OWASP student projects
These projects require some research, thinking, and some hard work, but I think they would be very valuable in getting students to really understand software security. Please contact us at [email protected].
- AppSec Principles - do some research and flesh out one of the OWASP principles. Talk about how the principle works in general, and then examine how it is applied in various contexts.
- Attacks - flesh out the list of attacks, develop each one with content and links.
- Vulnerabilities - work to fill out writeups of vulnerabilities and clean up the vulnerability lists. There's lots of linking to other articles here needed. We're integrating CLASP, CWE, Fortify, and other sources of vulnerabilities to make the best resource anywhere.
- Countermeasures - general cleanup and linking of these articles. Probably some stubs in there that need significant writing.
- Java Project - great opportunity to do research and bring together all the best information in one place for Java developers
Long Term Projects (or Thesis)
- AppSec Metrics - this project is harder, but desperately needed. Could involve paper exercises or actual tools. Currently people stop at SLOC count. Build a tool that generates something like this label (http://www.owasp.org/index.php/Types_of_application_security_metrics) and it could get a lot of attention.
- Static Analysis to Pentest - Write a tool that takes the output of static analysis and turns it into penetration test cases
- Security Test Automation - Make WebScarab generate, record, and playback security test cases (think JUnit) so that you can do regression security testing
- Open Threat Modeling - Build an open threat modeling tool like Microsoft's but not so ridiculous
- Data Flow - Adding true data flow analysis to LAPSE. Check out the jDFA project at sourceforge to see whether that can be applied to find tainted data attacks like XSS and SQL injection (as well as others)
- Security Across the SDLC - Integrated security activities across the lifecycle. Currently people are talking about “touchpoints” and “activities” but there’s no unifying line of sight or theme.
- Honeycomb - It seems simple, but when you start trying to organize ALL the information that’s out there it gets incredibly difficult. The simple taxonomies are wrong, bad, and misleading. Honeycomb is using a folksonomy approach that I hope will allow us to do something new here. But it really needs someone to think it through – perfect for a thesis.
- Honeycomb+Tools - Integrating the Honeycomb information into tools would be incredibly helpful. Things like the OWASP report generator need it. Threat modeling tools need it. Scanners need it. We need to prepare the information there for tool use.
Many of these projects are research projects that will help students develop their understanding of how application security works. Students who want to participate should:
- Choose an article topic from the Principle or Attack page
- Contact [email protected] to get guidance on your project
- Research everything you can find about that topic on the internet (and books)
- Ensure that you’re not overlapping with other existing OWASP articles
- Create a clear, well-organized, comprehensive article
- You can't just copy other people's work -- you have to think and write in your own words
- Be sure to link with articles you use and any other applicable articles
You can use the "talk" pages associated with each article to propose ideas, ask questions, etc… Members of the OWASP community will respond and guide your work.