This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Orizon Project"

From OWASP
(Overview)
 
(49 intermediate revisions by 9 users not shown)
Line 1: Line 1:
[[:Category:OWASP Project|Click here to return to OWASP Projects page.]]<br>
+
=Main=
[[:Project Information:template Orizon Project|Click here to see (& edit, if wanted) the template.]]  
+
{|
{{:Project Information:template Orizon Project}}
+
|-
 +
! width="700" align="center" | <br>
 +
! width="500" align="center" | <br>
 +
|-
 +
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]  
 +
| align="right" |
  
== Overview ==
+
|}
  
The quest for secure code is what all developers want (I hope so) to achieve. Software must be reliable. Software must be strong. Software must be '''secure'''.
+
==OWASP Orizon Project==
  
How much my software has to be ''secure''? The correct answer is hard to find. But security is a problem that even a development team must take care for.
+
OWASP Orizon is a source code security scanner designed to spot vulnerabilities in J2EE web applications, Android code and generally speaking in Java written source code.
Must be a skilled developer also a security guru? Don't know, not necessarly. But it's important that someone give him the tools to merge security know how to his development skills, and so our quest for secure code starts...
 
  
Orizon borns with the aim to provide a common ground to safe coding and code review methodologies applied to software. The code is approaching the first major release and it will be able to be used in a production environment very soon.
+
==Description==
  
Orizon must give thanks di LAPSE Project (that you may find between OWASP Projects) RATS, Flawfinder for ideas and
+
Owasp Orizon is a source code static analyzer tool designed to spot security issues in Java applications.
inspiration.
 
  
Orizon page at sourceforge is [http://orizon.sourceforge.net this].
+
Owasp Orizon mission is to provide people an opensource tool, helping them in reviewing:
  
== Goals ==
+
* single Java classes
Owasp Orizon goal is to provide a set of APIs to:
+
* Java standalone tools packed in JAR files
* manage a safe coding rules library
+
* web applications packed in EAR / WAR files
* apply these rules to a generic source file
+
* Android APK applications
* support the widespread used programming language (Java, C#, ASP.NET, C, C++, ...)
 
* create report to show source code assessment results
 
* let developers build code review tools
 
* help people understand how much important is applying safe coding rules while making software
 
  
Owasp Orizon will implement all security checks described in the [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code review Guide].
+
It was a dark and stormy night in Milan, Italy. It was 2006 and I felt the need of something helping me in reviewing other people java source code. So Owasp Orizon born and grew up as security tool trying to parse Java source code, building an Abstract Syntax Tree and spot for unsafe calls in the code.
  
== Documentation ==
+
In the very beginning Owasp Orizon was a sort of enhanced grep tool. In 2008, I started supporting PHP programming language but the initial boost disappeared. After being in love with other programming languages and technolgies, eight years later, in 2017 I kickstarted the project again from scratch.
  
Available online it is the [http://downloads.sourceforge.net/orizon/The_Owasp_Orizon_Project_Internals_v2.2.ppt?use_mirror=osdn slideshow] used during [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2008_-_Belgium Owasp AppSec EU 2008 in Ghent, May 2008].
+
==Licensing==
 +
OWASP Orizon is an opensource tool. It is licensed under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License].
  
== Download ==
+
== Quick Start ==
By now all the code is in subversion repository hosted at sourceforge.net.
 
  
Last release is: [http://downloads.sourceforge.net/orizon/orizon-0.90.jar?use_mirror=heanet 0.90]
+
See project [https://github.com/thesp0nge/owasp-orizon GitHub home page]  
  
=== Dawn ===
+
== Project Resources ==
In September 2007, while hacking around release 0.50, I decided to introduce dynamic code review facilities, just for Java language by now.
 
Looking for a name of this Orizon's piece of code, I choosed ''dawn''.
 
  
I think this will be the most cutting edge technology inside Orizon. It will help developers to ''raise'' from a buggy and unsafe code into an hardened one... so that's because of the name ''dawn'' for all related to dynamic code review.
+
[https://owasporizon.wordpress.com Blog]
  
Dawn is contained in Orizon since release 0.45pre1.
+
[https://github.com/thesp0nge/owasp-orizon  Code] | [https://github.com/thesp0nge/owasp-orizon/releases Binaries]
  
=== Bastion ===
+
[https://github.com/thesp0nge/owasp-orizon/issues Issue Tracker]
Sometimes around March 2007, looking to the results in tell people how good would be reviewing their code for security issues, I realized that a quick workaround has to be provided for whom scared about a full code review activity or simply for whom who want to have a quick fix meanwhile the security review has been completed.
 
  
For such a reason I realized a parallel project, called Bastion, in order to provide to Java developers, classes that embed security checks in their core in order to have a quick fix without changing so much in the code.
+
== Project Leader ==
  
Please, let me explain, that this won't substitute a security code review at all. Bastion would give a primer help meanwhile effort has been spent over source code to leverage security branches.
+
Paolo Perego<br/>
 +
[mailto:thesp0nge@owasp.org email] [https://twitter.com/thesp0nge/ twitter] [https://codiceinsicuro.it blog ]
  
Starting from Orizon v0.25, Bastion is a separated JAR file.
+
== News and Events ==
Latest Bastion version is:
+
* [Spring 2017] - [http://owaspsummit.org/Working-Sessions/Project-Summit/Owasp-Orizon-Reboot.html Owasp Orizon kickstart session]
[http://downloads.sourceforge.net/orizon/bastion-0.42-b193.jar?use_mirror=heanet 0.42 Build 193]
+
* [13 September 2016] - Paolo Perego take back project leadership, kickstarting Owasp Orizon again
 +
* [February, 2014] - Greg Disney-Leugers adopted the OWASP Orizon project.
 +
* [November 2009] - we started moving from current release to the next major bump (v2.0) that will happen next June 2010 during Owasp AppSEC conference in Stockholm.
  
I realized also a very simple web application that shows how to use bastion in order to fix a very dummy Cross Site Scripting attack with a single line of code changed.
+
== Roadmap and Getting Involved==
The WAR file containing the aforementioned web application could be found
 
[http://downloads.sourceforge.net/orizon/bastion_test.war?use_mirror=heanet here]
 
  
The base url is setted up to bastion_test, so after starting up your preferred application server, run your browser to ''http://url/bastion_test'' and follow the instructions.
+
Owasp Orizon kickstart is scheduled during the upcoming [http://owaspsummit.org/Working-Sessions/Project-Summit/Owasp-Orizon-Reboot.html Owasp Summit 2017]
  
The application is built against a very old orizon version, indeed bastion was still contained inside orizon. Since my latest work is related to Orizon APIs, Bastion code is the same from April to nowadays.
+
Some intended milestones to be putted in roadmap are:
  
A few words need to be spent here. I'm not reinventing the wheel. The Web is full of library sanitizing source code trying to mitigate an attack over a web application. Bastion is just my small contribute to the community, I really hope you'll appreciate this.
+
* Spring 2017 - Defining the team and overall goals
 +
* Autumn 2017 - First alpha release
 +
* Winter 2017 - Second alpha release
 +
* January 2018 - First beta
  
== The library ==
 
For a code review tool the most important thing is the knowledge, the security checks being applied to the source code.
 
No matter how good is your tool or fancy is your UI, a poor security check library means your tool is useless.
 
  
Orizon organizes safe coding best practices in XML rules contained in files called recipes. The mantra I choose is that "coding is like cooking", the goal is to choose the right recipe.
+
==Classifications==
  
Recipes are gathered togheter in a zip file called Library.
+
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_TOOL.jpg|link=]]
 +
  |}
  
This is the layout of the knowledge inside orizon.
+
|}
  
=== The XML schema ===
 
Orizon XML schema used to describe secure coding checks can be hard to read. In this [http://www.owasp.org/index.php/OWASP_Orizon_Project_XML page] you can find more details about how an XML rule is built.
 
  
== Blog ==
 
Owasp blog is now proudly hosted by sourceforge [http://orizon.sourceforge.net/blog here].
 
  
  
  
== Future Development ==
 
This is the updated project RoadMap. I was too optimistic in my first roadmap draft. This is a more realistic timeline...
 
 
For an up to date roadmap you have to refer to official Orizon Roadmap [http://orizon.sourceforge.net/roadmap.html page]
 
  
== Speeches ==
+
=Project About=
 +
{{:Project Information:template Orizon Project}} 
  
'''Owasp Orizon Internals @ Owasp AppSec NY 2008, New York 22-25th September 2008'''
+
__NOTOC__ <headertabs />
[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Orizon@AppSec NY 2008]
 
  
'''Owasp Orizon Internals @ Owasp AppSec EU 2008, Ghent 21-22nd May 2008'''
+
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]
[http://www.owasp.org/index.php/AppSecEU08_The_OWASP_ORIZON_project Orizon@AppSec EU 2008]
 
 
 
'''Owasp Orizon Internals @ Owasp Day Italy 2008, Rome 31st March 2008'''
 
[http://www.owasp.org/images/5/54/Owaspday2Perego.ppt Orizon@Owasp Day in Italy]
 
 
 
'''OWASP Orizon Project @ SMAU eAcademy, Milan 4-7th October 2006'''
 
I will talk to [http://www.webb.it SMAU eAcademy2006] next saturday 7th October 2006 about code review and safe coding. [http://webb.it/event/eventview/5772/1/0,0/code_review_e_principi_di_programmazione_sicura Here] you can find more informations in italian only by now.
 
Last part of the speech will be about introducing Orizon project, giving development roadmap
 
 
 
== 2.10.2006 ==
 
 
 
'''OWASP Orizon Project Created! - 09:24, 2 October 2006 (EDT)'''
 
 
 
The Open Web Application Security Project is proud to announce the OWASP Orizon Project!
 
 
 
== Feedback and Participation: ==
 
 
 
Orizon wants you
 
Of course, as opensource project, '''anyone''' is welcome tho join Orizon, and please do it.
 
If you are a C#, Java or ASP skilled developer and you want to share your experience with such languages feel free to use mailing list to contribute in Orizon supported languages.
 
 
 
If you are a Java skilled developer why don't you think about writing some bunch of codes for Orizon?
 
 
 
If you write quite well or, it's not so difficult, better than me, please think about joining the project for documentation, advertising, blog maintenance ...
 
 
 
We hope you find the OWASP Orizon Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to [email protected]. To join the OWASP Orizon Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-orizon subscription page.]
 
 
 
== Project Contributors ==
 
--[[User:Thesp0nge|thesp0nge]] 09:47, 2 October 2006 (EDT)
 
 
 
== Project Sponsor ==
 
 
 
 
 
[[Category:OWASP Project]]
 
[[Category:OWASP Tool]]
 
[[Category:OWASP Download]]
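Review bot: the added "|}" placed right after the added line "This is the layout of the knowledge inside orizon." has no matching "{|" in the new revision. The Classifications table opened with '{| width="200" cellpadding="2"' is already closed by its own "|}" a few lines earlier, and the only other table the new revision adds (the one under =Main= holding the Inactive banner) is closed with "|}" before ==OWASP Orizon Project==. MediaWiki emits an unmatched "|}" as literal text, so this stray close should be dropped. A documentation gap as well: the new == Quick Start == section contains only "See project GitHub home page", while the old revision's Download, Dawn and Bastion sections with their concrete release links are removed; a Quick Start should at least say how to obtain, build and run the scanner rather than defer entirely to the repository. Minor wording in the added News and Roadmap bullets: "Paolo Perego take back project leadership" should read "took back", and "milestones to be putted in roadmap" should read "put in the roadmap".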
 

Latest revision as of 15:15, 11 May 2017



OWASP Inactive Banner.jpg

OWASP Orizon Project

OWASP Orizon is a source code security scanner designed to spot vulnerabilities in J2EE web applications, Android code and, generally speaking, in source code written in Java.

Description

Owasp Orizon is a source code static analyzer tool designed to spot security issues in Java applications.

The Owasp Orizon mission is to provide an open-source tool that helps people review:

  • single Java classes
  • Java standalone tools packed in JAR files
  • web applications packed in EAR / WAR files
  • Android APK applications

It was a dark and stormy night in Milan, Italy. It was 2006 and I felt the need for something to help me review other people's Java source code. So Owasp Orizon was born and grew up as a security tool trying to parse Java source code, build an Abstract Syntax Tree and spot unsafe calls in the code.

In the very beginning Owasp Orizon was a sort of enhanced grep tool. In 2008, I started supporting the PHP programming language, but the initial boost disappeared. After being in love with other programming languages and technologies, eight years later, in 2017, I kickstarted the project again from scratch.

Licensing

OWASP Orizon is an opensource tool. It is licensed under the Apache 2 License.

Quick Start

See the project's GitHub home page.

Project Resources

Blog

Code | Binaries

Issue Tracker

Project Leader

Paolo Perego
email | twitter | blog

News and Events

  • [Spring 2017] - Owasp Orizon kickstart session
  • [13 September 2016] - Paolo Perego took back project leadership, kickstarting Owasp Orizon again.
  • [February, 2014] - Greg Disney-Leugers adopted the OWASP Orizon project.
  • [November 2009] - we started moving from the current release to the next major version bump (v2.0), which will happen in June 2010 during the OWASP AppSec conference in Stockholm.

Roadmap and Getting Involved

The Owasp Orizon kickstart is scheduled during the upcoming Owasp Summit 2017.

Some intended milestones for the roadmap are:

  • Spring 2017 - Defining the team and overall goals
  • Autumn 2017 - First alpha release
  • Winter 2017 - Second alpha release
  • January 2018 - First beta


Classifications

[Classification badges: OWASP Incubator Project, OWASP Builders, OWASP Defenders, Creative Commons BY-SA, Project Type: Tool]






PROJECT IDENTIFICATION

Project Name: OWASP Orizon Project

Short Project Description: This project was born in 2006 to provide a framework for all OWASP projects developing code review services. The project is in a fairly stable stage and is usable for Java static code review and some dynamic tests against XSS. Owasp Orizon also includes APIs for code crawling, usable by code crawling tools.

Key Project Information:
  • Project Leader: Paolo Perego
  • Project Contributors: See here
  • Mailing list: Subscribe here / Use here
  • License: Creative Commons Attribution Share Alike 3.0
  • Project Type: Tool
  • Sponsor: OWASP SoC 08

Release Status: Beta Quality (please see here for complete information).

Main Links:
  • The Owasp Orizon Project in Power Point
  • Orizon Safe coding and beyond - Word File
  • Orizon 1.19 - The Latest Release
  • Orizon internal draft
  • Orizon site at sourceforge
  • Orizon blog

Related Projects: OWASP Code Review Guide

