This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Category:OWASP Teachable Static Analysis Workbench Project

From OWASP

Jump to: navigation, search

PROJECT IDENTIFICATION
Project Name	OWASP Teachable Static Analysis Workbench Project
Short Project Description	The research will be intended to answer the following questions: Can we integrate existing open source static analysis tools (OWASP and third-party) to work altogether? We plan analysis to cover the following tools: LAPSE, Orizon, ESAPI, FindBugs. How static analysis workbench can be taught by security analyst? How static analysis workbench can support web-applications built using MVC frameworks? Workbench prototype will be Java-based Eclipse plug-in which aim is to help security analyst/code reviewer validation of web application. At prototype step we suggest to analyze J2EE Web tier applications build on Java Servlets, JSP (without business logic in it) and one MVC framework (Apache Struts). We plan workbench prototype to have the following functionality: Input validation vulnerabilities analysis: identification of web application entry points (aka attack surface in P024), call graph for each entry point (see “Packages -> Classes -> Methods -> callsites” in P023), identification of data validation routines, teachable taint analysis. Authentification and access control analysis: identification of code related to access control and it’s analysis. Pattern-based code analysis. Teachability: analyst indicates security-related code (sources of tainted data, sensitive sinks, input validation and sanitizing functions, access control code, etc.) and workbench automatically recomputes possible vulnerabilities list. The second idea is to spread knowledge gathered from analyst to other web applications.
Key Project Information	Project Leader Dmitry Kozlov Igor Konnov	Project Contributors (if applicable)	Mailing List Subscribe here Use here	License GNU General Public License v2	Project Type Tool	Sponsors OWASP SoC 08

PROJECT IDENTIFICATION

Project Name

OWASP Teachable Static Analysis Workbench Project

Short Project Description

The research will be intended to answer the following questions:

Can we integrate existing open source static analysis tools (OWASP and third-party) to work altogether? We plan analysis to cover the following tools: LAPSE, Orizon, ESAPI, FindBugs.
How static analysis workbench can be taught by security analyst?
How static analysis workbench can support web-applications built using MVC frameworks?

Workbench prototype will be Java-based Eclipse plug-in which aim is to help security analyst/code reviewer validation of web application. At prototype step we suggest to analyze J2EE Web tier applications build on Java Servlets, JSP (without business logic in it) and one MVC framework (Apache Struts). We plan workbench prototype to have the following functionality:

Input validation vulnerabilities analysis: identification of web application entry points (aka attack surface in P024), call graph for each entry point (see “Packages -> Classes -> Methods -> callsites” in P023), identification of data validation routines, teachable taint analysis.
Authentification and access control analysis: identification of code related to access control and it’s analysis.
Pattern-based code analysis.
Teachability: analyst indicates security-related code (sources of tainted data, sensitive sinks, input validation and sanitizing functions, access control code, etc.) and workbench automatically recomputes possible vulnerabilities list. The second idea is to spread knowledge gathered from analyst to other web applications.

Key Project Information

Project Leader
Dmitry Kozlov
Igor Konnov

Project Contributors
(if applicable)

Mailing List
Subscribe here
Use here

License
GNU General Public License v2

Project Type
Tool

Sponsors
OWASP SoC 08

Release Status	Main Links	Related Projects
Beta Quality Please see here for complete information.	http://code.google.com/p/teachablesa/ PowerPoint Presentation	If any, add link here

This category currently contains no pages or media.

Retrieved from "https://wiki.owasp.org/index.php?title=Category:OWASP_Teachable_Static_Analysis_Workbench_Project&oldid=166500"

Categories:

Category:OWASP Teachable Static Analysis Workbench Project

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools