
Difference between revisions of "OWASP Secu-RT Project"

(Volunteers)
(News and Events)
 
(4 intermediate revisions by the same user not shown)
Line 10: Line 10:
  
 
==Description==
 
==Description==
<span style="color:#ff0000">
+
This project aims to provide an invisible source-sink analyser/taint tracker. It will do this by knowing the various sources and sinks in each JVM language and displays the full trace of a string that entered through a source and exits unmanaged at a sink.  
This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful.
 
</span>
 
  
The Code Project Template is simply a sample project that was developed for instructional purposes that can be used to create default project pages for a Code project.  After copying this template to your new project, all you have to do is follow the instructions in red, replace the sample text with text suited for your project, and then delete the sections in red.  Doing so should make it clearer to both consumers of this project, as well as OWASP reviewers who are trying to determine if the project can be promoted to the next category.  The information requested is also intended to help Project Leaders think about the roadmap and feature priorities, and give guidance to the reviews as a result of that effort.
+
This project is not intended to be used in a production environment, but as an aid in testing the security flow during the QA phase.
 
 
Creating a new set of project pages from scratch can be a challenging task.  By providing a sample layout, with instructional text and examples, the OWASP Code Project Template makes it easier for Project Leaders to create effective security projects and hence helps promote security.
 
  
 
==Licensing==
 
==Licensing==
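Review bot: the added description sentence mixes tenses ("It will do this by knowing ... and displays the full trace") and uses "exits unmanaged at a sink" without saying what makes a flow unmanaged. Suggest "and displaying the full trace", plus a short definition of "unmanaged" so readers know which flows the tool reports.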
Line 24: Line 20:
  
 
== Project Resources ==
 
== Project Resources ==
<span style="color:#ff0000">
+
[https://github.com/vdbaan/SecuRT Source Code]
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.
 
</span>
 
 
 
[https://github.com/SamanthaGroves Compiled DLLs]
 
 
 
[https://github.com/SamanthaGroves Source Code]
 
 
 
[https://github.com/SamanthaGroves Documentation]
 
 
 
[https://github.com/SamanthaGroves Wiki Home Page]
 
 
 
[https://github.com/SamanthaGroves Issue Tracker]
 
 
 
[https://github.com/SamanthaGroves Slide Presentation]
 
 
 
[https://github.com/SamanthaGroves Video]
 
  
 
== Project Leader ==
 
== Project Leader ==
Line 46: Line 26:
  
 
== Related Projects ==
 
== Related Projects ==
<span style="color:#ff0000">
 
This is where you can link to other OWASP Projects that are similar to yours.
 
</span>
 
  
* [[OWASP_Code_Tool_Template]]
+
 
* [[OWASP_Documentation_Project_Template]]
+
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP Code Crawler]
  
 
==Classifications==
 
==Classifications==
Line 70: Line 47:
  
 
== News and Events ==
 
== News and Events ==
<span style="color:#ff0000">
+
<!--
This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project.
 
</span>
 
 
* [18 Dec 2013] 1.0 Release Candidate is available for download.  This release provides final bug fixes and product stabilization.  Any feedback (good or bad) in the next few weeks would be greatly appreciated.
 
* [18 Dec 2013] 1.0 Release Candidate is available for download.  This release provides final bug fixes and product stabilization.  Any feedback (good or bad) in the next few weeks would be greatly appreciated.
 
* [20 Nov 2013] 1.0 Beta 2 Release is available for download. This release offers several bug fixes, a few performance improvements, and addressed all outstanding issues from a security audit of the code.
 
* [20 Nov 2013] 1.0 Beta 2 Release is available for download. This release offers several bug fixes, a few performance improvements, and addressed all outstanding issues from a security audit of the code.
 
* [30 Sep 2013] 1.0 Beta 1 Release is available for download.  This release offers the first version with all of the functionality for a minimum viable product.     
 
* [30 Sep 2013] 1.0 Beta 1 Release is available for download.  This release offers the first version with all of the functionality for a minimum viable product.     
 
+
-->
 
|}
 
|}
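Review bot: the added `<!--` and `-->` lines in News and Events hide the template's sample release entries (the 18 Dec, 20 Nov and 30 Sep 2013 items) instead of removing them, so placeholder release notes remain in the page source and will reappear if the comment markers are ever dropped. Delete the sample entries outright and leave the section empty until there is real project news.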
  

Latest revision as of 11:47, 6 November 2014


OWASP Secu-RT Project

The OWASP Secu-RT Project is an attempt to use the JVM itself for taint tracking. This project started with a challenge given to me at the AppSec EU conference in Hamburg, when I said that it should be possible to do dynamic source-sink analysis in basic Java applications. My challengers then told me: "Prove it". It took a while, but fairly soon I had a simple setup in which I demonstrated simple log manipulation on the command line and that it was detectable. This project is the continuation of that proof and is aimed at developers to help them detect security vulnerabilities using live source-sink analysis. It is dependent on code coverage and is not intended to be used in a production environment.

Description

This project aims to provide an invisible source-sink analyser/taint tracker. It does this by knowing the various sources and sinks in each JVM language and displaying the full trace of a string that entered through a source and exits unmanaged at a sink.

This project is not intended to be used in a production environment, but as an aid in testing the security flow during the QA phase.
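A minimal sketch of the source-sink idea described above, using the log manipulation case from the introduction. This is an added example, not Secu-RT's code: it carries taint in an explicit wrapper class rather than invisibly inside the JVM, and the names (TaintDemo, Tainted, stripNewlines, logSink) and the sample input are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
// Illustration only: taint is carried by an explicit wrapper, not hidden inside the JVM.
public class TaintDemo {
    /** A string plus the trace of every operation it passed through since its source. */
    static final class Tainted {
        final String value; final List<String> trace; final boolean sanitized;
        Tainted(String value, List<String> trace, boolean sanitized) {
            this.value = value; this.trace = trace; this.sanitized = sanitized;
        }
        Tainted step(String op, String newValue, boolean nowSanitized) {
            List<String> t = new ArrayList<>(trace); t.add(op);
            return new Tainted(newValue, t, nowSanitized);
        }
    }

    // Source: untrusted command-line input enters here and is marked tainted.
    static Tainted source(String arg) {
        return new Tainted(arg, List.of("source: command-line argument"), false);
    }

    // Propagation: a value built from tainted data stays tainted.
    static Tainted concat(String prefix, Tainted in) {
        return in.step("concat: prefix \"" + prefix + "\"", prefix + in.value, in.sanitized);
    }

    // Sanitizer: replace CR/LF so the input cannot start a second log line.
    static Tainted stripNewlines(Tainted in) {
        return in.step("sanitize: CR/LF replaced", in.value.replaceAll("[\\r\\n]", "_"), true);
    }

    // Sink: the log writer. Returns a finding with the full trace if the flow is unmanaged.
    static List<String> logSink(Tainted msg) {
        List<String> finding = new ArrayList<>();
        if (!msg.sanitized) {
            finding.add("unmanaged tainted string reached sink: log");
            finding.addAll(msg.trace);
        }
        return finding;
    }

    public static void main(String[] args) {
        // Constructed sample input: a user name that carries a forged second log line.
        String input = args.length > 0 ? args[0] : "bob\nINFO login ok for admin";
        Tainted raw = concat("login failed for ", source(input));
        logSink(raw).forEach(System.out::println);                  // finding plus trace
        System.out.println(logSink(stripNewlines(raw)).isEmpty()); // sanitized flow
    }
}
```

Only code paths that actually execute produce a trace here, which is why the result of this kind of analysis depends on code coverage.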

Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP XXX and any contributions are Copyright © by Steven van der Baan 2014.

Project Resources

Source Code

Project Leader

Steven van der Baan

Related Projects

Classifications

Project Type: Code
Incubator Project
Builders, Defenders
Affero General Public License 3.0

News and Events