How can I participate in your project?

All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

Contributors

The OWASP Secure Software Development Lifecycle Project is developed by a worldwide team of volunteers. A live update of project contributors is found here.

The first contributors to the project were:

• RIP (Sub-project Owner)
• Silver Zhang(Sub-project Owner)
• Kevin (Sub-project Owner)
• Xia Tianze (Sub-project Owner)
• Yu Kan(Sub-project Owner)
• Lance Li (Sub-project Owner)
• Bao Yuezhong (Participant)
• Ricky Xu (Participant)
• Wang Jie (Participant)

Base on the current estimation, the roadmap of the OWASP Secure Software Development Life Cycle Project is below:

Involvement in the development and promotion of the OWASP Secure Software Development Lifecycle Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

• Helping find references to some of the principles.
• Project administration support.
• Wiki editing support.
• Writing support for the book.

This Page includes S-SDLC releated stuffs. Categorized as a.)Tools b.) Libraries c.)Technical Docs

Tools

• OpenRASP

OpenRASP is an open-source, free and self-adapting security tool made for OWASP S-SDLC Security Deployment & SecDevOps phase.

It can provide functions like threat detection, data stream monitor, quick-response to production by the deep integration of its protection engine.

Unlike other perimeter control solutions like WAF, OpenRASP directly integrates its protection engine into the application server by instrumentation. It can monitor various events including database queries, file operations and network requests etc.

When an attack happens, WAF matches the malicious request with its signatures and blocks it. OpenRASP takes a different approach by hooking sensitive functions and examines/blocks the inputs fed into them. As a result, this examination is context-aware and in-place. It brings in the following benefits:

1. Only successful attacks can trigger alarms, resulting in lower false positive and higher detection rate;

2. Detailed stack trace is logged, which makes the forensic analysis easier;

3. Insusceptible to malformed protocol.

OpenRASP FAQ

1. List of supported web applicationBelow table shows the recent updates of the project.Below tables shows recent updates. servers

Only Java based web application servers are supported for now. The support of other web application servers will also be soon included in the coming releases.

OpenRASP on the following application servers for both Linux and Windows platforms has been tested.

• Tomcat 6-8
• JBoss 4.X
• WebLogic 11/12

2. Performance impact on application servers

Multiple intense and long-lasting stress tests has been taken. Even in the worst-case scenario (where the hook point got continuously triggered) the server’s performance was only reduced by 10%

3. Integration with existing SIEM or SOC

OpenRASP logs alarms in JSON format, which can be easily picked up by LogStash, rsyslog or Flume.

4. How to develop a new plugin?

A plugin receives a callback when an event occurs. It then determines if the current behavior is malicious or not and blocks the associated request if necessary.

Detailed documents available on github.

Libraries

To be added.

Technical Docs

To be added.