Whelan''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects '''Mailing List/Subscribe'''] [mailto:OWASP-SCode-Review-OWASP-Projects(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:afry(at)strongcrypto.biz '''Alex Fry'''] [http://www.linkedin.com/in/alexanderfry Profile]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marco.m.morana(at)gmail.com '''Marco M. Morana'''] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Marco M Morana Curriculum|Curriculum]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* Updated workflow [[Image:Workflow_July_11a.zip]]
* [[Image:Workflow_Draft1.pdf]]
* [[Image:CreateProjectExample.pdf]]
* [https://owasp.fortify.com/teamserver/welcome.fhtml Fortify OWASP Open Review Project]
* [[Image:OWASPEU_SourceReview.ppt]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [[:Category:OWASP Open Review Project|'''OWASP Open Review Project (ORPRO)''']]

|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' --------- Which status has been reached? '''Season of Code''' - --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

File:OWASPEU SourceReview.ppt

2008-12-09T18:26:22Z

Walden: OWASP EU Summit 2008 presentation for the Source Code Review OWASP Projects Summer of Code project.

OWASP EU Summit 2008 presentation for the Source Code Review OWASP Projects Summer of Code project.

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-10-31T03:07:28Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted 10 OWASP projects to be analyzed on the owasp.fortify.com site to establish an OWASP baseline.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish an open source baseline.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We spent the time since the project midpoint submitting projects to the owasp.fortify.com site. The current status of tasks is:
# Workflow for introducing static analysis into OWASP projects (100%).
# Analyzed 10 OWASP projects (100%).
# Analyzed 25 most popular open source PHP projects on owasp.fortify.com (100%).
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All Alpha criteria are fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The documentation needs to be expanded and links added to the code review guide.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We will add the OWASP EU Summit presentation to fulfill that requirement once it's ready.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
To ensure that this project leads to continuing improvement in the security of OWASP projects, we need more OWASP project leaders to incorporate static analysis into their project's software development lifecycle. We have received only one volunteer who was willing to take the time to incorporate static analysis into his project: Yiannis, project leader of the JBroFuzz project. We can analyze OWASP projects on our own, but it's important to include static analysis as part of the lifecycle.
|}

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-10-31T03:06:22Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish a baseline.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We spent the time since the project midpoint submitting projects to the owasp.fortify.com site. The current status of tasks is:
# Workflow for introducing static analysis into OWASP projects (100%).
# Analyzed 25 most popular open source PHP projects on owasp.fortify.com (100%).
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All Alpha criteria are fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The documentation needs to be expanded and links added to the code review guide.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We will add the OWASP EU Summit presentation to fulfill that requirement once it's ready.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
To ensure that this project leads to continuing improvement in the security of OWASP projects, we need more OWASP project leaders to incorporate static analysis into their project's software development lifecycle. We have received only one volunteer who was willing to take the time to incorporate static analysis into his project: Yiannis, project leader of the JBroFuzz project. We can analyze OWASP projects on our own, but it's important to include static analysis as part of the lifecycle.
|}

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-10-31T03:02:39Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish a baseline.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We spent the time since the project midpoint submitting projects to the owasp.fortify.com site. The current status of tasks is:
# Workflow for introducing static analysis into OWASP projects (100%).
# Analyzed 25 most popular open source PHP projects on owasp.fortify.com (100%).
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All Alpha criteria are fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We will add the OWASP EU Summit presentation to fulfill that requirement once it's ready.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
To ensure that this project leads to continuing improvement in the security of OWASP projects, we need more OWASP project leaders to incorporate static analysis into their project's software development lifecycle. We have received only one volunteer who was willing to take the time to incorporate static analysis into his project: Yiannis, project leader of the JBroFuzz project. We can analyze OWASP projects on our own, but it's important to include static analysis as part of the lifecycle.
|}

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-10-30T20:07:10Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish a baseline.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We spent the time since the project midpoint submitting projects to the owasp.fortify.com site. The current status of tasks is:
# Workflow for introducing static analysis into OWASP projects (100%).
# Analyzed 25 most popular open source PHP projects on owasp.fortify.com (100%).
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
To ensure that this project leads to continuing improvement in the security of OWASP projects, we need more OWASP project leaders to incorporate static analysis into their project's software development. We have received only one volunteer who was willing to take the time to incorporate static analysis into his project: Yiannis, project leader of the JBroFuzz project.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-10-30T20:05:39Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish a baseline.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We spent the time since the project midpoint submitting projects to the owasp.fortify.com site. The current status of tasks is:
# Workflow for introducing static analysis into OWASP projects (100%).
# Analyzed 25 most popular open source PHP projects on owasp.fortify.com (100%).
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We need to find more OWASP project leaders to incorporate static analysis into their project's software development. We have worked with Yiannis, project leader of the JBroFuzz project.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-10-30T20:04:23Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish a baseline.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
We spent the time since the project midpoint submitting projects to the owasp.fortify.com site. The current status of tasks is:
# Workflow for introducing static analysis into OWASP projects (100%).
# Analyzed 25 most popular open source PHP projects on owasp.fortify.com (100%).
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
| We need to find more OWASP project leaders to incorporate static analysis into their project's software development.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-10-30T20:02:17Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
#Team finalized (Maureen Doyle, James Walden, Michael Whelan.)
#Projects selected for initial analysis (AntiSamy, WebScarab, OWASP Enterprise Security API (ESAPI) Project)
#Preliminary workflow.
#No projects submitted to Fortify Open Source Review, as Fortify is updating the application. We have talked extensively with Fortify and OWASP about the changes and how they match our workflow.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The current status of tasks planned for the end of June is:
#Team finalized (100%)
#Projects selected (100%)
#Preliminary workflow (100%)
#Projects submitted (0%)
Since the Fortify open source review is not currently accepting projects, we have not been able to submit any projects. However, we are currently analyzing the following tools using Fortify's commercial source code analyzer (SCA) tool.
#MediaWiki
#SquirrelMail
#WordPress
The updated version of Fortify's web site will allow us to upload the FPR files generated by this tool to create projects immediately, instead of waiting a week. The following tasks remain to be done:
#Revise workflow based on reviews.
#Submit initial project to Fortify site once its online for testing.
#Submit 3 projects as continuously analyzed projects on Fortify site.
#Select additional OWASP and non-OWASP projects to analyze.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|We need feedback and direction on the preliminary workflow.
|}

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-10-30T19:50:31Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The major project objectives have been accomplished:
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish a baseline.
# We are working with one OWASP project leader to submit his project to the workflow.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B

2008-10-30T19:48:56Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
# We have finalized the workflow for introducing static analysis into OWASP projects.
# We have submitted the 25 most popular open source PHP projects to the be analyzed on the owasp.fortify.com site to establish a baseline.
# We are working with one OWASP project leader to submit his project to the workflow.
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

OWASP Working Session Education Project

2008-10-27T20:40:08Z

Walden:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#b3b3b3; color:white"|'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Education Project '''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|Set 2009 goals for the OWASP Education project
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
[[:Category:OWASP Education Project|OWASP Education Project]]
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|'''Chair''' [mailto:seba(at)owasp.org '''Sebastien Deleersnyder''']
| style="width:25%; background:#cccccc" align="center"|'''Secretary''' [mailto:martin.knobloch(at)sogeti.nl '''Martin Knobloch''']
| style="width:25%; background:#cccccc" align="center"|'''Mailing list''' [https://lists.owasp.org/mailman/listinfo/owasp-education '''Subscription Page''']
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION SPECIFICS'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
* How to improve knowledge transfer from OWASP projects towards the community,
* How to create training material (lessons, classes, courses) from OWASP project material?
* How to set up an OWASP education baseline,
* How to setup an OWASP Boot Camp,
* How to connect to organisation to promote OWASP education content: e.g. universities, other non-profit (or profit?) education organisations,
* How to organize the OWASP / Conference trainings to make them the best in the world?
* Can we integrate this into OWASP certification projects?
* How to setup an OWASP Boot Camp?
* How to create lessons, classes, courses from OWASP project material?
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
| style="width:25%; background:#cccccc" align="center"|'''Venue''' [[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]
| style="width:25%; background:#cccccc" align="center"|'''Date&Time''' November 5, 2008 Time TBD
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model''' "Everybody is a Participant"
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}

{|style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OPERATIONAL RESOURCES'''
|-
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION ADDITIONAL DETAILS'''
|-
| style="width:100%; background:#cccccc" align="left"|There is plenty of knowledge available inside the OWASP community. This is spread via the OWASP AppSec Conferences and the local chapter meetings, not to forget the books available now. Another, very important way to distribute the available knowledge is to teach! In plenty presentations knowledge is put into slides to share it. The next step is to reuse the information of those presentations and create training material. In a Boot Camp for example, it's not only about telling how to break stuff, but let the attendees break it themselves. Also let them fix the problems, with guidance of the experienced!
|}
{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES'''
|-
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group'''
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Educational Support on Winter of Code 2008.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Guildeline about creating training material.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|}
== Working Session Participants ==
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION PARTICIPANTS'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:15%; background:#cccccc" align="center"|'''Name'''
| style="width:15%; background:#cccccc" align="center"|'''Company'''
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''
|-
| style="width:7%; background:#7B8ABD" align="center"|1
| style="width:15%; background:#cccccc" align="center"| Sébastien GIORIA
| style="width:15%; background:#cccccc" align="center"| OWASP France
| style="width:63%; background:#cccccc" align="center"| I actually doing some training in government, company, school, training center oriented to Web security with some OWASP material (WebGoat, WebScarab) and want to see how we can "internationalize" the content for training and see what we can do a very good packages for OWASP. I could not be in Portugal, so I could participate (depending of Time) with Skype && Twitter or other tools
|-
| style="width:7%; background:#7B8ABD" align="center"|2
| style="width:15%; background:#cccccc" align="center"| Eduardo Neves
| style="width:15%; background:#cccccc" align="center"| OWASP Brazil
| style="width:63%; background:#cccccc" align="center"| To discuss how the educational initiatives can be liaised with Universities and other educational sources to use OWASP tools and documents on educational actions and market development.
|-
| style="width:7%; background:#7B8ABD" align="center"|3
| style="width:15%; background:#cccccc" align="center"| Colin Watson
| style="width:15%; background:#cccccc" align="center"| OWASP London
| style="width:63%; background:#cccccc" align="center"| Interested in how we spread the word to non-technology professions - business owners, procurement specialists, project managers, marketers, graphic designers.
|-
| style="width:7%; background:#7B8ABD" align="center"|4
| style="width:15%; background:#cccccc" align="center"| Andrzej Targosz
| style="width:15%; background:#cccccc" align="center"| OWASP Poland
| style="width:63%; background:#cccccc" align="center"| How to spread training in universities.
|-
| style="width:7%; background:#7B8ABD" align="center"|4
| style="width:15%; background:#cccccc" align="center"| Joaquim Marques
| style="width:15%; background:#cccccc" align="center"| OWASP Portugal
| style="width:63%; background:#cccccc" align="center"| How to spread training and educational initiatives in universities.
|-
| style="width:7%; background:#7B8ABD" align="center"|5
| style="width:15%; background:#cccccc" align="center"| James Walden
| style="width:15%; background:#cccccc" align="center"| Northern Kentucky University (NKU)
| style="width:63%; background:#cccccc" align="center"| Expand university awareness of web application security
|-
| style="width:7%; background:#7B8ABD" align="center"|6
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|7
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|8
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|9
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|10
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|}
If needed add here more lines.

[[Category:OWASP_Working_Session]]

Project Information:template Source Code Review OWASP Projects

2008-10-21T20:00:35Z

Walden:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Source Code Review OWASP-Projects Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The objectives of this project are: 1. Develop and document a workflow for FLOSS projects to incorporate static analysis into the Software Development Life Cycle (SDLC); 2. Apply the above workflow as a required step for OWASP projects; 3. Aid in auditing select FLOSS projects to create a baseline for comparing security amongst FLOSS projects.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:dan@denimgroup.com '''Dan Cornell'''] SoC's Project Leader [mailto:waldenj1@nku.edu '''James Walden''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:jderry@owasp.org '''Justin Derry'''] 
[mailto:doylem3@nku.edu '''Maureen Doyle'''] 
[mailto:whelanm87@gmail.com '''Michael Whelan''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects '''Mailing List/Subscribe'''] [mailto:OWASP-SCode-Review-OWASP-Projects(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:afry(at)strongcrypto.biz '''Alex Fry'''] [http://www.linkedin.com/in/alexanderfry Profile]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marco.m.morana(at)gmail.com '''Marco M. Morana'''] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Marco M Morana Curriculum|Curriculum]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* Updated workflow [[Image:Workflow_July_11a.zip]]
* [[Image:Workflow_Draft1.pdf]]
* [[Image:CreateProjectExample.pdf]]
* [https://owasp.fortify.com/teamserver/welcome.fhtml Fortify OWASP Open Review Project]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|

|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Project Information:template Source Code Review OWASP Projects

2008-10-21T19:59:11Z

Walden:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Source Code Review OWASP-Projects Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The objectives of this project are: 1. Develop and document a workflow for FLOSS projects to incorporate static analysis into the Software Development Life Cycle (SDLC); 2. Apply the above workflow as a required step for OWASP projects; 3. Aid in auditing select FLOSS projects to create a baseline for comparing security amongst FLOSS projects.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:dan@denimgroup.com '''Dan Cornell'''] SoC's Project Leader [mailto:waldenj1@nku.edu '''James Walden''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:jderry@owasp.org '''Justin Derry'''] 
[mailto:doylem3@nku.edu '''Maureen Doyle'''] 
[mailto:whelanm87@gmail.com '''Michael Whelan''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects '''Mailing List/Subscribe'''] [mailto:OWASP-SCode-Review-OWASP-Projects(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:afry(at)strongcrypto.biz '''Alex Fry'''] [http://www.linkedin.com/in/alexanderfry Profile]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marco.m.morana(at)gmail.com '''Marco M. Morana'''] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Marco M Morana Curriculum|Curriculum]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* 7/11/08 - Updated workflow [[Image:Workflow_July_11a.zip]]
* replaced 7/11/08 - [[Image:Workflow_Draft1.pdf]]
* replaced 7/11/08 - [[Image:CreateProjectExample.pdf]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[https://owasp.fortify.com/teamserver/welcome.fhtml Fortify OWASP Open Review Project]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Source Code Review OWASP Projects 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

OWASP Working Session - Code Review Guide

2008-10-21T19:39:39Z

Walden:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#b3b3b3; color:white"|'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''Code Review Guide'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|TBD
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
[[:Category:OWASP Code Review Project|OWASP Code Review Project]]
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|'''Chair''' [mailto:eoin.keary(at)owasp.org '''Eoin Keary''']
| style="width:25%; background:#cccccc" align="center"|'''Secretary''' [mailto:name(at)name '''TBD''']
| style="width:25%; background:#cccccc" align="center"|'''Mailing list''' [https://lists.owasp.org/mailman/listinfo/owasp-codereview '''Subscription Page''']
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION SPECIFICS'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
* Discuss next version of code review guide.
* Discuss industry requirements for code review.
* Discuss academic versus practical ramifications of guide.
* Brainstorm: Ideas for integration with other projects and tools.
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
| style="width:25%; background:#cccccc" align="center"|'''Venue''' [[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]
| style="width:25%; background:#cccccc" align="center"|'''Date&Time''' November 5 & 6, 2008 Time TBD
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model''' "Everybody is a Participant"
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}

{|style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OPERATIONAL RESOURCES'''
|-
| style="width:100%; background:#cccccc" align="center"|Whteboard and Pens, Projector, Coffee :)
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION ADDITIONAL DETAILS'''
|-
| style="width:100%; background:#cccccc" align="left"|
Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.
|}
{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES'''
|-
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group'''
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Develop a roadmap for the code review guide: Technologies, approaches.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|}
== Working Session Participants ==
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION PARTICIPANTS'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:15%; background:#cccccc" align="center"|'''Name'''
| style="width:15%; background:#cccccc" align="center"|'''Company'''
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''
|-
| style="width:7%; background:#7B8ABD" align="center"|1
| style="width:15%; background:#cccccc" align="center"|Paolo Perego (aka thesp0nge)
| style="width:15%; background:#cccccc" align="center"|Spike Reply
| style="width:63%; background:#cccccc" align="center"|Owasp Orizon - Project Leader
|-
| style="width:7%; background:#7B8ABD" align="center"|2
| style="width:15%; background:#cccccc" align="center"|David Rook
| style="width:15%; background:#cccccc" align="center"|Realex Payments
| style="width:63%; background:#cccccc" align="center"|Contributor to Code Review Guide
|-
| style="width:7%; background:#7B8ABD" align="center"|3
| style="width:15%; background:#cccccc" align="center"|Giorgio Fedon
| style="width:15%; background:#cccccc" align="center"|Minded Security
| style="width:63%; background:#cccccc" align="center"|Very interested in the topic
|-
| style="width:7%; background:#7B8ABD" align="center"|4
| style="width:15%; background:#cccccc" align="center"| Matteo Meucci
| style="width:15%; background:#cccccc" align="center"| Minded Security
| style="width:63%; background:#cccccc" align="center"| Interested in integrating OWASP big 4: Dev, Code Review, Testing, ADSR
|-
| style="width:7%; background:#7B8ABD" align="center"|5
| style="width:15%; background:#cccccc" align="center"|Kuai Hinojosa
| style="width:15%; background:#cccccc" align="center"|OWASP (MSP) Chapter Leader
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|6
| style="width:15%; background:#cccccc" align="center"|James Walden
| style="width:15%; background:#cccccc" align="center"|NKU
| style="width:63%; background:#cccccc" align="center"|OWASP Source Code Analysis Project
|-
| style="width:7%; background:#7B8ABD" align="center"|7
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|8
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|9
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|10
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|}
If needed add here more lines.

[[Category:OWASP_Working_Session]]

Code Review Guide Frontispiece

2008-10-21T18:36:02Z

Walden:

==Welcome to the OWASP Code Review Guide 1.1==
“Thank Jaysus for the interweb” 
-- [[User:EoinKeary|Eoin Keary]]

OWASP thanks the authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Code review Guide, please e-mail the Code review Guide mail list:

https://lists.owasp.org/mailman/listinfo/owasp-codereview

==Copyright and License==

Copyright (c) 2008 The OWASP Foundation.

This document is released under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons 2.5 License]. Please read and understand the license and copyright conditions.

==Revision History ==

The Code review guide originated in 2006 and an splinter project from the testing guide. It was concieved by Eoin Keary in 2005 and transformed into a wiki.

; September 30, 2007
: "OWASP Code Review Guide", Version 1.0 (RC1)

; December 22, 2007
: ""OWASP Code Review Guide", Version 1.0 (RC2)

; November 01, 2008
: "OWASP Code Review Guide", Version 1.1 (Release)

== Editors ==
'''Eoin Keary''': OWASP Code Review Guide 2005- Lead

== Authors ==

Jenelle Chapman
Andrew van der Stock
Eoin Keary
Paolo Perego
David Lowry
David Rook
James Walden

== Reviewers ==
Jeff Williams
Rahim Jina

==Trademarks==

* Java, Java Web Server, and JSP are registered trademarks of Sun Microsystems, Inc.
* Microsoft is a registered trademark of Microsoft Corporation.
* OWASP is a registered trademark of the OWASP Foundation

All other products and company names may be trademarks of their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

{{Category:OWASP Code Review Project}}

OWASP EU Summit 2008 Paid Participants

2008-09-09T19:55:54Z

Walden: /* Provisory list of 'expenses paid' participants */

== Provisory list of 'expenses paid' participants ==

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECTED CONFERENCE PAID ATTENDEES AND/OR SPEAKERS - NEEDS OWASP BOARD CONFIRMATION'''
|-
| style="width:20%; background:#b3b3b3" align="center"|'''NAME'''
| style="width:40%; background:#b3b3b3" align="center"|'''POSITION/REASON OF ATTENDANCE'''
| style="width:20%; background:#b3b3b3" align="center"|'''COUNTRY'''
| style="width:20%; background:#b3b3b3" align="center"|'''DEPARTURE (AIRPORT/CITY)'''
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP BOARD MEMBERS & EMPLOYEES'''
|-
| style="width:20%; background:#cccccc" align="center"|Jeff Williams
| style="width:40%; background:#cccccc" align="center"|Board, Chair, Wiki, Management
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
| style="width:20%; background:#cccccc" align="center"|Dave Wichers
| style="width:40%; background:#cccccc" align="center"|Board, Conferences, Financials
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
| style="width:20%; background:#cccccc" align="center"|Dinis Cruz
| style="width:40%; background:#cccccc" align="center"|Board, Firehose of Ideas and Money spender
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Tom Brennan
| style="width:40%; background:#cccccc" align="center"|Board, OWASP Governance
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|New York, NY
|-
| style="width:20%; background:#cccccc" align="center"|Sebastien Deleersnyder
| style="width:40%; background:#cccccc" align="center"|Board, OWASP Chapters and Projects
| style="width:20%; background:#cccccc" align="center"|Belgium
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Paulo Coimbra
| style="width:40%; background:#cccccc" align="center"|Employee, Project Manager
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann
| style="width:40%; background:#cccccc" align="center"|Employee, Operations Director
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Achim Hoffmann
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Skavenger Project, OWASP w3af Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|Frankfurt or Munich
|-
| style="width:20%; background:#cccccc" align="center"|Alexander Fry
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Source Code Review OWASP Projects OWASP Teachable Static Analysis Workbench OWASP WeBekci Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Arshan Dabirsiaghi
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP AntiSamy Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Baltimore, MD
|-
| style="width:20%; background:#cccccc" align="center"|Andrew Petukhov
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Access Control Rules Tester Project
| style="width:20%; background:#cccccc" align="center"|Russia
| style="width:20%; background:#cccccc" align="center"|Moscow
|-
| style="width:20%; background:#cccccc" align="center"|Dmitry Kozlov
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Teachable Static Analysis, OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project
| style="width:20%; background:#cccccc" align="center"|Russia
| style="width:20%; background:#cccccc" align="center"|Moscow
|-
| style="width:20%; background:#cccccc" align="center"|Arturo Alberto Busleiman
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Enigform and mod_Openpgp
| style="width:20%; background:#cccccc" align="center"|Argentina
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Carlo Pelliccioni
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Backend Security Project
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|Rome (FCO)
|-
| style="width:20%; background:#cccccc" align="center"|Deb, LX Studios
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Book Cover & Sleeve Design, OWASP Individual & Corporate Member Packs, Conference Attendee Packs
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Eduardo Vianna de Camargo Neves
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Positive Security
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|Curitiba (CWB)
|-
| style="width:20%; background:#cccccc" align="center"|Wagner Elias
| style="width:40%; background:#cccccc" align="center"|Reviwer, OWASP Positive Security
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|São Paulo(GRU)
|-
| style="width:20%; background:#cccccc" align="center"|Eoin Keary
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Code Review Guide, Chapter Leader
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)
|-
| style="width:20%; background:#cccccc" align="center"|Esteban Ribicic
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Backend Security Project OWASP Classic ASP Security Project OWASP AntiSamy .NET OWASP Interceptor Project - 2008 Update
| style="width:20%; background:#cccccc" align="center"|Croatia
| style="width:20%; background:#cccccc" align="center"|Wien
|-
| style="width:20%; background:#cccccc" align="center"|Fabio Cerullo
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)
|-
| style="width:20%; background:#cccccc" align="center"|Frederick Donovan
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|United States
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Heiko Webers
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Ruby on Rails Security Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|Frankfurt
|-
| style="width:20%; background:#cccccc" align="center"|Anthony Shireman
| style="width:40%; background:#cccccc" align="center"|Project reviewer, OWASP Ruby on Rails Security Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Portland, OR (PDX)
|-
| style="width:20%; background:#cccccc" align="center"|Justin Derry
| style="width:40%; background:#cccccc" align="center"|Chapter leader & Project Leader, OWASP Interceptor Project
| style="width:20%; background:#cccccc" align="center"|Sydney Australia
| style="width:20%; background:#cccccc" align="center"|Sydney Australia
|-
| style="width:20%; background:#cccccc" align="center"|Kevin Fuller
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3 OWASP SQL Injector Benchmarking Project (SQLiBENCH)
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Sacramento Ca
|-
| style="width:20%; background:#cccccc" align="center"|Leonardo Cavallari Militelli
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|Sao Paulo (GRU)
|-
| style="width:20%; background:#cccccc" align="center"|Mark Roxberry
| style="width:40%; background:#cccccc" align="center"|Leader, OWASP .NET Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Matt Tesauro
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Live CD 2008
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Austin, TX or Dallas, TX
|-
| style="width:20%; background:#cccccc" align="center"|Matteo Meucci
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Testing Guide
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|Rome
|-
| style="width:20%; background:#cccccc" align="center"|Matthias Rohr
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Skavenger Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Michael Coates
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP AppSensor
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Chicago
|-
| style="width:20%; background:#cccccc" align="center"|Nam Nguyen
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3, Python Static Analysis, OWASP Education
| style="width:20%; background:#cccccc" align="center"|Vietnam
| style="width:20%; background:#cccccc" align="center"|Ho Chi Minh City
|-
| style="width:20%; background:#cccccc" align="center"|P.Satish Kumar
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Code Review Guide
| style="width:20%; background:#cccccc" align="center"|India
| style="width:20%; background:#cccccc" align="center"|Hyderabad/Mumbai/Chennai
|-
| style="width:20%; background:#cccccc" align="center"|Paolo Perego
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Orizon Project
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Parvathy Iyer
| style="width:40%; background:#cccccc" align="center"|OWASP Corporate Application Security Guide
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Newark (New Jersey)or Newyork (Newyork city)
|-
| style="width:20%; background:#cccccc" align="center"|Pierre Parrend
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP OpenSign Server Project OWASP Application Security Verification Standard
| style="width:20%; background:#cccccc" align="center"|France
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Stephen Craig Evans
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Securing WebGoat using ModSecurity
| style="width:20%; background:#cccccc" align="center"|Singapore
| style="width:20%; background:#cccccc" align="center"|Singapore
|-
| style="width:20%; background:#cccccc" align="center"|Jason Li
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP JSP Testing Tool
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Baltimore
|-
| style="width:20%; background:#cccccc" align="center"|Gandhi Aryavalli Sriranga Narasimha
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|India
| style="width:20%; background:#cccccc" align="center"|Bangalore
|-
| style="width:20%; background:#cccccc" align="center"|Rodrigo Marcos
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Marcin Wielgoszewski
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP AntiSamy.NET
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|New York, NY
|-
| style="width:20%; background:#cccccc" align="center"|James Walden
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Source Code Review OWASP Projects
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Cincinnati, OH
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 SPECIAL PROJECT CONTRIBUTORS'''
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008/LOGISTICS'''
|-
| style="width:20%; background:#cccccc" align="center"|Sarah Cruz
| style="width:40%; background:#cccccc" align="center"|Project leader, Graphic Design
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SPRING OF CODE 2007 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Joshua Perrymon
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP LiveCD, OWASP Phishing Framework, Alabama Chapter Lead
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Birmingham,AL
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP AUTUMN OF CODE 2006 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Rogan Dawes
| style="width:40%; background:#cccccc" align="center"|Project leader, WebScarab-NG
| style="width:20%; background:#cccccc" align="center"|South Africa
| style="width:20%; background:#cccccc" align="center"|Johannesburg, South Africa
|-
| style="width:20%; background:#cccccc" align="center"|Simon Roses Femerling
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Pantera
| style="width:20%; background:#cccccc" align="center"|Spain
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE PROJECT LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Alex Smolen
| style="width:40%; background:#cccccc" align="center"| Project leader, .NET ESAPI
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE CHAPTER LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Steve Antoniewicz
| style="width:40%; background:#cccccc" align="center"|Chapter Board Member, NY/NJ Metro
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Kuai Hinojosa
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Twin-Cities
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Jim Manico
| style="width:40%; background:#cccccc" align="center"|Chapter leader/founder, Hawaii
| style="width:20%; background:#cccccc" align="center"|Hawaii, USA
| style="width:20%; background:#cccccc" align="center"|Anahola, Island of Kauai
|-
| style="width:20%; background:#cccccc" align="center"|Rex Booth
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Washington DC
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington DC
|-
| style="width:20%; background:#cccccc" align="center"|Andrzej Targosz
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Poland
| style="width:20%; background:#cccccc" align="center"|Poland
| style="width:20%; background:#cccccc" align="center"|Cracow
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''SIGNIFICANT PAST OWASP CONTRIBUTOR (NOT ALREADY COVERED BY ONE OF THE ABOVE CATEGORIES)'''
|-
| style="width:20%; background:#cccccc" align="center"|David Rook
| style="width:40%; background:#cccccc" align="center"|Code Review Guide Contributor, Irish Chapter Contributor
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)

|-
! colspan="7" align="left" style="background:white; color:black"|''''KEY INDUSTRY PLAYERS' INVITED TO THE WORKING SESSIONS (NOT ALREADY COVERED BY ONE OF THE ABOVE CATEGORIES)'''
|-
| style="width:20%; background:#cccccc" align="center"|Colin Watson
| style="width:40%; background:#cccccc" align="center"|OWASP Awards Contributor
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|?
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP NON-INDIVIDUAL MEMBERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
|}

OWASP EU Summit 2008 Paid Participants

2008-09-09T19:53:59Z

Walden: /* Provisory list of 'expenses paid' participants */

== Provisory list of 'expenses paid' participants ==

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECTED CONFERENCE PAID ATTENDEES AND/OR SPEAKERS - NEEDS OWASP BOARD CONFIRMATION'''
|-
| style="width:20%; background:#b3b3b3" align="center"|'''NAME'''
| style="width:40%; background:#b3b3b3" align="center"|'''POSITION/REASON OF ATTENDANCE'''
| style="width:20%; background:#b3b3b3" align="center"|'''COUNTRY'''
| style="width:20%; background:#b3b3b3" align="center"|'''DEPARTURE (AIRPORT/CITY)'''
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP BOARD MEMBERS & EMPLOYEES'''
|-
| style="width:20%; background:#cccccc" align="center"|Jeff Williams
| style="width:40%; background:#cccccc" align="center"|Board, Chair, Wiki, Management
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
| style="width:20%; background:#cccccc" align="center"|Dave Wichers
| style="width:40%; background:#cccccc" align="center"|Board, Conferences, Financials
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
| style="width:20%; background:#cccccc" align="center"|Dinis Cruz
| style="width:40%; background:#cccccc" align="center"|Board, Firehose of Ideas and Money spender
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Tom Brennan
| style="width:40%; background:#cccccc" align="center"|Board, OWASP Governance
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|New York, NY
|-
| style="width:20%; background:#cccccc" align="center"|Sebastien Deleersnyder
| style="width:40%; background:#cccccc" align="center"|Board, OWASP Chapters and Projects
| style="width:20%; background:#cccccc" align="center"|Belgium
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Paulo Coimbra
| style="width:40%; background:#cccccc" align="center"|Employee, Project Manager
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann
| style="width:40%; background:#cccccc" align="center"|Employee, Operations Director
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Achim Hoffmann
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Skavenger Project, OWASP w3af Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|Frankfurt or Munich
|-
| style="width:20%; background:#cccccc" align="center"|Alexander Fry
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Source Code Review OWASP Projects OWASP Teachable Static Analysis Workbench OWASP WeBekci Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Arshan Dabirsiaghi
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP AntiSamy Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Baltimore, MD
|-
| style="width:20%; background:#cccccc" align="center"|Andrew Petukhov
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Access Control Rules Tester Project
| style="width:20%; background:#cccccc" align="center"|Russia
| style="width:20%; background:#cccccc" align="center"|Moscow
|-
| style="width:20%; background:#cccccc" align="center"|Dmitry Kozlov
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Teachable Static Analysis, OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project
| style="width:20%; background:#cccccc" align="center"|Russia
| style="width:20%; background:#cccccc" align="center"|Moscow
|-
| style="width:20%; background:#cccccc" align="center"|Arturo Alberto Busleiman
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Enigform and mod_Openpgp
| style="width:20%; background:#cccccc" align="center"|Argentina
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Carlo Pelliccioni
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Backend Security Project
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|Rome (FCO)
|-
| style="width:20%; background:#cccccc" align="center"|Deb, LX Studios
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Book Cover & Sleeve Design, OWASP Individual & Corporate Member Packs, Conference Attendee Packs
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Eduardo Vianna de Camargo Neves
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Positive Security
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|Curitiba (CWB)
|-
| style="width:20%; background:#cccccc" align="center"|Wagner Elias
| style="width:40%; background:#cccccc" align="center"|Reviwer, OWASP Positive Security
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|São Paulo(GRU)
|-
| style="width:20%; background:#cccccc" align="center"|Eoin Keary
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Code Review Guide, Chapter Leader
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)
|-
| style="width:20%; background:#cccccc" align="center"|Esteban Ribicic
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Backend Security Project OWASP Classic ASP Security Project OWASP AntiSamy .NET OWASP Interceptor Project - 2008 Update
| style="width:20%; background:#cccccc" align="center"|Croatia
| style="width:20%; background:#cccccc" align="center"|Wien
|-
| style="width:20%; background:#cccccc" align="center"|Fabio Cerullo
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)
|-
| style="width:20%; background:#cccccc" align="center"|Frederick Donovan
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|United States
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Heiko Webers
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Ruby on Rails Security Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|Frankfurt
|-
| style="width:20%; background:#cccccc" align="center"|Anthony Shireman
| style="width:40%; background:#cccccc" align="center"|Project reviewer, OWASP Ruby on Rails Security Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Portland, OR (PDX)
|-
| style="width:20%; background:#cccccc" align="center"|Justin Derry
| style="width:40%; background:#cccccc" align="center"|Chapter leader & Project Leader, OWASP Interceptor Project
| style="width:20%; background:#cccccc" align="center"|Sydney Australia
| style="width:20%; background:#cccccc" align="center"|Sydney Australia
|-
| style="width:20%; background:#cccccc" align="center"|Kevin Fuller
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3 OWASP SQL Injector Benchmarking Project (SQLiBENCH)
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Sacramento Ca
|-
| style="width:20%; background:#cccccc" align="center"|Leonardo Cavallari Militelli
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|Sao Paulo (GRU)
|-
| style="width:20%; background:#cccccc" align="center"|Mark Roxberry
| style="width:40%; background:#cccccc" align="center"|Leader, OWASP .NET Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Matt Tesauro
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Live CD 2008
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Austin, TX or Dallas, TX
|-
| style="width:20%; background:#cccccc" align="center"|Matteo Meucci
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Testing Guide
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|Rome
|-
| style="width:20%; background:#cccccc" align="center"|Matthias Rohr
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Skavenger Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Michael Coates
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP AppSensor
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Chicago
|-
| style="width:20%; background:#cccccc" align="center"|Nam Nguyen
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3, Python Static Analysis, OWASP Education
| style="width:20%; background:#cccccc" align="center"|Vietnam
| style="width:20%; background:#cccccc" align="center"|Ho Chi Minh City
|-
| style="width:20%; background:#cccccc" align="center"|P.Satish Kumar
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Code Review Guide
| style="width:20%; background:#cccccc" align="center"|India
| style="width:20%; background:#cccccc" align="center"|Hyderabad/Mumbai/Chennai
|-
| style="width:20%; background:#cccccc" align="center"|Paolo Perego
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Orizon Project
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Parvathy Iyer
| style="width:40%; background:#cccccc" align="center"|OWASP Corporate Application Security Guide
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Newark (New Jersey)or Newyork (Newyork city)
|-
| style="width:20%; background:#cccccc" align="center"|Pierre Parrend
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP OpenSign Server Project OWASP Application Security Verification Standard
| style="width:20%; background:#cccccc" align="center"|France
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Stephen Craig Evans
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Securing WebGoat using ModSecurity
| style="width:20%; background:#cccccc" align="center"|Singapore
| style="width:20%; background:#cccccc" align="center"|Singapore
|-
| style="width:20%; background:#cccccc" align="center"|Jason Li
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP JSP Testing Tool
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Baltimore
|-
| style="width:20%; background:#cccccc" align="center"|Gandhi Aryavalli Sriranga Narasimha
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|India
| style="width:20%; background:#cccccc" align="center"|Bangalore
|-
| style="width:20%; background:#cccccc" align="center"|Rodrigo Marcos
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Marcin Wielgoszewski
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP AntiSamy.NET
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|New York, NY
|-
| style="width:20%; background:#cccccc" align="center"|James Walden
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Source Code Review OWASP Projects
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Highland Heights, KY
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 SPECIAL PROJECT CONTRIBUTORS'''
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008/LOGISTICS'''
|-
| style="width:20%; background:#cccccc" align="center"|Sarah Cruz
| style="width:40%; background:#cccccc" align="center"|Project leader, Graphic Design
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SPRING OF CODE 2007 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Joshua Perrymon
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP LiveCD, OWASP Phishing Framework, Alabama Chapter Lead
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Birmingham,AL
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP AUTUMN OF CODE 2006 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Rogan Dawes
| style="width:40%; background:#cccccc" align="center"|Project leader, WebScarab-NG
| style="width:20%; background:#cccccc" align="center"|South Africa
| style="width:20%; background:#cccccc" align="center"|Johannesburg, South Africa
|-
| style="width:20%; background:#cccccc" align="center"|Simon Roses Femerling
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Pantera
| style="width:20%; background:#cccccc" align="center"|Spain
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE PROJECT LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Alex Smolen
| style="width:40%; background:#cccccc" align="center"| Project leader, .NET ESAPI
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE CHAPTER LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Steve Antoniewicz
| style="width:40%; background:#cccccc" align="center"|Chapter Board Member, NY/NJ Metro
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Kuai Hinojosa
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Twin-Cities
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Jim Manico
| style="width:40%; background:#cccccc" align="center"|Chapter leader/founder, Hawaii
| style="width:20%; background:#cccccc" align="center"|Hawaii, USA
| style="width:20%; background:#cccccc" align="center"|Anahola, Island of Kauai
|-
| style="width:20%; background:#cccccc" align="center"|Rex Booth
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Washington DC
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington DC
|-
| style="width:20%; background:#cccccc" align="center"|Andrzej Targosz
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Poland
| style="width:20%; background:#cccccc" align="center"|Poland
| style="width:20%; background:#cccccc" align="center"|Cracow
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''SIGNIFICANT PAST OWASP CONTRIBUTOR (NOT ALREADY COVERED BY ONE OF THE ABOVE CATEGORIES)'''
|-
| style="width:20%; background:#cccccc" align="center"|David Rook
| style="width:40%; background:#cccccc" align="center"|Code Review Guide Contributor, Irish Chapter Contributor
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)

|-
! colspan="7" align="left" style="background:white; color:black"|''''KEY INDUSTRY PLAYERS' INVITED TO THE WORKING SESSIONS (NOT ALREADY COVERED BY ONE OF THE ABOVE CATEGORIES)'''
|-
| style="width:20%; background:#cccccc" align="center"|Colin Watson
| style="width:40%; background:#cccccc" align="center"|OWASP Awards Contributor
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|?
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP NON-INDIVIDUAL MEMBERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
|}

OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers

2008-06-26T18:07:39Z

Walden:

This page contains Projects, Authors, Status Target and Reviewers of the sponsored programme [[OWASP Summer of Code 2008]].
== DOCUMENTATION PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]'''
| align="CENTER" | Mike Boberski
| align="CENTER" | Beta
| align="CENTER" | [mailto:jeff.williams(at)owasp.org Jeff Williams] (Confirmed)
| align="CENTER" | [mailto:pierre.parrend(at)insa-lyon.fr Pierre Parrend] [http://www.rzo.free.fr Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP AppSensor Project|OWASP AppSensor - Detect and Respond to Attacks from Within the Application]]'''
| align="CENTER" | [mailto:michael.coates(at)aspectsecurity.com Michael Coates]
| align="CENTER" | Beta
| align="CENTER" | [mailto:eric.sheridan(at)aspectsecurity.com Eric Sheridan] (Confirmed)
| align="CENTER" | [mailto:thrynn404(at)gmail.com Randy Janinda] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Backend Security Project|OWASP Backend Security Project]]'''
| align="CENTER" | Carlo Pelliccioni
| align="CENTER" | Beta
| align="CENTER" |
| align="CENTER" |
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Classic ASP Security Project|OWASP Classic ASP Security Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | [mailto:rodrigo@rmarcos.com Rodrigo Marcos] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Code Review Project|OWASP Code review guide, V1.1]]'''
| align="CENTER" | Eoin Keary
| align="CENTER" | Quality
| align="CENTER" |
| align="CENTER" | [mailto:psatishkumar(at)gmail.com P.Satish Kumar]
| align="CENTER" | Jeff Williams
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]'''
| align="CENTER" | Parvathy Iyer
| align="CENTER" | Quality
| align="CENTER" | Neal Kirschner Email address? (Confirmed)
| align="CENTER" | [mailto:Omar.Sherin(at)infosec2.com Omar Sherin] TBC
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Education Project|OWASP Education Project]]'''
| align="CENTER" | Martin Knobloch
| align="CENTER" | Quality
| align="CENTER" | [mailto:sebastien.gioria@owasp.fr Sebastien Gioria] (Confirmed)
| align="CENTER" | [mailto:namn(at)bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Internationalization|OWASP Internationalization Guidelines Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo] (Confirmed)
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP .NET Project#OWASP .NET Project Leader|OWASP .NET Project Leader]]'''
| align="CENTER" | Mark Roxberry
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary(at)gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:dennis.hurst(at)hp.com Dennis Hurst] TBC
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Positive Security Project|OWASP Positive Security Project]]'''
| align="CENTER" | Eduardo Vianna de Camargo Neves
| align="CENTER" | Beta
| align="CENTER" | [mailto:welias(at)conviso.com.br Wagner Elias] (Confirmed)
| align="CENTER" | [mailto:ken(at)krvw.com Kenneth Wyk] TBC
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Ruby on Rails Security Guide V2|OWASP Ruby on Rails Security Guide v2]]'''
| align="CENTER" | Heiko Webers
| align="CENTER" | Quality
| align="CENTER" | [mailto:steve.jones(at)unf.edu Steve Jones] (Confirmed)
| align="CENTER" | [mailto:jeff.cabaniss(at)gmail.com Jeff Cabaniss] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Securing WebGoat using ModSecurity Project|OWASP Securing WebGoat using ModSecurity]]'''
| align="CENTER" | Stephen Evans
| align="CENTER" | Beta
| align="CENTER" | [mailto:ivan.ristic(at)breach.com Ivan Ristic] & Breach Group (Confirmed)
| align="CENTER" | [mailto:christian.folini(at)netnea.com Christian Folini] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE"|'''[[:Category:OWASP Source Code Review OWASP Projects Project|OWASP Source Code Review OWASP Projects]]'''
| align="CENTER" | James Walden
| align="CENTER" | Quality
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" | [mailto:marco.m.morana(at)gmail.com Marco M. Morana] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:OWASP Spanish|OWASP Spanish Project]]'''
| align="CENTER" | Juan Carlos Calderon
| align="CENTER" | Beta
| align="CENTER" | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo] (Confirmed)
| align="CENTER" | [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Testing Project|OWASP Testing Guide v3]]'''
| align="CENTER" | Matteo Meucci
| align="CENTER" | Quality
| align="CENTER" |
| align="CENTER" |
| align="CENTER" |
|}

{| class="wikitable" style="text-align:center"
! width="400" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="120" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''3rd Reviewer '''
! width="108" align="CENTER" | '''4th Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP ASDR Project|OWASP Application Security Desk Reference (ASDR)]]'''
| align="CENTER" | Leonardo Cavallari Militelli
| align="CENTER" | Quality
| align="CENTER" | [mailto:williamtsmith(at)gmail.com William Smith] [[OWASP SoC 2008 ASDR Reviewers#William Smith | Bio]] (Confirmed)
| align="CENTER" | [mailto:ken(at)krvw.com Kenneth Wyk] [[OWASP SoC 2008 ASDR Reviewers#Kenneth R. van Wyk| Bio]] (Confirmed)
| align="CENTER" | [mailto:kcfredman(at)gmail.com Frederick Donovan] [[OWASP SoC 2008 ASDR Reviewers#Frederick Donovan | Bio]] (Confirmed)
| align="CENTER" |
| align="CENTER" | Jeff Williams (Confirmed)
|}

== TOOLS PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:GTK plus GUI for w3af Project|GTK+ GUI for w3af project]]'''
| align="CENTER" | Facundo Batista
| align="CENTER" | Beta
| align="CENTER" | [mailto:andres.riancho(at)gmail.com Andres Riancho] [http://www.linkedin.com/in/ariancho Profile] (Confirmed)
| align="CENTER" | [mailto:ah@securenet.de Achim Hoffmann] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Access Control Rules Tester Project|OWASP Access Control Rules Tester]]'''
| align="CENTER" | Andrew Petukhov
| align="CENTER" | Beta
| align="CENTER" | [mailto:caughron(at)gmail.com Mat Caughron] [http://www.linkedin.com/pub/1/A84/998 Profile] (Confirmed)
| align="CENTER" | [mailto:mg_chen(at)yahoo.com Min Chen] [http://www.linkedin.com/in/mgchen Profile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP AntiSamy Project .NET| OWASP AntiSamy .NET]]'''
| align="CENTER" | Arshan Dabirsiaghi
| align="CENTER" | Quality
| align="CENTER" | [mailto:dallasspohn(at)sbcglobal.net Dallas Spohn] TBC
| align="CENTER" |
| align="CENTER" | Jeff Williams
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|OWASP Application Security Tool Benchmarking Environment and Site Generator refresh]]'''
| align="CENTER" | Dmitry Kozlov
| align="CENTER" | Quality
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] (Confirmed)
| align="CENTER" | [mailto:medelibero(at)gmail.com Mike de Libero] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Code Crawler|OWASP Code Crawler ]]'''
| align="CENTER" | Alessio Marziali
| align="CENTER" | Beta
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz(at)owasp.org Dinis Cruz] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Interceptor Project|OWASP Interceptor Project - 2008 Update]]'''
| align="CENTER" | Justin Derry
| align="CENTER" | Quality
| align="CENTER" | [mailto:dallasspohn(at)sbcglobal.net Dallas Spohn] TBC
| align="CENTER" |
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP JSP Testing Tool Project|OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)]]'''
| align="CENTER" | Jason Li
| align="CENTER" | Beta
| align="CENTER" | [mailto:markkerzner(at)gmail.com Mark Kerzner] (Confirmed)
| align="CENTER" | [mailto:fabricio.fujikawa(at)infoglobo.com.br Fabrício Fujikawa] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Live CD 2008 Project|OWASP Live CD 2008 Project]]'''
| align="CENTER" | Matt Tesauro
| align="CENTER" | Quality
| align="CENTER" | [mailto:admin@wirefall.com Dustin Dykes] [http://www.linkedin.com/pub/1/607/6b1 Curriculum] (Confirmed)
| align="CENTER" | [mailto:jkpoots(at)rogers.com Kent Poots] [http://www.linkedin.com/pub/5/25B/114 Curriculum] (Confirmed)
| align="CENTER" |
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP OpenSign Server Project|OWASP Online code signing and integrity verification service for open source community (OpenSign Server)]]'''
| align="CENTER" | Phil Potisk and Richard Conway
| align="CENTER" | Beta
| align="CENTER" | [mailto:pierre.parrend@insa-lyon.fr Pierre Parrend] [http://www.rzo.free.fr Curriculum] (Confirmed)
| align="CENTER" | [mailto:a_campani@yahoo.fr Antonio Campanile] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp|OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp]]'''
| align="CENTER" | Arturo 'Buanzo' Busleiman
| align="CENTER" | Beta
| align="CENTER" | [mailto:mark.roxberry(at)owasp.org Mark Roxberry] (Confirmed)
| align="CENTER" | (need one)
| align="CENTER" | [mailto:dinis.cruz(at)owasp.org Dinis Cruz]
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Orizon Project|OWASP Orizon Project]]'''
| align="CENTER" | Paolo Perego
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:seba@deleersnyder.eu Sebastien Deleersnyder] (Confirmed)
| align="CENTER" | [mailto:dinis.cruz@owasp.org Dinis Cruz] (Confirmed)
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Python Static Analysis Project|OWASP Python Static Analysis]]'''
| align="CENTER" | Georgy Klimov
| align="CENTER" | Beta
| align="CENTER" | [mailto:namn@bluemoon.com.vn Nam Nguyen] [[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]] (Confirmed)
| align="CENTER" | [mailto:diepvien00thayh@gmail.com P.Q.Huy] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Skavenger Project|OWASP Skavenger]]'''
| align="CENTER" | [mailto:mro(at)securenet.de Matthias Rohr]
| align="CENTER" | Beta
| align="CENTER" | Rogan Dawes Email address? (Confirmed)
| align="CENTER" | [mailto:ah@securenet.de Achim Hoffmann] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Sqlibench Project|OWASP SQL Injector Benchmarking Project (SQLiBENCH)]]'''
| align="CENTER" | [mailto:urgunb@hotmail.com Bedirhan Urgun] [mailto:mesut@h-labs.org Mesut Timur]
| align="CENTER" | Beta
| align="CENTER" | [mailto:ferruh@mavituna.com Ferruh Mavituna] [[Project Information:Sqlibench:Ferruh|background info]] (Confirmed)
| align="CENTER" | [mailto:kfuller@dmv.ca.gov Kevin Fuller] [[Project Information:Sqlibench:Kevin|background info]] (Confirmed)
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Teachable Static Analysis Workbench Project|OWASP Teachable Static Analysis Workbench]]'''
| align="CENTER" | [mailto:ddk(at)cs.msu.su Dmitry Kozlov] Igor Konnov
| align="CENTER" | Beta
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alex Fry] TBC
| align="CENTER" |
| align="CENTER" | Not applicable
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]'''
| align="CENTER" | [mailto:bunyamin@owasp.org Bunyamin Demir]
| align="CENTER" | Beta
| align="CENTER" | [mailto:afry(at)strongcrypto.biz Alexander Fry] [http://www.linkedin.com/in/alexanderfry Profile] (Confirmed)
| align="CENTER" |
| align="CENTER" |
|}

== DESIGN/CORPORATE PROJECTS ==
{| class="wikitable" style="text-align:center"
! width="600" height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | Application
! width="220" align="CENTER" | '''Author'''
! width="60" align="CENTER" | [[:Category:OWASP Project Assessment|'''Status Target''']]
! width="108" align="CENTER" | '''1st Reviewer'''
! width="108" align="CENTER" | '''2nd Reviewer '''
! width="108" align="CENTER" | '''OWASP Board Reviewer
'''
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Book Cover & Sleeve Design|OWASP Book Cover & Sleeve Design]]'''
| align="CENTER" | LXstudios, [mailto:deb@lxstudios.com Deb Brewer]
| align="CENTER" | Quality
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] (Confirmed)
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | Dinis Cruz
|-
| height="18" bgcolor="#FFFFFF" align="CENTER" valign="MIDDLE" | '''[[:Category:OWASP Individual and Corporate Member Packs plus Conference Attendee Packs Brief|OWASP Individual & Corporate Member Packs, Conference Attendee Packs Brief]]'''
| align="CENTER" | LXstudios, [mailto:deb@lxstudios.com Deb Brewer]
| align="CENTER" | Quality
| align="CENTER" | [mailto:eoinkeary@gmail.com Eoin Keary] (Confirmed)
| align="CENTER" | [mailto:yiannis@owasp.org Yiannis Pavlosoglou] (Confirmed)
| align="CENTER" | Dinis Cruz
|-

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-06-26T18:03:30Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
#Team finalized (Maureen Doyle, James Walden, Michael Whelan.)
#Projects selected for initial analysis (AntiSamy, WebScarab, OWASP Enterprise Security API (ESAPI) Project)
#Preliminary workflow.
#No projects submitted to Fortify Open Source Review, as Fortify is updating the application. We have talked extensively with Fortify and OWASP about the changes and how they match our workflow.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The current status of tasks planned for the end of June is:
#Team finalized (100%)
#Projects selected (100%)
#Preliminary workflow (100%)
#Projects submitted (0%)
Since the Fortify open source review is not currently accepting projects, we have not been able to submit any projects. However, we are currently analyzing the following tools using Fortify's commercial source code analyzer (SCA) tool.
#AntiSamy
#WebScarab
#OWASP Enterprise Security API (ESAPI) Project
The updated version of Fortify's web site will allow us to upload the FPR files generated by this tool to create projects immediately, instead of waiting a week. The following tasks remain to be done:
#Revise workflow based on reviews.
#Submit initial project to Fortify site once its online for testing.
#Submit 3 OWASP projects as continuously analyzed projects on Fortify site.
#Select additional OWASP and non-OWASP projects to analyze.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|We need feedback and direction on the preliminary workflow.
|}

Project Information:template Source Code Review OWASP Projects

2008-06-26T17:55:15Z

Walden:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Source Code Review OWASP-Projects Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The objectives of this project are: 1. Develop and document a workflow for open source projects to incorporate static analysis into the Software Development Life Cycle (SDLC); 2. Apply the above workflow as a required step for OWASP projects; 3. Aid in auditing select open source projects to create a baseline for comparing security amongst open source projects.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:dan@denimgroup.com '''Dan Cornell'''] SoC's Project Leader [mailto:waldenj1@nku.edu '''James Walden''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:jderry@owasp.org '''Justin Derry'''] 
[mailto:doylem3@nku.edu '''Maureen Doyle'''] 
[mailto:whelanm87@gmail.com '''Michael Whelan''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects '''Mailing List/Subscribe'''] [mailto:OWASP-SCode-Review-OWASP-Projects(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:afry(at)strongcrypto.biz '''Alex Fry''']
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marco.m.morana(at)gmail.com '''Marco M. Morana'''] 
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [[Image:Workflow_Draft1.pdf]]
* [[Image:CreateProjectExample.pdf]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[https://opensource.fortify.com/teamserver/welcome.fhtml Fortify Code Review Application]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Source Code Review OWASP Projects 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

File:CreateProjectExample.pdf

2008-06-26T17:54:35Z

Walden: Example flow diagram for creating a new project to be reviewed.

Example flow diagram for creating a new project to be reviewed.

File:Workflow Draft1.pdf

2008-06-26T17:52:05Z

Walden: Draft source code review workflow.

Draft source code review workflow.

Project Information:template Source Code Review OWASP Projects

2008-06-26T17:33:57Z

Walden:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Source Code Review OWASP-Projects Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The objectives of this project are: 1. Develop and document a workflow for open source projects to incorporate static analysis into the Software Development Life Cycle (SDLC); 2. Apply the above workflow as a required step for OWASP projects; 3. Aid in auditing select open source projects to create a baseline for comparing security amongst open source projects.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:dan@denimgroup.com '''Dan Cornell'''] SoC's Project Leader [mailto:waldenj1@nku.edu '''James Walden''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:jderry@owasp.org '''Justin Derry'''] 
[mailto:doylem3@nku.edu '''Maureen Doyle'''] 
[mailto:whelanm87@gmail.com '''Michael Whelan''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects '''Mailing List/Subscribe'''] [mailto:OWASP-SCode-Review-OWASP-Projects(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:afry(at)strongcrypto.biz '''Alex Fry''']
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marco.m.morana(at)gmail.com '''Marco M. Morana'''] (TBC)
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* (If appropriate, links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[https://opensource.fortify.com/teamserver/welcome.fhtml Fortify Code Review Application]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Source Code Review OWASP Projects - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Source Code Review OWASP Projects 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Source Code Review OWASP Projects - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-06-24T20:11:12Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
#Team finalized (Maureen Doyle, James Walden, Michael Whelan.)
#Projects selected for initial analysis (AntiSamy, WebScarab, OWASP Enterprise Security API (ESAPI) Project)
#Preliminary workflow.
#No projects submitted to Fortify Open Source Review, as Fortify is updating the application. We have talked extensively with Fortify and OWASP about the changes and how they match our workflow.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
#Team finalized (100%)
#Projects selected (100%)
#Preliminary workflow (100%)
#Projects submitted (0%)
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|We need feedback and direction on the preliminary workflow.
|}

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-06-24T19:41:10Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
#Team finalized (Maureen Doyle, James Walden, Michael Whelan.)
#Projects selected for initial analysis (WebScarab, OWASP Enterprise Security API (ESAPI) Project, OWASP CSRFGuard Project.)
#Preliminary workflow.
#No projects submitted to Fortify Open Source Review, as Fortify is updating the application. We have talked extensively with Fortify and OWASP about the changes and how they match our workflow.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
#Team finalized (100%)
#Projects selected (100%)
#Preliminary workflow (100%)
#Projects submitted (0%)
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|We need feedback and direction on the preliminary workflow.
|}

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-06-24T19:39:27Z

Walden:

[[Project Information:template Source Code Review OWASP Projects|Click here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''50% REVIEW PROCESS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|OWASP Source Code Review OWASP-Projects Project's Deliveries & Objectives]]
|-
| style="width:25x%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|-Team finalized (Maureen Doyle, James Walden, Michael Whelan.)
-Projects selected for initial analysis (WebScarab, OWASP Enterprise Security API (ESAPI) Project, OWASP CSRFGuard Project.)
-Preliminary workflow.
-No projects submitted to Fortify Open Source Review, as Fortify is updating the application. We have talked extensively with Fortify and OWASP about the changes and how they match our workflow.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. To what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#Source Code Review OWASP Projects|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|-Team finalized (100%)
-Projects selected (100%)
-Preliminary workflow (100%)
-Projects submitted (0%)
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|We need feedback and direction on the preliminary workflow.
|}

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-06-24T19:35:55Z

Walden:

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-06-24T19:30:37Z

Walden:

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-06-24T19:29:25Z

Walden:

Project Information:template Source Code Review OWASP Projects - 50 Review - Self Evaluation - A

2008-06-24T19:28:53Z

Walden:

OWASP Summer of Code 2008 Applications

2008-03-25T17:47:14Z

Walden:

'''This page contains project Applications to the [[OWASP_Summer_of_Code_2008|OWASP Summer Of Code 2008]]'''

= A few notes =
*'''If you want to apply for a SoC 2008 sponsorship you HAVE TO USE THIS PAGE for your application.'''
** See [[OWASP Summer of Code 2008#How To Participate (To Developers)|How To Participate]] for what to do once you completed your Application.
** Please remember that projects will be selected and funded based on how well they meet the [[OWASP Summer of Code 2008#Jury and Selection Criteria| Selection Criteria]].
** Please see [[OWASP Autumn of Code 2006 - Applications|AoC 06]] and [[OWASP Spring Of Code 2007 Applications|SpoC 07]] for examples of Applications.
* '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include [[OWASP Summer of Code 2008 Applications - Proposal Type|this information in your proposal]].
'''
= Applications - {Fill in below} =

== The Application Security Desk Reference - ASDR ==
* Leonardo Cavallari Militelli
* Proposal: Make [[OWASP ASDR Project|OWASP ASDR Project]] a release quality document.

The ASDR is a reference volume that contains basic information about all the foundational topics in application security. It intends to replace and refresh [[OWASP Honeycomb Project|Honeycomb Project]] with a new structure for articles and relationship between categories, thus making it a release quality doc.

This idea raised when finished the [[Attack|Attack Reference Guide]] for [[OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]], where it was identified that OWASP reference articles need some special attention. Jeff Williams is totally supporting this project.

We already have defined which type of article we should include on Desk Reference, as follows:
* [[:Category:Principle|Principles]]
* [[:Category:Threat_Agent|Threat Agents]]
* [[:Category:Attack|Attacks]]
* [[:Category:Vulnerability|Vulnerabilities]]
* [[:Category:Countermeasure|Countermeasures]]
* [[:Category:Technical Impact|Technical Impacts]]
* [[:Category:Business Impact|Business Impacts]]

*Road Map: A complete project roadmap can be found on '''[[ASDR Table of Contents|ASDR Table of Contents]]'''. Basically, the following activities should be performed, some of them already started:
** Define articles templates for each reference type
** Define subcategories for articles classification
** Compile first DRAFT version of ASDR Book
** Articles development & Call for Volunteers
** Articles revision
** First version of OWASP ASDR book

== OWASP Code review guide, V1.1 ==
* Eoin Keary,
'''Code Review Guide Proposal''':

'''Introduction:'''The code review guide is currently at version RC 2.0 and the second best selling OWASP book.
I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.

It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project.

The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

'''Proposal:'''
I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.

'''Additional and expanded Chapters:''' 

'''Transactional analysis''' 
Expand chapter. 
Examples via diagrams. 

'''Threat Modeling and Analysis''' 
The approach to examining an application to be reviewed. 
Focusing on areas of interest. 

'''Example reports and how to write one''' 
How to determine the risk level of a finding. 

'''Automated code review''' 
Code crawler documentation and usage. 

'''Rich Internet Applications''' 
Expanded chapters on Flash, Ajax. 

'''The OWASP ESAPI (Enterprise Security API)''' 
What it is, Why use it. What to review. 

'''Code review Metrics:''' 
How to compile, use and analyse metrics. 
Rolling out metrics in the Enterprise. 

'''Integrating Code review with an existing SDLC'''
Integration of Secure Code review with an existing SDLC. 
Secure Code review roadmap definition. 
Documentation requirements. 
Scope definition. 
SDLC steering comittee establishment. 
Performace criteria, benchmarks and metrics. 
Integration of SDLC results into key IT governance areas. 
Critical success factors. 

== The OWASP Testing Guide v3 ==
* Matteo Meucci
* The OWASP Testing Guide v2 was a great success, with thousand downloads and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now it's time to begin a new project that is based on v2 but improve it and complete it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

* Information Gathering
* Business logic testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode analysis
3) Infrastructural test --> new category
4) Web Services section needs improvement
5) AJAX Testing section needs improvement
6) New category: Client side Testing. AJAX and Flash Testing

* This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

== Code Crawler ==
* Alessio Marziali (aka nTze) 

'''Description''' 
This tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code.
The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for "everyone"; Where "everyone" means "more" companies performing secure software activities. 
Key areas of improvement: 
'''Reporting''' 
- PDF
- Microsoft Office Compatible Word Document
- HTML

'''Scanning''' 
- Multiple File scanned at the same time 
-- Open Microsoft Visual Studio's Solutions 

'''Bigger Database''' 
Which will provide more information about the threats such vulnerability type (XSS,SQL Injection, Remote File Inclusion etc). 
'''Security Software Life Cycle''' 
A feature that will let you save the threats for each project/document, so the reviewer can check how the development is going from a “security prospective” during the entire software lifecycle. 

Improvement of the code scan system. 

== The Owasp Orizon Project ==
* Paolo Perego (aka thesp0nge),
* The Owasp Orizon Project,

'''Introduction'''

The [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon Project] born in 2006 in order to provide a framework to all Owasp projects developing code review services.

The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS.
Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

[http://milk.sf.net Milk] project is a java code review tool I'm writing using Orizon as background engine. Its goal is to show engine capabilities.

'''Objectives and deliverables'''

* plugin architecture for static code review library: this planned feature will be announced (hopefully, if my CFP will be accepted) to next Owasp European App conf.
* starting C# support
* upgrade from Alpha quality project to Beta quality project in accord to [http://www.owasp.org/index.php/Category:OWASP_Project_Assessment Owasp Project Assessment criteria]

'''Why I should be sponsored for the project'''

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

In the last year Owasp Orizon evolved a lot with a good static code review engine and a lot of code was written to give Owasp guys the best framework as possible to be used for writing code review tools. I hope to pursuit my goals again with SoC 2008.

== Skavenger ==
* Matthias Rohr

'''Introduction'''

Skavenger is a web application security assessment toolkit which arised from many years of professional experience in the web application assessment field and is the result of nearly one your of work.

It passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeader plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, an insecure session management and several kinds of information disclosure). Skavenger's modular design allows the integration of custom scanning modules without any knowledge about the tool at all.

Skavenger is completely written in Perl and can be downloaded from:
https://sourceforge.net/projects/skavenger/

'''Objectives and deliverables'''

Here are some ideas:
* A GUI to monitor and analyze scanning results
* More sophisticated scanner modules (e.g. for better backend identification and more platform specific tests)
* Database integration
* API's to integrate modules in other languages (such as Python or Java).
* Better source integration with custom Firefox, Burp or (of course) WebScarab plugins

== OWASP .NET Project Leader ==
* Mark Roxberry

'''Project Proposal'''

This proposal is to request approval for leading the OWASP .NET project. The project will contain information, materials and software that are relevant to building secure .NET web applications and services. The goal of the project is to provide deep content for all roles related to .NET web applications and services including:

*Architectural guidance
*Developer tools, information and checklists
*IT professional content (for those that deploy and maintain .NET websites)
*Penetration testing resources
*Incident response resources

The OWASP .NET Project Leader will actively recruit .NET contributors, including personnel from Microsoft, but others throughout the .NET ecosystem. Including experts from communities from large companies to ISVs, from enterprise architects to ALT.NET developers will be important for the overall reach of the OWASP .NET project. Other communities to consider include developers who use Mono (.NET for Linux), including Moonlight (Silverlight for Linux).

The OWASP .NET Project Leader will actively contribute to the OWASP projects that require .NET resources, by recruiting resources or contributing to the project.

'''Deliverables'''

April 2, 2008 - May 3, 2008
*Project site layout reorganization
*Presentation materials for OWASP chapters for integrating the OWASP .NET project tools and references into a project life cycle
*Bullet points for community and media outreach plans

April 13, 2008 - May 16, 2008
*Community outreach - contact .NET user groups, OWASP chapters to get feedback about tools and references that are needed for security in their fields of expertise. Distribute materials for integrating OWASP .NET into their project plans and toolboxes.
*Media outreach - contact .NET media resources to talk about the .NET project and request content and contributors
*Start a special projects section for emerging projects in the .NET space, including Silverlight (Moonlight), WPF XBAP applications, Windows Communication Foundation, ADO.NET Data Services, Enterprise Library 4.0, Policy and Dependency Injection, Agile methodologies.

May 17, 2008 - June 14, 2008
*Reach out to other SoC .NET projects, try to find resources if the projects need them.
*Contribute to other SoC .NET projects, where needed.
*Gather feedback and follow up from first round of outreach effort.

June 15, 2008
*Status report for Project

June 16, 2008 - August 31, 2008
*Expand community and media outreach efforts.
*Continue to recruit and help other OWASP projects with resources.
*Update promotional materials to include emerging projects.

August 31, 2008
*Retrospective of the first 5 months of the OWASP .NET Project.

'''Long Term Vision'''

The OWASP .NET Project will be a valuable resource for securing .NET applications and services. I want people to think of this project first when they need to gather information or find tools for designing, developing, maintaining, pen-testing software developed with .NET. This project will be the hub for all .NET security resources, and of course with content created and maintained by the Open Source community.

'''Why I should be sponsored for the project'''

I have previously contributed to the OWASP Test Guide v2 project, providing content and reviewed content. I have used the OWASP Top 10 to teach developers about vulnerabilities in web applications and the OWASP WebScarab tool for vulnerability analysis. As a security practictioner, I care about the OWASP mission and I want to contribute to securing the Internet for everyone.

I have 15 years of technical leadership experience using Microsoft technologies. I have lead software development teams as a technical lead, lead developer and architect on small and large projects. I am a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker (C|EH). I am on top of current trends and I am required to be up to speed regarding .NET web development and security. I am personally interested in providing security resources to .NET developers globally, specific and applicable to their projects.

== OWASP Backend Security Project ==
* Full name: Carlo Pelliccioni
* Project: OWASP Backend Security Project
* Project description:
:OWASP Backend Security Project is a new project created to improve and to collect the existant information about the backend security.
:The project is composed by three sections (security development, security hardening and security testing).
:The aim is to define the guidelines for the companies and IT professionals working in the security field into processes development and back-end components management/testing in the enterprise architecture.

* Objectives:

'''Overview'''
Create a section with an introduction about the project (high-level description) explaining the main
goals.

'''Development'''
Include the writings already existant in OWASP wiki concerning PHP,
JAVA and ASP.NET and extend the projects' sections with new contents.

'''Hardening'''
Create new guidelines about the dbms hardening

'''Testing'''
Include the writings already existant in OWASP wiki about security testing.
Create new articles about security testing.

== OWASP Classic ASP Security Project ==
* Juan Carlos Calderon
'''Executive Summary''' 
I am interested in making P018 - OWASP Classic ASP Security Project happen, Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place” and continue spreading the word on security. I have always be a passionate of the technology (regardless of its inconveniences such as being old and DLL-hell prone) and I am really exited on the idea of sharing my knowledge of this area to the world and what best that though OWASP.

'''Objectives and Deliverables''' 
Create a secure framework for Classic ASP application by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries. More specifically:
* Creation of a Common Object Repository for ASP applications based on OWASP ESAPI Project including objects and/or references to libraries for security applications all this aligned with OWASP Top10 and OWASP Guide .
* Create Documentation aligned to OWASP Code Review Project Checklist providing additional technology-specific checks.
* Addition of expression for Code Review Tool to support Classic ASP applications.
* Implementation of Version 1 of Stinger for ASP either by using an installable COM library or ISAPI.
* This same module will compliment the OWASP Validation Documentation Project.

'''Why should I be sponsored for the project?''' 
I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

Also I’ve had close contact with OWASP since 2005
[https://lists.owasp.org/pipermail/owasp-spanish/2005-March/000069.html] by making possible the translation of OWASP Top 10 2004 [http://www.owasp.org/index.php/Top_10_2004] and OWASP Testing Guide V1.17 [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf] to Spanish.

== Internationalization Guidelines and OWASP-Spanish Project ==
* Juan Carlos Calderon
'''Executive Summary''' 
The main goal of OWASP is to spread the word about security (“Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.”) and OWASP has done great work so far :). And now it’s time for a next big step.

The number of native and secondary speakers in the world for Chinese, Spanish, French, Russian, Arabic and Indi languages are estimated in similar number to English speaking or even more (Some References at [http://en.wikipedia.org/wiki/Ethnologue_list_of_most_spoken_languages Ethnologue], [http://encarta.msn.com/media_701500404/Languages_Spoken_by_More_Than_10_Million_People.html Encarta], [http://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers Wikipedia]). I think is a good time for OWASP to reach those that do not speak English to have full access to all the OWASP materials, not just a couple of documents.

OWASP, while open to translations, do not have clear guidelines on how to translate OWASP contents and (AFAIK) there is no multi-language support in OWASP.org site. This is understandable as there is no formal project for internationalization so far.

'''Oportunity and Effort''' 
This is great opportunity to make Spanish the first language on which the OWASP site and documentation is fully translated and at the same time share the experience with other people interested in the same objective, Bring OWASP to the world. And this is something I’ve being pushing for some time ago and that could be possible “at once” via SoC 2008.

I understand this is significant effort so to have it done I will count with the help of 6 people (friend of mine, all of them Security auditors with excellent English level) plus a few well known contributors from OWASP-Spanish effort, so the founding will be divided among the people involved in the same proportion of the work they do for the completion of this effort. This, to encourage delivery.

'''Objectives and Deliverables''' 
* Team up with Larry Casey to implement Multilanguage support in OWASP.org Mediawiki.
* General Guidelines on minimum/recommended requirements to start a new language translation for OWASP Document and Site Pages
* General Guidelines on minimum/recommended requirements to implement internationalization and localization ([http://www.w3.org/International/ i18n]) on OWASP Software
* Full translation to Spanish of all the release-level document projects. Those are:
** Top 10 2007
** Guide 2 (Already translated)
** Testing Guide (Already Translated)
** Legal
** FAQ
* Full Translation of major sections of OWASP Site
** Project Main Pages (Release, Beta and Alpha levels for both documents and tools projects)
** Principles
** References Section
** Conferences
** News (Those currently displayed in OWASP site)
** About OWASP
* Evaluation of Spanish translation approach for WebGoat and WebScarab and delivery of this document to Bruce and Rogan for possible implementation in near future.
* Leverage for deploy of es.owasp.org, the domain already exists but is not redirecting correctly.
* Create a Communication strategy to help and keep track on new pages or changes in significant pages so all the translations are in sync.

'''Out of Scope''' 
Translation of the following sections are NOT in Scope
* Local Chapters Pages
* Presentations
* Conferences
* Videos
* Blogs
* All the projects deliverables in Alpha and Beta Stages
* All the documentation “on development” like Guide Version 3.0
* Translation of Pages, documentation or tools to other language other than Spanish according to the stated in above section.

'''Why should I be sponsored for the project?''' 
I’ve being part of contributions to OWASP documents on the translation arena since 2005 [https://lists.owasp.org/pipermail/owasp-spanish/2005-March/000069.html], a few of them by making possible the translation of OWASP Top 10 2004 [http://www.owasp.org/index.php/Top_10_2004] and OWASP Testing Guide V1.17 [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf] to Spanish. It is time to make the full job done :).

I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

== The Ruby on Rails Security Guide v2 ==
Heiko Webers

The last security guide for Rails [http://www.owasp.org/index.php/Category:OWASP_Web_Application_Security_Put_Into_Practice] was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The Ruby on Rails Security Project [http://www.rorsecurity.info/] is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a book [http://www.lulu.com/content/1412042]. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.

In the new Rails Security Guide I'd like to
* update the entire book to match Rails 2.0
* cover new topics, including, but not limited to:
** Intranet and administration interface security,
** phishing,
** real-world attack situations,
** short excursus on server monitoring,
** the new CookieStore session management,
** vulnerabilities in popular plug-ins,
** denial-of-service attacks
* cover all OWASP Top Ten security vulnerabilities
* a more compact writing style, more examples and "questions-and-answers"
* introduce the OWASP and Rails security to a greater audience

== OWASP Application Security Verification Standard ==

*Mike

'''OWASP Application Security Verification Standard Proposal'''

'''Educational and professional background'''

The applicant is a hands-on senior professional services manager with a trademark of
developing creative solutions to complex application security-related technical problems.

'''Application security experience and accomplishments'''

The applicant has a background in trusted product evaluation:

*CC evaluation
*CC evidence development, including operating system test code development
*CC project management
*TCSEC evaluation
*TCSEC project management
*TEF management
*CCTL management

The applicant also has a background in security-related software development and integration:

*PKI toolkit development
*PK-E application integration
*Secure web portal application development
*Secure web portal integration
*Secure instant messaging application development, including three patents

The applicant also has a background in cryptomodule testing:

*FIPS 140 evaluation
*FIPS 140 evidence development

'''Participation and leadership in open communities'''

The applicant does not have experience in contributing to open communities.

'''The opportunity, challenges, issues or need your proposal addresses'''

OWASP is looking for a commercially-workable open standard for performing application security verification efforts. The problem is that there is a huge range in the coverage and level of rigor available in the market, and consumers have no way to tell the difference between someone just running a grep tool, and someone doing painstaking code review and manual testing. So, a standard is needed.

'''Objectives or ways in which you will meet the goal(s)'''

The applicant’s proposal will address the above challenges as follows:

*The applicant will define an evaluation framework that may be used to conduct OWASP Application Security Verification Standard certifications.
*The applicant will define an OWASP Application Security Verification Standard which defines levels that applications may be certified against.

'''Specific activities and who will carry out these activities'''

The applicant will carry out these activities. Please see below for a proposed list of specific deliverables.

'''Specific deliverables and a rough project schedule so we can track progress'''

The applicant proposes the following deliverables:

*'''Scheme Overview document.''' This will define the overall framework with roles, responsibilities, and processes.
*'''Evaluation and Certification document.''' This will describe the evaluation and certification process.
*'''Conditions for the Use of Trademarks.''' This will describe OWASP’s name, logo, and certificate may be used and referenced.
*'''Evaluation Report Content Requirements.''' This will describe the content requirements of evaluation reports.
*'''OWASP Application Security Verification Standard.''' This will define the levels that applications may be certified against.
*'''OWASP Application Security Verification Standard Appendix A.''' This will define the required content of the OWASP Application Security Verification Standard Security Policy.
*'''Policy Letter #1. Acceptance of Security Policies into OWASP Evaluation''' This will define the requirements to be listed as in evaluation on the OWASP web site.

The applicant proposes the following rough project schedule:

*2nd April. Project kickoff.
*15th June. Alpha Quality drafts of Scheme Overview document and of OWASP Application Security Verification Standard document completed.
*31st August. Project completion. Beta Quality drafts of all documents completed.

'''Long-term vision for the project'''

The long-term vision for the project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing application security verification.

'''Any other reasons why you and your project should be selected.'''

The applicant has a uniquely-qualified perspective given his experience with TCSEC, TTAP, CC, FIPS 140-1, and FIPS 140-2 evaluation programs, and his real-world perspective as a developer and integrator of security-related applications.

== GTK+ GUI for w3af project ==

''Facundo Batista''

'''Your educational and professional background'''

I'm Electronic Engineer with a Master in Engineer Innovation in
Bologna University, Italy. I live in Buenos Aires, Argentina, and love
reading books, playing tennis, and programming Python.

I worked in a mobile company for six years, in the Network Management
department, then I was Chief Developer of a Mobile Content Provider,
and now I'm Solution Architect in Multimedia & Systems Integration in
Ericsson. Also I was professor in several universities, high schools
and other institutions.

'''Application security experience and accomplishments'''

None, more than working in w3af. However, my proposal here is not
related to the security part of the product, but to its graphical
interface and usability.

'''Participation and leadership in open communities'''

I'm very involved in the free software and open source community. I'm
a Python Core Developer and member of the Python Software Foundation
by merit. I have a long history of talks given in several
international (PyCon, EuroPython) and national (a lot!) conferences. I
also teach Python in educational institutions, enterprises and as a
private instructor. I founded Python Argentina, the national users
groups, and I'm a very active member of it.

I also lead other open source projects (SMPPy, SiGeFi, etc.) and
particpate in others (Docutils, w3af itself, etc.).

'''The opportunity, challenges, issues or need your proposal addresses'''

My main objective is to minimize the effort and learning curve of
using w3af, providing a very usable graphical interface.

Note that as the interface is cross platform, being usable also in the
win32 environment, it will help to popularize the w3af project.

This will allow users without information security knowledge to verify
that their web applications are correctly programmed and configured.

'''Specific activities and who will carry out these activities'''

I will carry the following activities, detailed later in smaller steps:

- Design and code new windows and interfaces to increase the functionality of the project.

- Tuning of the process workflow, allowing a more intuitive way of working.

- Visual polishing for a more pleasant and intuitive tool.

- Usability tests and improvements.

'''Specific deliverables and a rough project schedule so we can track progress'''

''New features implemented in the pyGTK user interface:''

- Local proxy to trap and modify requests and responses sent from a browser.

- Manually send a request and analyze the response.

- Manually create a fuzzed requests based on tokens, so user can construct easily differents HTTP request with a regex-like semantics.

- Wizard to perform a vulnerability assessment.

- Graphical display of site map and vulnerabilities.

- Reload a plugin after its edited from within the pyGTK user interface.

- Embebed tool to encode/decode URL/Base64 and to hash sha1/md5.

- HTTP response side by side content compare.

''Usability improvements in the pyGTK user interface:''

- Meetings with a usability expert that the w3af team leader has already contacted and worked with.

- Kill all pending bugs and make a stable release.

''Documentation:''

- Users guide for the pyGTK user interface.

- Help system for the GUI itself

'''Long-term vision for the project'''

To provide the web application security community with a stable and fully
featured framework to perform all the tasks included in a penetration test
from within the project.

'''Any other reasons why you and your project should be selected'''

w3af is one of the most active web application security projects;
the community that supports it is growing and we need the support of
already established organizations like OWASP to keep working at the
rate that we want to.

== P025 OWASP Positive Security Project ==

by Eduardo Vianna de Camargo Neves

'''Executive Summary'''

A common approach on most companies is to increase the protection of their assets after the occurrence of a considerable impact. However some companies learned that a positive approach on IT Security is most effective and can reduce the financial costs on responses to security incidents. Benchmarking the application security practices on the corporate world will allow us to understand what steps are required to keep the IT environment protected, using this knowledge to support the development of a campaign to spread a positive security posture in the market. The liaison with companies that maintain good security practices will help to start this initiative from a higher degree and involve several actors on the security stage for the same direction to a market were security is understood as a business value.

'''Approach'''

Assessing results from the Corporate Application Security Rating Guide Project and other public sources will be used to support the development of the Positive Security Project with facts from a real analysis.

'''Benefits'''

The whole community will be benefited from this initiatives. With the adequate support from OWASP to maintain the project active and liaise with big players on the market, we can expect the following:

• The community will receive a guide to practice the "Positive Approach" that will allow them to compare their own security practices within the market. As this will be a public document, suppliers and buyers worldwide will share the same information allowing them to adequate the expectations on the usage of security services and tools.

• Compliance and alignment with Positive Approach can be used as a marketing tool by the companies, allowing them to sell security as a business value and avoiding the old-fashion and inadequate FUD approach.

• The knowledge and relationship developed during the development will support the Positive Security Project with real information, increasing the credibility of the initiative for the market.

• The Security Rating Guide and the Positive Security Project can be walk in parallel, merging their information to support a concise and continuous marketing campaign to encourage a positive approach on the market.

• As an open community free from commercial pressures, OWASP can use both projects to support the evaluation of security products for the market, allowing the organization to receive profits from these services and support current and future projects.

'''Summarized Work Breakdown Structure (WBS)'''

All the activities will be leaded by Eduardo V. C. Neves, which will be responsible as a single point of contact with the sponsors and to manage a team of compromised volunteers from OWASP community and participants from security communities and associations (i.e. ISSA, SANS and ISC2).

The activities will be carried on WBS summarized bellow. Dates presented should be considered as deadlines for the activities:

• Criteria establishment and definition of the marketing material and support documents (April 11)

• Approval of marketing templates for Positive Security Project (April 25) (1)

• Development of the Positive Security Project material (i.e. blog and marketing sheets) (May 30)

• Liaison with the OWASP Members and analyzed companies to present the project and negotiate their participation as supporters, sponsors or contributors. (June 27)

• Update on Positive Security approach deliverables(July 4)

• Presentation of the Positive Security Project approach on the market (July 31) (2)

• Conference calls with team members to evaluate the results of the initiatives in all countries and produce project´s documents (i.e. lessons learned, update on marketing material and evaluation of alternative approaches for the future steps). (August 15)

• Prepare project documentation and present to the OWASP community on the web site (August 31)

''(1) Support from OWASP Foundation and community are required to evaluate adequate marketing templates and translate original documents for their own languages''

''(2) Support from OWASP community is required to spread the word on all countries were OWASP members are located.''
'''''

'''Project Control'''

The project will be managed following PRINCE2 Process Model and all control documents published for the OWASP community. The following mandatory project control documents are planned:

• Project Initiation Document: To document project´s background, definition, objectives, approach, etc.

• Communication Plan: To assure that OWASP Community are being continuous communicated about project status and deliverables achievement.

• Highlight Report: To provide the OWASP Community with a summary of the project status, progress and potential problems or areas where help may be required.

• End Project Report: To present project achievements. Should be considered the final project report.

More documents may be included during project development to support the control and assure a high quality level (i.e. issue log, project approach).

'''Long Range Plan'''

The project should be used as a tool to support efforts to encourage and make the positive approach a reality on the IT Security field. These initiatives shall be supported by OWASP as long term plans and grow to a continuous world-wide campaign in this direction that must achieve big players on the market and be recognized by the community as a tool that must be used to evaluate security enabled companies and products.

'''Why me?'''

Can be me, you or anyone that carries this project in a professional fashion and assure that all deliverables are being achieved. The most important parts is to make it happen, talk and get the support from reputable associations and large companies (OWASP Members are a good start) and lead it as a long range responsibility.

I am running to win this project because I believe in all of this. I see both as very valuable initiatives that can help companies to make more business; people to get more jobs and the whole community to win in a scenario where our contributions on the security market are recognized as business tools.

'''About me'''

Information Security professional and enthusiastic with 15 years dedicated to achieve expressive results in the areas of IT, Information Security, Compliance and Project Management. A CISSP in good stand and Officer at the ISSA Brazilian Chapter, my professional career gave me extensive knowledge in several fields of Information Security with accumulated experience at consulting firms, as CSO at a world player company on consumer goods market and now as an entrepreneur at Latin American market.

''Application security experience and accomplishments''

My work experience is on Security Management, Risk Assessment, Business Continuity and Disaster Recovery, Security Awareness and other managed-related fields on our industry. I don’t have hands-on experience on application security and this is the main reason why I am running to be qualified on the project described bellow, where I believe that my skills can be used to achieve an excellent result for the community.

''Participation and leadership in open communities''

• Member of OWASP Brazil where I made some small contributions in a recent past.

• Member of ABNT/CB-21/SC02 committee, Brazilian ISO representative for 27001 and 17799 standards

• Officer of ISSA Brazil Chapter where I am responsible for the South Region and as the editor of Antebellum, the ISSA Brazil Journal

• Founder and member of GISI-PR, an open community focused on discuss and promote Information Security initiatives within Paraná State, Brazil

== P017 - OWASP AppSensor - Detect and Respond to Attacks from Within the Application ==
'''Name'''

Michael Coates

'''Project'''

P017 - OWASP AppSensor - Detect and Respond to Attacks from Within the Application

'''The opportunity, challenges, issues or need your proposal addresses, '''

As critical applications continue to become more accessible and inter-connected, it is paramount that the information be protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application. In addition to implementing layers of defense within an application, it is critical that we identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself.
Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. The application itself is the best place to identify and respond to malicious activity.
This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application

'''Objectives or ways in which you will meet the goal(s), '''

I plan to use a methodical approach throughout the creation of this resource. I will reference my own professional experience, OWASP resources, ESAPI, and academic materials to identify a robust set of potential attacks and identification methods. Thresholds will be recommended for each of the detected attacks. Each recommended threshold value and response recommendation will be accompanied with additional information to describe the purpose of the threshold and recommendation. This additional information will allow the reader to determine if the threshold is appropriate for their implementation.

'''Specific activities and who will carry out these activities, '''

I will complete the following activities:
1. Identify and define attack patterns against applications
2. Document points of detection within the application for the attack patterns & identify key information to log
3. Create thresholds for generating security alerts
4. Define recommended response actions for the security alerts

'''Specific deliverables and a rough project schedule so we can track progress, '''

April 2, 2008 - Project Begins

April 2, 2008-April 12, 2008 - High level planning & design

April 12, 2008-May 1, 2008 - Identify and define attack patterns against applications

May 1, 2008-June 1, 2008 - Document points of detection within the application for the attack patterns & identify key information to log

June 1, 2008-June 13, 2008 - Pier Review & Revisions

June 15, 2008 - Status Report

June 16, 2008-Aug 15, 2008 - Create thresholds for generating security alerts

June 16, 2008-Aug 15, 2008 - Define recommended response actions for the security alerts

Aug 16, 2008-Aug 30, 2008 - Pier Review & Revisions

Aug 31, 2008 - Project Complete

'''Long-term vision for the project, '''

1. I’d like to include a tiered type approach of thresholds and responses. This is would be similar to the approach used by FISMA of defining different controls for High, Medium, and Low systems.

2. Building on item #1, I want to eventually include a system which lets the user provide information about their system. This information could include rating or prioritizing different security concerns. a customized set of monitoring points, thresholds and response actions can be recommended for the application based on the provided data.

'''About Me'''

'''Education & Professional Background'''

Masters of Science in Computer, Information and Network Security – DePaul University
(Expected Graduation 2009)
Bachelor of Science in Computer Science – University of Illinois
Extensive experience in conducting black and white box security reviews of complex applications and networks for major financial organizations and international telecoms. I also have experience working as the primary investigator of attacks against a multi-national organization with IDS sensors in networks throughout the world. In addition, I have experience working with several regulatory controls and security standards (FISMA, NIST, GLBA etc). My experience as an ethical hacker and incident responder puts me in an excellent position to tackle this project.

'''Application security experience and accomplishments'''

I am a Senior Computer Security Engineer with Aspect Security where I perform security code reviews and application security testing against a variety of platforms. Prior to working with Aspect Security, I was heavily involved in the discovery and exploitation of application vulnerabilities during black box ethical hacking assessments for numerous clients.

'''Participation and leadership in open communities'''

I am a member of OWASP and attend Chicago OWASP chapter meetings. I also attend ChiSec, an informal meet-up of security professionals in the Chicago area. In addition, I interact with the community through my security blog. http://michaelcoates.wordpress.com.

'''Any other reasons why you and your project should be selected. '''

I created a similar framework while working within a Security Operation Center. I created attack scenarios, identified relevant IDS events, defined thresholds and appropriate response action for the Security analysts.

'''Requested Reviewer - Eric Sheridan, Application Security Consultant at Aspect Security, Inc.'''

Eric Sheridan is an Application Security Consultant at Aspect Security, a consulting services company specializing in application security. At Aspect Security, Eric specializes in execution of security verification assessments and the establishment of security activities throughout the development lifecycle. In addition, Eric is an instructor in Aspect’s portfolio of Application Security Courses. Eric is also an active participant in OWASP whose contributions include work with projects such as WebGoat, Stinger, CSRFGuard, CSRFTester, and the SASAP project from OWASP SPoC 2007. Eric was also a featured speaker at the 2007 OWASP/WASC San Jose conference.

Contact Information: eric dot sheridan 'at' owasp dot org

== OWASP Interceptor Project - 2008 Update ==

by Justin Derry

http://www.owasp.org/index.php/Category:OWASP_Interceptor_Project

'''Executive Summary'''

The OWASP Interceptor project was originally written by myself and donated to the OWASP project. Since it has been online numerous people have downloaded the tools and used the code/toolkit. Currently the industry has very limited “XML” or SOAP client testing tools that are designed specifically to perform XML interception and manipulation. The Objective of the Interceptor project is to provide a strong tool for performing XML penetration tests against Web Service (or XML/SOAP) endpoints. The tool should not replace other proxy interception tools such as Charles, Web Scarab and so on, but be purely focused on handling and reading XML structures from clients.

The Interceptor tool includes a “swiss-army” knife of features that will help with decoding/hash generation and interpretation of XML code. The key objective is to make a tool that can assist with the collection, inspection and attack replay of XML requests against service endpoints. This year it’s time for an update. The tool doesn’t run on Vista and needs a number of back-end features addressed as well as some help files etc. (Help to get the tool out of BETA status).

'''Objectives this year'''

This year I see the following objectives in the application code base.
• Get the Interface to run on all Window Platforms (.NET) Win2000, XP and Vista;

• Update the TCP handle libraries to be faster

• Update the XML Parser engine to support the latest structures

• Provide a “default” attack database of known XML attack methods (this is a big one)

• Write a number of help files on how to use the tool

• Update the toolkit BASE64 Decoder, XML Generators etc with further tools

• Write a better “reporting” engine to show the result of simulated attack responses

• Better HTTP support for Manipulation, Authentication and Header Injection etc

• Better support for interception and handling AJAX XML requests

These are the core features I would like to introduce, with also further to probably come as a part of the project.

'''Why should I be sponsored for the project?'''

The current development cycle stopped due to limited time and the need to purchase the IDE tools to develop the interface in .NET. As a Summer of Code 2008 sponsored project we can get the IDE interface tools to implement “Vista” features that will see the tool run on all .NET platforms (Win2000, XP and Vista). Recent changes in my job will allow me to spend more time on developing the toolkit.

Over a number of years I have been involved with OWASP, whilst most recently getting involved with running the OWASP Australia Security Conference for 2008, as well as the Brisbane Chapter. I am also working in the Asia Pacific RIM to further increase the awareness of OWASP and Application Security. My Conference duties for the year have finished up (till planning starts again in a couple of months) so my time can be invested in updating the toolkit.

I believe during the previous years, i have shown OWASP that i am willing and able to produce a quality outcome and i am prepared to put the effort into OWASP to acheive the goals set out for this project.

Some of the Sponsorship money for the project would go to purchasing a specific toolkit for the UI. (The UI is important simply because we want the application to be user friendly). Xceed Components provide a Smart UI as well as some of the decoding and compression features the tool needs. This would require us to approach them upfront for a “free” licence or use some of the Sponsorship money to buy the toolkit. But we can tackle that problem when we come to it.

== SQL Injector Benchmarking Project (SQLiBENCH) ==

by Mesut Timur & Bedirhan Urgun

'''Prelude'''

There're a lot of and great open source tools (takeover/dumpers/hybrid) for taking advantage of an sql injection vulnerability both used by web application security specialists and attackers.
Techniques used, databases supported, algorithms employed and abilities implemented by these "sql injectors" greatly varies. Standardization is one of the abstract goals of OWASP and we think it's important to standardize general vulnerability techniques exists in web applications and one of the biggest one is sql manipulation.
In our effort, we aim to produce a standardization of techniques used in exploiting sql injection by automatic tools.

'''Proposal'''

The goal of the project is to create a detailed set of benchmarking criterias for automatic sql injection tools and applying these to a set of open source sql injectors, producing analysis/benchmarking reports.
Additionaly, in a semi-academic manner, algorithms used by several sql injectors will be analyzed both implementation and complexity vise.

'''Deliverables And Project Schedule Milestones'''

Two set of documents will be produced. One of them will include the benchmarking criterias and the other will comprise of analysis of selected sql injectors against the benchmarking criterias.
Moreover, an interactive visual data flow diagram, giving hints to testers about which tool should be used under which circumstances, will be implemented with web-based technologies such as jquery library.

April 03 Project Kickoff

April 03-30 Determination of the benchmarking criterias

May 01-15 Producing a test environment image with 5-6 rdbms (MSSQL Express, Oracle Express, DB2 Express, MySQL, PgSQL, etc.) and a vulnerable application (which will support different sql injection types, databases and include logging capabilities)

May 15-31 Selecting and installing automatic sql injectors onto the test system and starting to use them on vulnerable application

June 01-30 Analysing tools and applying benchmarking criterias, contacting the authors as we proceed

July 01-31 Producing reports for benchmarking criterias and tool analysis

'''About Us'''

We're part of OWASP-Turkey. [http://www.h-labs.org Mesut Timur] is a junior in the Computer Engineering Dept. of [http://www.gyte.edu.tr University of GYTE] and [http://www.webguvenligi.org Bedirhan Urgun] is a web/application security specialist in [http://www.uekae.tubitak.gov.tr TUBITAK-UEKAE].

== OWASP-WeBekci Project ==

by Bunyamin Demir

http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project

'''Executive Summary'''

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

'''Objectives and Deliverables'''

* '''Configuration''' : Most of the configuration parameters will be managed through the web interface
* '''Rule Generator''' : Basic rules will be generated using the web interface
* '''Core Rule Integration''': Core rules will be added to the database for use
* '''Logging and Reporting''': Apache error log and modsec_audit log will be parsed and presented to the user thru the web interface
* '''DB Support''' : MySQL

'''Why I should be sponsored for the project'''
Being a SpoC2007 project, it couldn't be implemented mainly due to a job change and therefore lack of time. With the help of Bedirhan Urgun we'll be able to produce a quality web admin panel GUI for a same host modsec installation infrastructure. We are both part of OWASP Turkey [http://www.owasp.org/index.php/Turkey] and tried to produce a great deal of awareness both about web security and OWASP with both documents/chapter meetings/email list and mini-conferences.

== Teachable Static Analysis Workbench ==

By Dmitry Kozlov, Igor Konnov

'''Introduction:'''

This application covers two OWASP Project proposals: P002 Teachable Static Analysis Workbench and P023 Code Review Tree. These project proposals look complementary and the key idea was to create ONE tool for code review instead of number non-integrated tools.
Note: this project is very close to P024 Attack Surface Metric too – based on web application entry points and used backends it is easy to compute such a metric.

'''Project objectives and deliverables:'''

Project is intended two deliverables: research technical report (publication ready article) and a workbench prototype.

The research will be intended to answer the following questions:
* Can we integrate existing open source static analysis tools (OWASP and third-party) to work altogether? We plan analysis to cover the following tools: LAPSE, Orizon, ESAPI, FindBugs.
* How static analysis workbench can be taught by security analyst?
* How static analysis workbench can support web-applications built using MVC frameworks?

Workbench prototype will be Java-based Eclipse plug-in which aim is to help security analyst/code reviewer validation of web application. At prototype step we suggest to analyze J2EE Web tier applications build on Java Servlets, JSP (without business logic in it) and one MVC framework (Apache Struts). We plan workbench prototype to have the following functionality:
* Input validation vulnerabilities analysis: identification of web application entry points (aka attack surface in P024), call graph for each entry point (see “Packages -> Classes -> Methods -> callsites” in P023), identification of data validation routines, teachable taint analysis.
* Authentification and access control analysis: identification of code related to access control and it’s analysis.
* Pattern-based code analysis.
* Teachability: analyst indicates security-related code (sources of tainted data, sensitive sinks, input validation and sanitizing functions, access control code, etc.) and workbench automatically recomputes possible vulnerabilities list. The second idea is to spread knowledge gathered from analyst to other web applications.

Project budget: $10K (note: this project combines two OWAPS Project Proposals)

'''Future development:'''

Further, workbench can be extended to support various Java web application frameworks and to support Python web applications (it seems to us that teachable tool is much more valuable for Python and other languages where the notion of web application is not so formal as in J2EE).

'''Background: '''

Dmitry Kozlov is a postdoc researcher at Moscow State
University. Since 2003 he leads a group performing research in the area of web
application security. In 2007 this group took part in OWASP Spring of
Code on project "Python Dynamic Analysis". This project was implemented
mostly by Dmitry’s PhD student Andrew Petukhov. Also in 2007 this group created static analysis tool for Python language, based on Pixy PHP analyser (publication is upcoming).

Igor Konnov is PhD student at Moscow State University he has strong background in program analysis and verification.

== OpenPGP Extensions for HTTP - Enigform and mod_openpgp ==
By Arturo 'Buanzo' Busleiman

=== Introduction to the project ===
My name is Arturo Busleiman, a.k.a Buanzo. Last year I worked with OWASP to take Enigform (The OpenPGP Firefox Extension) and mod_openpgp (The Apache counterpart) to an usable level. This year, I want to focus on mod_openpgp and Secure Session Management, presenting a working web-site using this new authentication methodology in such a way that it will attract security professionals and web-developers to this new mix of two good'ol protocols: HTTP and OpenPGP.

For that to happen, OWASP support is essential. I'm very happy to submit my application for Summer of Code 2008.

=== About Buanzo ===

I am a 26 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of information systems security since 1994. Linux and Security are my life.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204] or my "Customer Comments" page at [http://www.buanzo.com.ar/pro/].

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005, 2006 and 2007. I've developed
tools and written documentation that can be found in Freshmeat, mozdev.org and addons.mozilla.org. Also I've written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v1.0 [http://www.oissg.org/content/view/71/71/].

In my free time, I "run" the 2600 Argentina meetings, write articles, give talks and play the guitar.

I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs, answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== About Enigform ===

The project has draw attention from the IETF OpenPGP Working Group, and even Vinton Cerf (The Father of the Internet) said that Enigform and mod_openpgp "[this] strikes me as a really interesting idea and I hope you (Buanzo) will pursue it with the W3C." (February 18, 2008). [http://en.wikipedia.org/wiki/Enigform]

== OWASP AntiSamy .NET ==
* Arshan Dabirsiaghi 

'''Executive Summary''' 
The OWASP AntiSamy Project was well received at the OWASP/WASC San Jose 2007 conference, and the momentum carried forward as the project was noted in several popular blogs and had its various distributions downloaded in aggregate thousands of times. 

All the platforms, not just Java, need this functionality. The Zend group is currently working on getting a PHP version started, so naturally the only platform remaining for major sites is .NET. Therefore, I propose that OWASP sponsor me in creating a .NET version of the OWASP AntiSamy Project. It should also be noted that the OWASP ESAPI .NET project requires this API to be created.

'''Background''' 
I'm currently a Senior Application Security Engineer at Aspect Security, an industry leading application security company. I've delivered tutorials all over the country at various commercial organizations and conferences like OWASP and Blackhat.

'''Proposed Project Reviewer: Jeff Williams/Dinis Cruz''' 
Jeff Williams will be the easiest reviewer due to proximity, but Dinis Cruz's or another OWASP .NET project member's knowledge of .NET may prove useful to the project.

'''Objectives and Deliverables''' 
The aim of the project would be to deliver a functionally identical version of the AntiSamy project in .NET. Secondarily, we would hope to deliver a Release quality product by the end of the Summer of Code timeframe in line with the Java version.

== Online code signing and integrity verification service for open source community (OpenSign Server) ==

by ''Phil Potisk'' and ''Richard Conway''

It is the opinion of this pair that there is a decided lack of code signing and integrity checking support for the open source community. The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules.

'''Summary''' 

The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs.

There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.

'''Problem domain''' 

- Current download of portable executables inherently insecure with only a CRC/MD5 check 
- No open source standard for code signing and delivery of portable executables between developers to test for tamper evidence 
- No managed service for code signing outside of verisign or other paid for X509 signing service 
- Process currently very mechanical with use of command line tools or PKCS#10 software requests which should be abstracted from developer 

'''Ideal Solution''' 

- Ensure third party verification of code modules through a dedicated PKI backbone 
- Educate the OWASP and wider open source community in the use of code signing 
- Replace standard CRC/MD5 hash usage with some more secure that can be repudiated if challenged
- Use an internet infrastructure to allow the dissemination of certificates (potentially multipurpose in later versions) 
- Ensure accountability through actions logging and authentication 
- Standardise a set of open source client tools for the creation of keys and manipulation of certificates 

'''Graphical Interfaces''' 

- Client tool to generate RSA key pair and request signing certificate by return via a secure connection, secure connection will authenticate user after a dedicated registration process and also use mutual authentication SSL to avoid man-in-the-middle - returning certificate to user in real time. Registered developer can then submit their SPC online to verify the SPC. 
- Client tool to download software that will do a proper verification on the software against the code signing service 
- Website interface for the code signing service 
- Set of Admin tools to manage the code signing service, user and certificate repository 

'''Added advantage''' 

Environment can be secured and tested regularly by members of Owasp to ensure the security of the server and infrastructure haven't been hijacked! The project will only be as secure the server environment!

'''Breakdown of tasks''' 

- Server setup and installation of OpenLDAP 
- Installation of Mock HSM (eAladdin token) 
- Creation of PKCS#11 for key management and key creation activities 
- Installation of Java/.NET SDKs 
- Development of codebase for signing using SDK tools (later versions will reverse engineer this into jar/assemblies directly) 
- Library for creating SPC (CA) 
- User registration, authentication, activity logging, database support 
- OpenLDAP user/certificate repository, access using mutual-authentication SSL 
- Development of client tool suite 
- Development of administrator tools 
- Procurement of FIPs compliant HSM and installation 
- Administrator/user manuals 
- Pen testing of solution by OWASP members 
- Go live! 

'''Post July completion tasks''' 

- Support for Microsoft office documents with macros and others 
- Full support for community management (i.e. OWASP differentiated from other developer communities) 

'''Background and Experience of project team''' 

Richard Conway has 13 years commercial development experience in messaging and financial/investment banking systems having managed teams to deliver complex Agile solutions. He has degrees and PGDip in computer science and another in physics (finishing 2009) and has taught at Westminster university and written 7 books 3 of which are on security related topics (and numerous articles).

Phil Potisk has an academic background from Graz university, degree and masters and is currently looking at doing a pHD in the UK all on computer science/information security. He has several years commercial experience all in the security space for major companies in Austria and the UK.

Both Richard and Phil have worked together for 4 years in the space of ePassports/smart cards where they have an impact on ICAO standards and have fulfilled consultancy and product development in the area of passport inspection, cryptography, ePassport/smart card protocols testing and more. They have a wealth of knowledge and experience in PKI and development of applications using secure hardware and cryptography.

== Lockpick ==
*Mark Roxberry

'''Summary'''

Lockpick is an open source penetration testing project management tool. There are plenty of tools that do specific functions, or a range of technical functions (NMAP, Nessus). However, there are not many open source tools to help manage the scope of the testing a system. Lockpick will fill that role. When I start a penetration test, Lockpick will provide my checklists and script resources and update my tools. For intelligence gathering, Lockpick will let me create profiles for target companies and persons. I can shell out to my normal tool suite and organize my log files and other output with the tool. Eventually, I can use Lockpick to pull all of the testing data together and generate an executive summary and detail report with the logs and profiles for addenda.

'''Project Roadmap'''

April 2, 2008 - April 30, 2008 (Sprint 1)
*Architecture, technical design (use cases, db design) and UI design

May 1, 2008 - May 31, 2008 (Sprint 2)
*Project framework (modular design - use an dependency injection (IoC) architecture, so we can rip and replace components)
*GUI framework
*GUI for pen-test overview (use NIST or OSSTMM for process milestones)

June 1, 2008 - June 30, 2008 (Sprint 3)
*Competitive intelligence feature (Company and individual profile builder)

July 1, 2008 - July 31, 2008 (Sprint 4)
*Checklist and scripting repository feature (with rss synchronization feed)
(Unit Tests, Code, and QA)

July 15, 2008
Project Status Report

August 1, 2008 - August 31, 2008 (Sprint 5)
*3rd Party tool integration (shell out and log management)

'''Project Wishlist'''

*Report generator (integrated with open office, google docs)
*OVAL (Open Vulnerability and Assessment Language) database reader
*Testing log GUI

'''Project Team'''

Mark Roxberry, CISSP, CEH, MCP - independent software vendor. I've been writing code since infancy. It would be great to have OWASP sponsor the project and give me the opportunity to create something that other testers can use.

== OWASP Live CD 2008 Project ==

* Matt Tesauro

'''Introduction'''

The previous OWASP Live CD project distributions have laid a good foundation for the 2008 Project. I'd like to take the existing Live CD and further enhance it. I see the 2008 Live CD as filling the Web App Sec niche not the more general Pen Tester niche. I'd concede general Pen Testing to Backtrack [http://www.remote-exploit.org/backtrack.html]. However, Backtrack has a different audience and is not specifically tailored for web application security professionals. This is the role I think this Live CD could fulfill with great success. I'd like to take the OWASP Live CD 2008 Project in that direction and see the OWASP Live CD become to Web App Sec what Backtrack is to Pen Testing.

'''Proposal'''

I'd like to take the existing applications and documentation in the current Live CD and add significantly more tools and documentation specifically focused on Web application security. I think OWASP's Phoenix/Tools page [http://www.owasp.org/index.php/Phoenix/Tools] would be a good starting point for potential tools. I'd also like to use WASC [http://www.webappsec.org/] and ISECOM/OSSTMM [http://www.isecom.org/] as sources for material.

The project would first enumerate a list of tools to include on the CD where licensing, supported OS and space will determine what is included on the Live CD. After determining a reasonable list of tools, the next phase would be to create modules for the tools and merge these modules with the Live CD. Then documentation and tutorials would be added (also as space allows) followed by any remaining OWASP branding. Additional polishing could include pre-installation (license permitting) of the VMware tools.

'''Deliverables'''

April 2 to May 15, 2008
* Enumerated tools and reference material for installation verifying that the software license allows permits distribution.

May 16 to July 4, 2008
* Create modules for each tool and begin to merge the modules with the base distribution.
* Begin testing of the Live CD.

July 5 to August 31, 2008
* Complete the merging of modules and install any remaining documentation.
* Further testing of the Live CD particularly installation of new/updated modules.

'''Challenges / Outstanding Issues'''

While the current Live CD is base on Morphix – a Knoppix derivative created to allow easy creation of custom Live CDs, I'm not sure it it provides the flexibility needed to keep the CD tools updated. While I'm fine with keeping the Live CD on Morphix, I also see value in switching to another distribution: SLAX. Here's the brief pros and cons of each as I see them.

Pros of Mophix:
* no change to current LiveCD - principally just updates to existing and augment.
* Modular Live CD
* Based on Knoppix which is the granddaddy of live CDs (tons of documentation)

Cons of Morphix:
* While modular, uses a modular structure which isn't compatible with other well established live CDs - particularly Backtrack
* Modules are not as granular as SLAX (lower ease of updating)

Pros of SLAX:
* Modular Live CD (more modular then Morphix though I'm more familiar with SLAX then Morphix from using/modifying Backtrack)
* Same modular format as Backtrack and other SLAX variants. This allows module sharing between OWASP and other live CDs
* As tools are updated, only the module for that tools would need to be updated - not the entire live CD.

Con of SLAX:
* Would have to re-do the work done for the current Live CD

As said above, I'm not sold on either distro but I do think going forward, the more granular modules of SLAX will allow for easier updates of the included tools and documentation. Backtrack is a good example of this. I think the migration would represent a short term loss for a long term gain.

'''A bit about me'''

I've been using Linux since somewhere around 1996 when I got my first “Mega Distro pack” which included 6+ distro CDs, a bumper sticker and a t-shirt for $29.95. I think it was in the RedHat 5.2 time frame. I've had Linux as my primary OS since 2000 and have used many, many different distros. Also, I am a RHCE (#803005588313799) as well as Linux+ certified so I believe I'm qualified the Linux aspects of the project.

I got started with creating static HTML pages in 1999 and my first job out of college was a Web application developer for an international telecom company in 2000. Later, I took a developer job at Texas A&M University and also taught Web application development courses at the undergraduate and graduate level. Next, I spent some time as a Pen Tester where I discovered WHAX, Auditor and Backtrack live CDs and realized how useful they can be. Currently, I work on Web Application Security for an agency with ~75 internally developed web apps and 500,000+ users. I'm involved in application development from preliminary design reviews to pre-production security testing. I also have a CISSP (Cert # 67636) and CEH (Certified Ethical Hacker) security certifications. I've been enjoying OWASP since I first discovered Web Goat (then at version 3.7) and thought it was high time I gave something back to OWASP.

== OWASP Education Project ==

*Martin Knobloch
'''OWASP Education Project / OWASP Boot Camp'''

The project will continuously deliver education material about OWASP tooling and documentation. This aims to create an easy entrance towards understanding application security and usage of the OWASP tooling. By creating education documentation papers, screen scrape video courses and setting up an OWASP Boot camp, a controlled education process of a standardized quality can be created continuously. With the setup of a OWASP Boot camp, the OWASP word can be spread in a controlled manner and deliver high quality training., both inside and outside of the OWASP community. The OWASP Education Project will setup and standardize OWASP trainings manuals and materials to ensure a certain level of quality of the trainings. Trainings about the OWASP tooling and projects will have to be reviewed by the Projects.

'''Complexity - What is the project Complexity and Size? '''

Deliverables to focus on are, in first place, to set up an OWASP Boot camp. For this the project will create a training and video (screen scrape) training material about Application Security basics, using the OWASP WebGoat and OWASP WebScarab tooling on the OWASP Top Ten vulnerabilities. Next, creating training material on the main OWASP Project's as the OWASP Guide and OWASP Testing Guide.

'''Member Value - How big is the potential added value to OWASP Members? '''

The OWASP Education project ensures a common shared set of knowledge about application security in general and the OWASP tooling in detail. The OWASP Boot camp helps new OWASP members to get on track fast and on a guaranteed quality level.

'''Brand Value - How big is the potential added value to the OWASP Brand? '''

The OWASP Education projects Boot camp deliverable can help to spread the OWASP word beyond the OWASP community. Holding OWASP Boot camps can generate additional venue. The OWASP Education project will extend the knowledge about the OWASP tooling and the usage of those. In the current discussion of the OWASP certification, the OWASP Education project can support and certify training. The OWASP certification can be supported by special OWASP Certification Boot camps.

'''On the Candidate: '''

Past Work - Value of past contributions to OWASP Projects; previously, as OWASP On The Move project lead, I was involved in setting up the OWASP On The Move rules. I am involved in the Dutch local chapter inside the chapter board, focusing on the content, speakers and feedback of the local chapter meeting. On the AppSec Australia conference I was speaker on the subject on what to consider when implementing a Secure Development Process. On my daily job, being Software Architect at Sogeti Nederland B.V., I have set up a Secure Development Taskforce. I have succeeded to make Sogeti Nederland B.V. and member of the OWASP community. Sogeti sponsored previous local Dutch chapter meetings and my trip to Australia. The deliverables of the Sogeti Secure Development Taskforce (PaSS, Proactive Security Strategy) are given to the OWASP community, as we will continue to do in the future.

== Fortify Code Review Project ==

'''Your educational and professional background: '''

I have worked in IT for over 8 years now with 5 years Information Security experience. I have obtained and taught many IT certifications in my career so far.

'''Application security experience and accomplishments: '''

Work experience as an Information Security Analyst implementing application security in a highly sensitive environment. I'm currently contributing to an OWASP project (Code Review guide) and spoken on the subject of Application Security at a developers conference.

'''Participation and leadership in open communities: '''

As mentioned above I'm currently contributing to one other OWASP project.

'''The opportunity, challenges, issues or need your proposal addresses: '''

My proposal is to help Fortify and OWASP achieve the goals set out in the objectives for this project. The project has the ability to deliver a clear guide on static analysis and subsequently how to add this into the SDLC. The auditing of open source software can help to enhance the security of this software and possibly improve its ability to increase its user base.

'''Milestones and objectives: '''

Process all OWASP Java developments through the Fortify scanner
Review the output of the Fortify scans on the OWASP projects that have been submitted
Produce the first draft of the three documents that need to be delivered
Liaise with OWASP/major Java Open Source project contacts to involve them in reviewing the output of Fortify scans of their developments
Provide final documentation

'''Specific activities and who will carry out these activities: '''

I will carry out all the activities for this project myself.

Research current methods of static analysis in the application security arena and combine this with my own knowledge. This research will allow me to define a workflow which illustrates how static analysis will be integrated into the SDLC.

Identify which OWASP applications have been submitted for analysis and identify which other projects can be scanned. I will contact the relevant project leads to get them to submit the projects for review.

Review the results of the scans and analyse any issues found. I will provide feedback on any issues found to the relevant project lead.

Identify major Open Source Java projects and liaise with these projects to involve them in scans of their code. We will provide feedback on the results and ensure that future code revisions are also scanned by the Fortify system.

Provide revised guides based on feedback from the draft documents and the use of the Fortify system.

'''Specific deliverables and a rough project schedule so we can track progress: '''

The deliverables for this project would see me firstly provide draft guides once I have used the Fortify system to review any recently scanned OWASP projects.

I would also seek to involve major java Open Source projects in the Fortify project which will help the Fortify Scanner become part of many Open Source developments.

Providing report documents to the relevant OWASP project leads which would explain any issues found in the Fortify scan of their code

Deliver the final guides for review

'''Long-term vision for the project: '''

I would see this project firstly serving as a focal point for anyone wishing to implement Static Analysis into their own SDLC. Secondly I see this project as a launching pad for the Fortify scanner to increase its use by Open Source projects.

'''Any other reasons why you and your project should be selected: '''

I'm very passionate about Application Security and I want to use this passion to help the Application Security community. I think the project should be selected so that the objectives of both the OWASP and Fortify can be achieved.

== Source Code Review OWASP Projects ==
* James Walden

'''Educational and professional background: '''

I am an assistant professor of computer science at Northern Kentucky University, and I previously worked as a visiting assistant professor at the University of Toledo. Before entering academia, I worked for Intel as a software engineer for five years. I hold a Ph.D. in theoretical physics from Carnegie Mellon University.

'''Application Security experience: '''

My primary area of interest in research and teaching is application security. I have worked with application security issues since 1993 when I was developing secure CGI scripts in perl at CMU, and much of my work at Intel involved application security. I have used Fortify's Source Code Analysis tool in my teaching and research since 2005, and I served as a technical reviewer for the book ''Secure Programming with Static Analysis'' by Brian Chess and Jakob West.

I have developed workshops on secure programming, software security, and web application security, including both slides and demonstration web applications, which I have taught to computer science faculty at conferences since 2005 and to software developers through my university since 2006. I have given many talks on application security during the last three years to local professional groups like IEEE, ISACA, and ISSA and at conferences such as the Ohio Information Security Conference and Recent Advances in Information Assurance, Network and Software Security 2007.

'''Open Communities: '''

I have contributed to the OWASP Guide and OWASP Code Review Guide, and I participate in the OWASP Cincinnati chapter. I have also submitted a number of small patches to fix bugs in open source projects over the years.

'''Opportunity and Challenges'''

There will be other contributors to this project, including one professor and several students. Dr. Maureen Doyle will work with one student to develop and document the workflow to incorporate Fortify Java Open Source static analysis into the SDLC. Anticipated issues include detecting false positives that result from the analysis and reporting the security errors to the appropriate developers for future correction (e.g., through Bugzilla or similar system). It is uncertain how much of the workflow can be automated. The workflow documentation will require that static analysis be a part of the SDLC.

Dr. Doyle has twenty years of industry experience working with various development lifecycles and has implemented software processes at General Electric and Alphatech, Inc. Dr. Doyle keeps current on software development paradigms as part of her course preparation for graduate and undergraduate software engineering courses. Dr. James Walden, whose background is described above, will lead the auditing task and collaborate on the workflow development.

'''Milestones and Objectives'''

The objectives of this project are:
* Develop and document a workflow for open source projects to incorporate static analysis into the Software Development Life Cycle (SDLC).
* Apply the above workflow as a required step for OWASP projects.
* Aid in auditing select open source projects to create a baseline for comparing security amongst open source projects.

The milestones for this project are:
* '''Three projects''' selected for initial analysis by May 1.
* '''Project 1''' submitted to Fortify Java Open Review Project by June 1
* '''Workflow''' sent out for review by June 1
* '''Projects 2 and 3''' submitted to Fortify Java Open Review Project by July 1
* '''Additional projects''' identified for analysis with the revised workflow by July 1.
* '''Workflow''' available at OWASP by August 15
* '''Additional projects''' submitted to Fortify Java Open Review by August 15

'''Project Schedule'''

* May 1, 2008: Team finalized, three projects selected for initial analysis.
* June 1, 2008: Team of workflow reviewers finalized, preliminary workflow sent out for review, project 1 analysis complete using initial workflow.
* July 1, 2008: Project 2 and 3 analysis completed, workflow finalized, additional projects selected for creating baseline.
* August 15, 2008: Analysis of projects for baseline security measures complete, workflow documented on OWASP web site.

'''Long Term Vision'''

We would like to analyze the classes of security bugs found through static analysis to determine if patterns exist, so that we could develop measures to prevent the introduction of such bugs into projects. We would also like to implement a security metrics collection process for projects, recording data on static analysis usage, number of security bugs, lifetime of security bugs, and so forth.

'''Supporting Information'''

Dr. Walden and Dr. Doyle bring a combination of industrial and academic experience to this task. They both regularly mentor undergraduate students working on research projects, and they have already recruited students to work on a project using static analysis tools. The funds offered by OWASP will be used solely to fund our undergraduate students.