|
|
| Line 1: |
Line 1: |
| | '''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]''' | | '''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]''' |
| − |
| |
| − |
| |
| − | '''AoC Candidate''': Paolo Perego
| |
| − |
| |
| − | '''Project coordinator''': Dinis Cruz
| |
| − |
| |
| − | '''Project Progress''': 45% Complete, [[SpoC 007 - Orizon Project - Progress Page|Progress Page]]
| |
| − |
| |
| − | == Paolo Perego - OWASP Orizon Project==
| |
| − |
| |
| − |
| |
| − | === Executive Summary ===
| |
| − |
| |
| − | Owasp Orizon [16] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.
| |
| − |
| |
| − | I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.
| |
| − |
| |
| − | Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.
| |
| − |
| |
| − | I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.
| |
| − |
| |
| − | === Objectives and Deliverables ===
| |
| − |
| |
| − | Completing the static code review API section:
| |
| − | * improving programming language to XML translator
| |
| − | * improving security best practices code review scan library
| |
| − | * improving secure coding fashion best practices library
| |
| − | * writing the pattern matching scan using the aformentioned libraries
| |
| − |
| |
| − | Writing the java source code enforment objects
| |
| − | * writing an object to handle form data values to avoid XSS
| |
| − | * writing an object to handle form data values to avoid SQL Injection
| |
| − | * writing an object to handle HttpRequest and HttpSession objects
| |
| − |
| |
| − | === Why I should be sponsored for the project ===
| |
| − |
| |
| − | Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.
| |
| − |
| |
| − | I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.
| |
| − |
| |
| − | I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.
| |
| − |
| |
| − |
| |
| − | '''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − | === News ===
| |
| − | 13<sup>th</sup> July 2007 - The project status as Spoc 2007 start is summarized in the following:
| |
| − | <ul>
| |
| − | <li>java sources are translated into XML using JDK6 APIs;</li>
| |
| − | <li>Orizon classes are in a refactoring stage in order to reflect a better approach in design phase;</li>
| |
| − | <li>library containing checks is now a Zip file instead of a plain XML file. The library file will contain "receipts", XML files containing security checks grouped by category.</li>
| |
| − | </ul>
| |
| − | What is missing by now is some checks. I'm looking the web in order to collect "coding best practices" and trying to formalize them in XML.
| |
| − |
| |
| − | === Next actions ===
| |
| − | <table border="1">
| |
| − | <tr>
| |
| − | <th>Id</th>
| |
| − | <th>Description</th>
| |
| − | <th>Priority</th>
| |
| − | <th>Blocking?</th>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>OR-1</td>
| |
| − | <td>Collecting safe coding best practices</td>
| |
| − | <td>High</td>
| |
| − | <td>No</td>
| |
| − | </tr>
| |
| − |
| |
| − | <tr>
| |
| − | <td>OR-2</td>
| |
| − | <td>Creating APIs for XML reports</td>
| |
| − | <td>Low</td>
| |
| − | <td>No</td>
| |
| − | </tr>
| |
| − |
| |
| − | <tr>
| |
| − | <td>OR-3</td>
| |
| − | <td>Creating code to handle dynamic test cases generation</td>
| |
| − | <td>Medium</td>
| |
| − | <td>No</td>
| |
| − | </tr>
| |
| − |
| |
| − | </table>
| |
| − |
| |
| − | === SpoC 2007 Goals ===
| |
| − | <table border="1">
| |
| − | <tr>
| |
| − | <th>Goal</th>
| |
| − | <th>Completeness (%)</th>
| |
| − | <th>Included in Orizon release</th>
| |
| − | <th>Estimated inclusion time</th>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Static analysis</td>
| |
| − | <td>30%</td>
| |
| − | <td>0.65</td>
| |
| − | <td>August 2007 (the beginning of)</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Dynamic analysis</td>
| |
| − | <td>0%</td>
| |
| − | <td>0.75</td>
| |
| − | <td>August 2007 (late, may be around 28-30)</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Creating a library with 30 checks included</td>
| |
| − | <td>5%</td>
| |
| − | <td>0.80</td>
| |
| − | <td>September 2007 (mid of)</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Support for C language</td>
| |
| − | <td>0%</td>
| |
| − | <td>0.80</td>
| |
| − | <td>September 2007 (mid of)</td>
| |
| − | </tr>
| |
| − | <tr>
| |
| − | <td>Capability to export results in XML with customizable CSS</td>
| |
| − | <td>0%</td>
| |
| − | <td>0.90</td>
| |
| − | <td>October 2007</td>
| |
| − | </tr>
| |
| − | </table>
| |
