Difference between revisions of "Category:OWASP Orizon Project"

(Documentation: enhancing English grammar)
(Download: enhance English grammar)
Line 33: Line 33:
  
 
== Download ==
 
== Download ==
By now all the code is in subversion repository hosted at sourceforge.net.
+
The source code is in a Subversion repository and hosted at sourceforge.net.
  
Last release is: [http://downloads.sourceforge.net/orizon/orizon-1.0.jar?use_mirror=heanet 1.0]
+
The latest release is [http://downloads.sourceforge.net/orizon/orizon-1.0.jar?use_mirror=heanet 1.0].
  
 
=== Dawn ===
 
=== Dawn ===
In September 2007, while hacking around release 0.50, I decided to introduce dynamic code review facilities, just for Java language by now.
 
Looking for a name of this Orizon's piece of code, I choosed ''dawn''.
 
  
I think this will be the most cutting edge technology inside Orizon. It will help developers to ''raise'' from a buggy and unsafe code into an hardened one... so that's because of the name ''dawn'' for all related to dynamic code review.
+
In September 2007, while hacking around release 0.50, a decision was made to introduce dynamic code review facilities – first for the Java language. ''Dawn'' was chosen as the name of this new feature in Orizon.  
  
Dawn is contained in Orizon since release 0.45pre1.
+
The project team believes that this will be the most cutting edge technology inside of Orizon; it will help developers ''rise'' from buggy and unsafe code to hardened and secure code; hence, the name ''dawn'' for all related dynamic code review.
 +
 
 +
Dawn was implemented in Orizon release 0.45pre1.
  
 
=== Bastion ===
 
=== Bastion ===
Sometimes around March 2007, looking to the results in tell people how good would be reviewing their code for security issues, I realized that a quick workaround has to be provided for whom scared about a full code review activity or simply for whom who want to have a quick fix meanwhile the security review has been completed.
 
  
For such a reason I realized a parallel project, called Bastion, in order to provide to Java developers, classes that embed security checks in their core in order to have a quick fix without changing so much in the code.
+
Around March 2007, feedback from stressing the importance of reviewing code for security issues brought about the realization that a more lightweight solution needed to be provided for those that were afraid of undertaking a full code review activity, or simply for those who wanted a quickie until the security review was completed..
 +
 
 +
For this reason, a parallel project called Bastion was realized in order to provide Java developers with classes that embed security checks in their core, giving them a quick fix without having to change too much code.
  
Please, let me explain, that this won't substitute a security code review at all. Bastion would give a primer help meanwhile effort has been spent over source code to leverage security branches.
+
Please understand that Bastion will not come close to substituting for robust security coding, but it will provide some minimal secure coding functionality while full-fledged secure coding is being undertaken in other parts of the application.
  
Starting from Orizon v0.25, Bastion is a separated JAR file.
+
Starting from Orizon v0.25, Bastion is a separate JAR file.The latest Bastion version is
Latest Bastion version is:
+
[http://downloads.sourceforge.net/orizon/bastion-0.42-b193.jar?use_mirror=heanet 0.42 Build 193].
[http://downloads.sourceforge.net/orizon/bastion-0.42-b193.jar?use_mirror=heanet 0.42 Build 193]
 
  
I realized also a very simple web application that shows how to use bastion in order to fix a very dummy Cross Site Scripting attack with a single line of code changed.
+
A very simple web application that demonstrates how to use Bastion to fix a very generic  Cross Site Scripting attack by changing a single line of code can be found
The WAR file containing the aforementioned web application could be found  
+
[http://downloads.sourceforge.net/orizon/bastion_test.war?use_mirror=heanet here]. To use it, point your browser to ''http://<domain name>/bastion_test'' and follow the instructions.
[http://downloads.sourceforge.net/orizon/bastion_test.war?use_mirror=heanet here]
 
  
The base url is setted up to bastion_test, so after starting up your preferred application server, run your browser to ''http://url/bastion_test'' and follow the instructions.
 
  
The application is built against a very old orizon version, indeed bastion was still contained inside orizon. Since my latest work is related to Orizon APIs, Bastion code is the same from April to nowadays.
+
The Bastion test application is built against a very old Orizon version when Bastion was still contained inside of Orizon. Because the current focus of the project is on the Orizon APIs, the Bastion code remains unchanged since April.
  
A few words need to be spent here. I'm not reinventing the wheel. The Web is full of library sanitizing source code trying to mitigate an attack over a web application. Bastion is just my small contribute to the community, I really hope you'll appreciate this.
+
A few words need to be said here; there is no intention to reinvent the wheel. The Web is full of libraries that sanitize source code in order to mitigate an attack on a web application. Bastion is just our small contribution to the community; we really hope that you'll appreciate it.
  
 
== The library ==
 
== The library ==
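
Review bot: In the Bastion section, the new wording "will not come close to substituting for robust security coding" changes the claim of the line it replaces, which said Bastion "won't substitute a security code review at all"; keep "security code review" so the caveat still describes Bastion as a stopgap until the review is done. The added lines also introduce three typos that should be fixed before saving: "completed.." (double period), "separate JAR file.The latest Bastion version is" (missing space after the period) and "very generic  Cross Site Scripting" (double space). "quickie" would read better as "quick fix", the term the following added paragraph already uses.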

Revision as of 03:30, 2 December 2008



PROJECT IDENTIFICATION

Project Name: OWASP Orizon Project

Short Project Description: This project was born in 2006 to provide a framework for all OWASP projects developing code review services. The project is in a quite stable stage and is usable for Java static code review and some dynamic tests against XSS. OWASP Orizon also includes APIs for code crawling, usable by code crawling tools.

Key Project Information

  • Project Leader: Paolo Perego
  • Project Contributors: See here
  • Mailing list: Subscribe here, Use here
  • License: Creative Commons Attribution Share Alike 3.0
  • Project Type: Tool
  • Sponsor: OWASP SoC 08

Release Status: Beta Quality. Please see here for complete information.

Main Links

  • The OWASP Orizon Project in Power Point
  • Orizon Safe coding and beyond - Word File
  • Orizon 1.19 - The Latest Release
  • Orizon internal draft
  • Orizon site at sourceforge
  • Orizon blog

Related Projects

  • OWASP Code Review Guide


Overview

The quest for secure code is what all developers want to achieve (at least we hope so). Software must be reliable. Software must be strong. Software must be secure.

How secure does my software have to be? The correct answer is hard to find. But security is a problem that even a development team must consider.

Should skilled developers also be security gurus? Not necessarily, but it is important to provide security tools that will augment their development skills. And so our quest for secure code begins...

The OWASP Orizon project was created with the aim of providing a common ground for safe coding and code review methodologies to be applied to software. The project is approaching its first major release and it will be able to be used in a production environment in the near future.

Orizon must give thanks to Findbugs, the OWASP LAPSE Project, RATS, and Flawfinder for ideas and inspiration.

The Orizon project, hosted by Sourceforge, is here.

Goals

Orizon’s goal is to provide a set of APIs to:

  • Manage a safe coding rules library
  • Apply these rules to a generic source file
  • Support the most widely used programming languages (e.g. Java, JSP, C#, ASP.NET, C, C++)
  • Create reports that show source code assessment results
  • Allow developers to build code review tools
  • Help people understand how important it is to apply safe coding rules while making software

One of OWASP’s newly created goals is to “eat its own dog food” and Orizon contributes to this goal by implementing the security checks described in the OWASP Code Review Guide.

Documentation

Available online is an Orizon presentation given at OWASP AppSec EU 2008 in Ghent, May 2008.

Download

The source code is in a Subversion repository and hosted at sourceforge.net.

The latest release is 1.0.

Dawn

In September 2007, while hacking around release 0.50, a decision was made to introduce dynamic code review facilities – first for the Java language. Dawn was chosen as the name of this new feature in Orizon.

The project team believes that this will be the most cutting edge technology inside of Orizon; it will help developers rise from buggy and unsafe code to hardened and secure code; hence, the name dawn for all related dynamic code review.

Dawn was implemented in Orizon release 0.45pre1.

Bastion

Around March 2007, feedback from stressing the importance of reviewing code for security issues brought about the realization that a more lightweight solution needed to be provided for those who were afraid of undertaking a full code review activity, or simply for those who wanted a quickie until the security review was completed.

For this reason, a parallel project called Bastion was realized in order to provide Java developers with classes that embed security checks in their core, giving them a quick fix without having to change too much code.

Please understand that Bastion will not come close to substituting for robust security coding, but it will provide some minimal secure coding functionality while full-fledged secure coding is being undertaken in other parts of the application.

Starting from Orizon v0.25, Bastion is a separate JAR file. The latest Bastion version is 0.42 Build 193.

A very simple web application that demonstrates how to use Bastion to fix a very generic Cross Site Scripting attack by changing a single line of code can be found here. To use it, point your browser to http://<domain name>/bastion_test and follow the instructions.


The Bastion test application is built against a very old Orizon version when Bastion was still contained inside of Orizon. Because the current focus of the project is on the Orizon APIs, the Bastion code remains unchanged since April.

A few words need to be said here; there is no intention to reinvent the wheel. The Web is full of libraries that sanitize source code in order to mitigate an attack on a web application. Bastion is just our small contribution to the community; we really hope that you'll appreciate it.
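
The "single line of code" idea described above can be illustrated with a small Java sketch. This is an added example, not Bastion's code or API: `EncodedParams`, `greetUnsafe` and `greetSafe` are hypothetical names, and the request parameters are modelled as a plain `Map` with constructed sample input so the example runs without a servlet container.

```java
import java.util.Map;

// Added illustration; EncodedParams is a hypothetical class, not Bastion's API.
public class DropInEncodingDemo {

    /** Wraps request parameters and HTML-encodes every value when it is read. */
    static final class EncodedParams {
        private final Map<String, String> raw;

        EncodedParams(Map<String, String> raw) { this.raw = raw; }

        String get(String name) {
            String value = raw.get(name);
            return value == null ? "" : encodeForHtml(value);
        }

        // Encode the characters that are significant in HTML text and in
        // quoted attribute values.
        static String encodeForHtml(String s) {
            StringBuilder out = new StringBuilder(s.length() + 16);
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                switch (c) {
                    case '&':  out.append("&amp;");  break;
                    case '<':  out.append("&lt;");   break;
                    case '>':  out.append("&gt;");   break;
                    case '"':  out.append("&quot;"); break;
                    case '\'': out.append("&#x27;"); break;
                    default:   out.append(c);
                }
            }
            return out.toString();
        }
    }

    // Before: the parameter is echoed into the page unchanged.
    static String greetUnsafe(Map<String, String> params) {
        return "<p>Hello, " + params.get("name") + "</p>";
    }

    // After: the only changed line is the parameter read.
    static String greetSafe(Map<String, String> params) {
        return "<p>Hello, " + new EncodedParams(params).get("name") + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input that contains markup.
        Map<String, String> params = Map.of("name", "<i title=\"x\">Bob</i> & co");
        System.out.println(greetUnsafe(params)); // markup reaches the page as-is
        System.out.println(greetSafe(params));   // markup is rendered as text
    }
}
```

Entity encoding of this kind only protects values placed in HTML text or quoted attributes; values written into script blocks, URLs or CSS need encoding for that context, which is one reason a wrapper like this does not replace the code review.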

The library

For a code review tool, the most important thing is the knowledge: the security checks being applied to the source code. No matter how good your tool is or how fancy your UI is, a poor security check library means your tool is useless.

Orizon organizes safe coding best practices in XML rules contained in files called recipes. The mantra I choose is that "coding is like cooking": the goal is to choose the right recipe.

Recipes are gathered together in a zip file called Library.

This is the layout of the knowledge inside Orizon.

The XML schema

The Orizon XML schema used to describe secure coding checks can be hard to read. On this page you can find more details about how an XML rule is built.

Blog

The OWASP blog is now proudly hosted by SourceForge here.


Future Development

This is the updated project RoadMap. I was too optimistic in my first roadmap draft. This is a more realistic timeline...

For an up-to-date roadmap, refer to the official Orizon Roadmap page.

Speeches

Owasp Orizon Internals @ Owasp AppSec NY 2008, New York 22-25th September 2008

Orizon@AppSec NY 2008

Owasp Orizon Internals @ Owasp AppSec EU 2008, Ghent 21-22nd May 2008

Orizon@AppSec EU 2008

Owasp Orizon Internals @ Owasp Day Italy 2008, Rome 31st March 2008

Orizon@Owasp Day in Italy

OWASP Orizon Project @ SMAU eAcademy, Milan 4-7th October 2006

I will talk at SMAU eAcademy2006 next Saturday, 7th October 2006, about code review and safe coding. Here you can find more information, in Italian only for now. The last part of the speech will introduce the Orizon project and give its development roadmap.

2.10.2006

OWASP Orizon Project Created! - 09:24, 2 October 2006 (EDT)

The Open Web Application Security Project is proud to announce the OWASP Orizon Project!

Feedback and Participation:

Orizon wants you

Of course, as an open source project, anyone is welcome to join Orizon, and please do. If you are a developer skilled in C#, Java or ASP and you want to share your experience with these languages, feel free to use the mailing list to contribute to the languages Orizon supports.

If you are a skilled Java developer, why not think about writing some code for Orizon?

If you write quite well or, it's not so difficult, better than me, please think about joining the project for documentation, advertising, blog maintenance ...

We hope you find the OWASP Orizon Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to [email protected]. To join the OWASP Orizon Project mailing list or view the archives, please visit the subscription page.

Project Contributors

--thesp0nge 09:47, 2 October 2006 (EDT)

Project Sponsor
