Category:OWASP Open Review Project RoadMap - Revision history

Paulo Coimbra at 17:09, 18 July 2008

2008-07-18T17:09:49Z

Njama: Removed contents: was old mail, now on main page

2008-06-05T19:00:40Z

Removed contents: was old mail, now on main page

Pauloc at 16:43, 2 June 2008

2008-06-02T16:43:38Z

Pauloc at 16:40, 2 June 2008

2008-06-02T16:40:29Z

Pauloc at 16:37, 2 June 2008

2008-06-02T16:37:36Z

Pauloc: New page: Test

2008-06-02T16:28:03Z

New page: Test

New page

Test

← Older revision	Revision as of 17:09, 18 July 2008
Line 1:	Line 1:
−	+	* Independent security review of open source projects;
	+	* Centrally managed review projects;
	+	* Independent statement on what is reviewed and by whom, resulting in a form of assurance that the software is free from security bugs;
	+	* Analysis not limited to code review, including digging into hard algorithms (compression, crypto, etc);
	+	* Responsible disclosure of any security vulnerabilities discovered.

← Older revision		Revision as of 19:00, 5 June 2008
Line 1:		Line 1:
−	~~[[:Category:OWASP Open Review Project\|Previous page - click here]]~~	+
−	* I have been reviewing popular open source common libraries and apps (zlib,truecrypt, etc). We all have many 10's or 100's of these on our machines, in our routers, in our web servers, etc. The quality is sometimes appalling, and as a consequence I am worried about the security. What, for example, if there were an exploitable bug in zlib? Patch Windows in 200 places, Cisco routers, etc etc. But how many people understand the source of zlib, and take the effort to check, write it down, and make the results available to everyone?
−	* So, it seemed a good idea to start the Open Review PROject(ORPRO).
−	* Opposed to other initiatives, the idea is:
−	~~# Independent review, not led by development project, but by software security professionals,~~
−	~~#Centrally managed,~~
−	~~# Leading to independent statement what is reviewed, why it is reviewed,why it is considered secure, and in the end some assurance that the software is free from security bugs,~~
−	~~# Not afraid of digging into hard algorithms (compression, crypto, etc).~~
−	* Key is openness, responsible disclosure, without leaking vulns to each and everyone.
−	* I heard Mark Roxberry's talk on his .NET initiatives at Appsec Belgium. It seems he is thinking along the same line on this. Why not combine the review approaches in ORPRO, irrespective of the language?
−	* I am experienced in project management, enthusiastic, and a vivid public speaker. I have a PhD in math, reverse engineered professionally for many years, was cryptographic researcher, performed pentesting, taught secure development training and reverse engineering, etc. Currently I am security consultant, mainly in governance an compliance at multinationals. In my spare time I analyze code.
−	* Please let me know what you think of my proposal. I think many organization would be extremely glad that OWASP openly checks open source libraries and software that are vital to most commercial and noncommercial apps around.

@@ Line 1: / Line 1: @@
-[[OWASP_Open_Review_Project|Previous page - click here]]
+[[:Category:OWASP Open Review Project|Previous page - click here]]
 * I have been reviewing popular open source common libraries and apps (zlib,truecrypt, etc). We all have many 10's or 100's of these on our machines, in our routers, in our web servers, etc. The quality is sometimes appalling, and as a consequence I am worried about the security. What, for example, if there were an exploitable bug in zlib? Patch Windows in 200 places, Cisco routers, etc etc. But how many people understand the source of zlib, and take the effort to check, write it down, and make the results available to everyone?
 * So, it seemed a good idea to start the Open Review PROject(ORPRO).

← Older revision		Revision as of 16:40, 2 June 2008
Line 1:		Line 1:
		+	[[OWASP_Open_Review_Project\|Previous page - click here]]
	* I have been reviewing popular open source common libraries and apps (zlib,truecrypt, etc). We all have many 10's or 100's of these on our machines, in our routers, in our web servers, etc. The quality is sometimes appalling, and as a consequence I am worried about the security. What, for example, if there were an exploitable bug in zlib? Patch Windows in 200 places, Cisco routers, etc etc. But how many people understand the source of zlib, and take the effort to check, write it down, and make the results available to everyone?		* I have been reviewing popular open source common libraries and apps (zlib,truecrypt, etc). We all have many 10's or 100's of these on our machines, in our routers, in our web servers, etc. The quality is sometimes appalling, and as a consequence I am worried about the security. What, for example, if there were an exploitable bug in zlib? Patch Windows in 200 places, Cisco routers, etc etc. But how many people understand the source of zlib, and take the effort to check, write it down, and make the results available to everyone?
	* So, it seemed a good idea to start the Open Review PROject(ORPRO).		* So, it seemed a good idea to start the Open Review PROject(ORPRO).

← Older revision		Revision as of 16:37, 2 June 2008
Line 1:		Line 1:
−	~~Test~~	+	* I have been reviewing popular open source common libraries and apps (zlib,truecrypt, etc). We all have many 10's or 100's of these on our machines, in our routers, in our web servers, etc. The quality is sometimes appalling, and as a consequence I am worried about the security. What, for example, if there were an exploitable bug in zlib? Patch Windows in 200 places, Cisco routers, etc etc. But how many people understand the source of zlib, and take the effort to check, write it down, and make the results available to everyone?
		+	* So, it seemed a good idea to start the Open Review PROject(ORPRO).
		+	* Opposed to other initiatives, the idea is:
		+	# Independent review, not led by development project, but by software security professionals,
		+	#Centrally managed,
		+	# Leading to independent statement what is reviewed, why it is reviewed,why it is considered secure, and in the end some assurance that the software is free from security bugs,
		+	# Not afraid of digging into hard algorithms (compression, crypto, etc).
		+	* Key is openness, responsible disclosure, without leaking vulns to each and everyone.
		+	* I heard Mark Roxberry's talk on his .NET initiatives at Appsec Belgium. It seems he is thinking along the same line on this. Why not combine the review approaches in ORPRO, irrespective of the language?
		+	* I am experienced in project management, enthusiastic, and a vivid public speaker. I have a PhD in math, reverse engineered professionally for many years, was cryptographic researcher, performed pentesting, taught secure development training and reverse engineering, etc. Currently I am security consultant, mainly in governance an compliance at multinationals. In my spare time I analyze code.
		+	* Please let me know what you think of my proposal. I think many organization would be extremely glad that OWASP openly checks open source libraries and software that are vital to most commercial and noncommercial apps around.