This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "SpoC 007 - Inspekt"
| Line 1: | Line 1: | ||
''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]''' | ''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]''' | ||
| + | |||
| + | |||
| + | '''AoC Candidate''': EdFinkler | ||
| + | |||
| + | '''Project coordinator''': Dinis Cruz | ||
| + | |||
| + | '''Project Progress''': 0% Complete, [[SpoC 007 - Inspekt: Input filtering and validation library for PHP - Progress Page|Progress Page]] | ||
| + | |||
| + | == EdFinkler - Inspekt: Input filtering and validation library for PHP == | ||
| + | |||
| + | |||
| + | === About Me === | ||
| + | |||
| + | I received a Bachelor's Degree in English from Indiana University in 1997. I've been a web developer since 1996, and a PHP developer since 1999. I worked for four years as Supervisor of Web Development at Golden Dome Media, and have spent my last six years as Web and Security Archive Administrator for CERIAS, the [http://www.cerias.purdue.edu Center for Education and Research in Information Assurance and Security], at Purdue University. | ||
| + | |||
| + | I am a member of the [http://phpsec.org PHP Security Consortium], and creator/project lead on PHPSecInfo, a [http://phpsecinfo.com PHP environment security auditing tool]. I regularly speak on web application security issues, and am an advocate of secure programming practices via CERIAS and as a member of the PHP and larger web development community. | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | === Objectives and Deliverables === | ||
| + | |||
| + | Completing the static code review API section: | ||
| + | * improving programming language to XML translator | ||
| + | * improving security best practices code review scan library | ||
| + | * improving secure coding fashion best practices library | ||
| + | * writing the pattern matching scan using the aformentioned libraries | ||
| + | |||
| + | Writing the java source code enforment objects | ||
| + | * writing an object to handle form data values to avoid XSS | ||
| + | * writing an object to handle form data values to avoid SQL Injection | ||
| + | * writing an object to handle HttpRequest and HttpSession objects | ||
| + | |||
| + | === Why I should be sponsored for the project === | ||
| + | |||
| + | Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices. | ||
| + | |||
| + | I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind. | ||
| + | |||
| + | I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with. | ||
| + | |||
| + | |||
| + | '''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]''' | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
Most info about Inspekt, including usage docs and '''downloads''', is available at [http://code.google.com/p/inspekt/ the Inspekt Google Code page]. | Most info about Inspekt, including usage docs and '''downloads''', is available at [http://code.google.com/p/inspekt/ the Inspekt Google Code page]. | ||
Revision as of 12:03, 14 July 2007
'Back to SpoC 007 Selection page
AoC Candidate: EdFinkler
Project coordinator: Dinis Cruz
Project Progress: 0% Complete, Progress Page
EdFinkler - Inspekt: Input filtering and validation library for PHP
About Me
I received a Bachelor's Degree in English from Indiana University in 1997. I've been a web developer since 1996, and a PHP developer since 1999. I worked for four years as Supervisor of Web Development at Golden Dome Media, and have spent my last six years as Web and Security Archive Administrator for CERIAS, the Center for Education and Research in Information Assurance and Security, at Purdue University.
I am a member of the PHP Security Consortium, and creator/project lead on PHPSecInfo, a PHP environment security auditing tool. I regularly speak on web application security issues, and am an advocate of secure programming practices via CERIAS and as a member of the PHP and larger web development community.
Objectives and Deliverables
Completing the static code review API section:
- improving programming language to XML translator
- improving security best practices code review scan library
- improving secure coding fashion best practices library
- writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
- writing an object to handle form data values to avoid XSS
- writing an object to handle form data values to avoid SQL Injection
- writing an object to handle HttpRequest and HttpSession objects
Why I should be sponsored for the project
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.
I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.
I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.
Back to SpoC 007 Selection page
Most info about Inspekt, including usage docs and downloads, is available at the Inspekt Google Code page.
Milestones
- (Completed) Untethering the Zend_Filter_Input code from the Zend Framework
- (Completed) Rewriting PHP5-specific portions to work in PHP4
- (Completed) Development of approach to address scoping issues (a big plus of the $_* superglobals is that they are always available in all scopes automatically)
- (Completed) Initial release of code (continues throughout at appropriate points)
- (Completed) Addition of a variety of "helper" methods to make filtered input object creation and interaction easier
- Addition of automatic input "restriction" filters
- Addition of input filtering system configuration via external config files
- (Completed) Full API doc generated from phpDoc-style documentation
- (25%) Detailed usage documentation, including examples of bootstrapping and methods of integration with various frameworks. Example source code included.
- PEAR channel for packaged distribution
Ongoing Work
- Advocacy. PR via interviews and news items about releases; writing articles demonstrating the system for various sources; presentations via the web and at major PHP conferences.
- Work with major PHP app devs and framework devs to integrate the system -- or encourage the development of similar approaches -- within their projects.
