This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Difference between revisions of "Project Information:template Source Code Flaws Top 10 Project"

From OWASP
 
(19 intermediate revisions by 2 users not shown)
Line 7: Line 7:
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
 
  | colspan="7" style="width:85%; background:#cccccc" align="left"|  
 
  | colspan="7" style="width:85%; background:#cccccc" align="left"|  
* While trying to build a taxonomy for source code flaw categories to be applied to both Code Review Guide than to Owasp Orizon project, I proposed Eoin Keary (Code Review Guide's Leader) a sort of Top 10 of flaw categories that can be used to match vulnerabilities found during a code review.
+
This project is about giving a taxonomy to describe the categories of the most dangerous security flaws you can find during a code review. For dynamic code review (web based application ethical hacking) the original Owasp Top 10 is the must have over each desk, in order to manage all the findings during the reporting phase. With the Source code flaws Top 10, you will have the same document but focused to source code.
* I started hacking over the venerable work of Gary McGraw and his "Seven kingdoms" but I found that something can be extendend to match a sort of Top 10 document also for Code Review assessement.
+
 
* This project deliverable will be a document with an outline very close to the "Owasp Top 10" one.
+
I started from venerable Gary McGraw work about the "seven kingdoms" trying to extend it to match the Top 10 schema and to include some ideas that came out to me during code reviews or static analysis.
 +
 
 +
This project delivery will be a document very similar as outline to Owasp Top 10 most critical vulnerabilities in web applications. This taxonomy will be used in official Owasp Guide for static analysis, the Code review guide leaded by Eoin Keary and it will be used as cookbook list for Owasp Orizon static analysis engine default library.  
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
  | style="width:12%; background:#cccccc" align="center"|Licensed under<br>[[:OWASP Licenses|Choose here & replace link with license name]]
+
  | style="width:12%; background:#cccccc" align="center"|Licensed under<br>[http://creativecommons.org/licenses/by-sa/3.0/:Creative Commons Attribution ShareAlike 3.0 license]
 
  | style="width:12%; background:#cccccc" align="center"|Project Leader<br>[[User:Thesp0nge|'''Paolo Perego''']]
 
  | style="width:12%; background:#cccccc" align="center"|Project Leader<br>[[User:Thesp0nge|'''Paolo Perego''']]
  | style="width:12%; background:#cccccc" align="center"|Project Contributors<br>[[User:name|'''Name''']]
+
  | style="width:12%; background:#cccccc" align="center"|Project Contributors<br>[[User:Rba|'''Brad Andrews''']]
  | style="width:12%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp-yasca-project '''To Subscribe''']<br>[mailto:owasp-yasca-project(at)lists.owasp.org '''To Use''']
+
  | style="width:12%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp-source-code-flaws-top-10 '''Subscribe here''']<br>[mailto:owasp-source-code-flaws-top-10(at)lists.owasp.org '''Use here''']
 
  | style="width:12%; background:#cccccc" align="center"|First Reviewer<br>[[User:name|'''Name''']]
 
  | style="width:12%; background:#cccccc" align="center"|First Reviewer<br>[[User:name|'''Name''']]
 
  | style="width:12%; background:#cccccc" align="center"|Second Reviewer<br>[[User:name|'''Name''']]
 
  | style="width:12%; background:#cccccc" align="center"|Second Reviewer<br>[[User:name|'''Name''']]
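Review bot: the license link added in the "Licensed under" cell, [http://creativecommons.org/licenses/by-sa/3.0/:Creative Commons Attribution ShareAlike 3.0 license], puts a colon where external-link syntax needs a space, so the URL becomes http://creativecommons.org/licenses/by-sa/3.0/:Creative (a non-existent path) and the visible label is cut to "Commons Attribution ShareAlike 3.0 license"; change it to [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution ShareAlike 3.0 license]. The First Reviewer and Second Reviewer cells in the same hunk still carry the template placeholder [[User:name|'''Name''']], so either name the reviewers or mark those fields as not yet assigned.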
Line 24: Line 26:
 
  |-
 
  |-
 
  | style="width:100%; background:#cccccc" align="center"|
 
  | style="width:100%; background:#cccccc" align="center"|
* Add here.
+
[[:OWASP Source Code Flaws Top 10 Project Index|'''Source Code Flaws Top 10 Index''']]
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
Line 36: Line 38:
 
  ! colspan="6" align="center" style="background:#4058A0; color:white"|<font color="white">'''SPONSORS & GUIDELINES'''  
 
  ! colspan="6" align="center" style="background:#4058A0; color:white"|<font color="white">'''SPONSORS & GUIDELINES'''  
 
  |-
 
  |-
  | style="width:50%; background:#cccccc" align="center"|Sponsor name, if applicable  
+
  | style="width:50%; background:#cccccc" align="center"|No sponsors yet, drop [mailto:[email protected]|'''me'''] a line if you want to be the first  
  | style="width:50%; background:#cccccc" align="center"|[[:Category:OWASP Yasca Project Roadmap|'''Guidelines/Roadmap''']]
+
  | style="width:50%; background:#cccccc" align="center"|[[:Category:OWASP Source Code Flaws Top 10 Project Roadmap|'''Roadmap''']]
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
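Review bot: the sponsor cell's "drop me a line" link uses the pipe separator of internal links inside an external mailto link ([mailto:...|'''me''']); external links separate the address and the label with a space, as the Subscribe/Use mailing-list links in this same change do, so it should read [mailto:<address> '''me'''] or the label will not render as intended.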
Line 49: Line 51:
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"|'''First Review'''  
 
  | style="width:15%; background:#7B8ABD" align="center"|'''First Review'''  
  | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Not yet''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Status''' - (To update)<br>---------<br>[[Project Information:template Yasca Project - First Review - Self Evaluation - A|See&Edit: First Review/SelfEvaluation (A)]]
+
  | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Not yet''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Status''' - (To update)<br>---------<br>[[Project Information:template Source Code Flaws Top 10 Project - First Review - Self Evaluation - A|See&Edit: First Review/SelfEvaluation (A)]]
  | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Not yet''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Status''' - (To update)<br>---------<br>[[Project Information:template Yasca Project - First Review - First Reviewer - B|See&Edit: First Review/1st Reviewer (B)]]
+
  | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Not yet''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Status''' - (To update)<br>---------<br>[[Project Information:template Source Code Flaws Top 10 Project - First Review - First Reviewer - B|See&Edit: First Review/1st Reviewer (B)]]
  | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Status''' - (To update)<br>---------<br>[[Project Information:template Yasca Project - First Review - Second Reviewer - C|See&Edit: First Review/2nd Reviewer (C)]]
+
  | style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Status''' - (To update)<br>---------<br>[[Project Information:template Source Code Flaws Top 10 Project - First Review - Second Reviewer - C|See&Edit: First Review/2nd Reviewer (C)]]
  | style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Status''' - (To update)<br>---------<br>[[Project Information:template Yasca Project - First Review - OWASP Board Member - D|See/Edit: First Review/Board Member (D)]]
+
  | style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Alpha Status''' - (To update)<br>---------<br>[[Project Information:template Source Code Flaws Top 10 Project - First Review - OWASP Board Member - D|See/Edit: First Review/Board Member (D)]]
 
  |-
 
  |-
 
  |}
 
  |}
 
 
 
[[Category:OWASP Project]]
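Review bot: the four First Review cells only swap the "Yasca Project" link targets for "Source Code Flaws Top 10 Project" ones and keep the template's "Yes/No (To update)" and "Alpha Status - (To update)" placeholders; since the self-evaluation and first-reviewer cells already record "Not yet", the second-reviewer and board-member cells should state the actual answer or say those reviews have not started, so the status table does not read as half-filled template text.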
 

Latest revision as of 17:04, 30 April 2009

PROJECT IDENTIFICATION
Project Name OWASP Source Code Flaws Top 10 Project
Short Project Description

This project aims to give a taxonomy for the categories of the most dangerous security flaws you can find during a code review. For dynamic code review (ethical hacking of web-based applications) the original OWASP Top 10 is the must-have on every desk for organising the findings during the reporting phase. The Source Code Flaws Top 10 is intended to be the same kind of document, but focused on source code.

I started from Gary McGraw's venerable work on the "seven kingdoms", trying to extend it to match the Top 10 schema and to include some ideas that came to me during code reviews and static analysis.

The project deliverable will be a document whose outline closely follows the OWASP Top 10 most critical vulnerabilities in web applications. This taxonomy will be used in the official OWASP guide for static analysis, the Code Review Guide led by Eoin Keary, and it will serve as the cookbook list for the default library of the OWASP Orizon static analysis engine.

Key Project Information
Licensed under: Creative Commons Attribution ShareAlike 3.0 license (http://creativecommons.org/licenses/by-sa/3.0/)
Project Leader: Paolo Perego
Project Contributors: Brad Andrews
Mailing List: subscribe at https://lists.owasp.org/mailman/listinfo/owasp-source-code-flaws-top-10; post to owasp-source-code-flaws-top-10(at)lists.owasp.org
First Reviewer: Name
Second Reviewer: Name
OWASP Board Member (if applicable): Name
PROJECT MAIN LINKS
Source Code Flaws Top 10 Index

RELATED PROJECTS

SPONSORS & GUIDELINES
Sponsors: No sponsors yet, drop me a line if you want to be the first
Guidelines: Roadmap
ASSESSMENT AND REVIEW PROCESS

Review columns (Review/Reviewer):
Author's Self Evaluation (applicable for Alpha Quality & further)
First Reviewer (applicable for Alpha Quality & further)
Second Reviewer (applicable for Beta Quality & further)
OWASP Board Member (applicable just for Release Quality)

First Review:
Author's Self Evaluation: Objectives & Deliveries reached? Not yet (To update). Which status has been reached? Alpha Status (To update). See&Edit: First Review/SelfEvaluation (A)
First Reviewer: Objectives & Deliveries reached? Not yet (To update). Which status has been reached? Alpha Status (To update). See&Edit: First Review/1st Reviewer (B)
Second Reviewer: Objectives & Deliveries reached? Yes/No (To update). Which status has been reached? Alpha Status (To update). See&Edit: First Review/2nd Reviewer (C)
OWASP Board Member: Objectives & Deliveries reached? Yes/No (To update). Which status has been reached? Alpha Status (To update). See/Edit: First Review/Board Member (D)