
Difference between revisions of "Category:OWASP Open Review Project"

(Get involved)
(Open review process)
Line 25: Line 25:
 
The high level process is as follows:
 
The high level process is as follows:
 
* Proposal
 
* Proposal
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead
+
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead.  The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
* Entry criteria
+
* Team Development
** Project lead checks entry criteria for open source projects
+
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
* Team
 
** Project lead assigns review project lead
 
** Review project lead assign team of reviewers
 
 
* Review
 
* Review
** Review project is managed by Review project leader
+
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis.  Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation.
** Progress reports are published
+
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
** Communication with developer project
+
** Either reviewers or the open source project leaders responsibly disclose the identified security issues
** Responsible disclosure of bugs/defects
+
 
 +
 
 +
The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.
  
 
== News ==
 
== News ==
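
Review bot: the added Proposal line still carries the misspelling "projets" from the old revision; correct it to "projects" while the sentence is being rewritten. The revised Review items also drop the old "Progress reports are published" step without a replacement, so either restore it or say where review progress will be reported. The entry criteria are now described only by a single example (the project team "should be in a position to remediate security defects"); listing the criteria, or linking to them, would let a proposing project check itself before submitting.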

Revision as of 13:20, 12 September 2008


PROJECT IDENTIFICATION

Project Name: OWASP Open Review Project (ORPRO)
Short Project Description: The OWASP Open Review Project (ORPRO) is a project to openly check open source libraries and software that are vital to most commercial and non-commercial apps around.
Email Contacts:
  • Project Leaders: Mario de Boer, Dan Cornell
  • Project Contributors (if applicable): Name&Email
  • Mailing List/subscribe
  • Mailing List/Use
  • First Reviewer: Name
  • Second Reviewer: Name
  • OWASP Board Member (if applicable): Name&Email

PROJECT MAIN LINKS
  • (If appropriate, links to be added)
SPONSORS & GUIDELINES
Fortify Software Guidelines/Roadmap

ASSESSMENT AND REVIEW PROCESS

First Review:
  • Author's Self Evaluation (applicable for Alpha Quality & further)
    • Objectives & Deliveries reached? Not yet (To update)
    • Which status has been reached? Alpha Status - (To update)
    • See&Edit: First Review/SelfEvaluation (A)
  • First Reviewer (applicable for Alpha Quality & further)
    • Objectives & Deliveries reached? Not yet (To update)
    • Which status has been reached? Alpha Status - (To update)
    • See&Edit: First Review/1st Reviewer (B)
  • Second Reviewer (applicable for Beta Quality & further)
    • Objectives & Deliveries reached? Yes/No (To update)
    • Which status has been reached? Alpha Status - (To update)
    • See&Edit: First Review/2nd Reviewer (C)
  • OWASP Board Member (applicable just for Release Quality)
    • Objectives & Deliveries reached? Yes/No (To update)
    • Which status has been reached? Alpha Status - (To update)
    • See/Edit: First Review/Board Member (D)

Overview

We are surrounded by open source software. Beyond the open source software all of us use directly, many commercial applications also contain open source libraries. Think of server and desktop software, but don't forget routers, cars and phones: open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provide facilities for both automated and manual review of open source applications and libraries, starting with OWASP projects but also serving all of the open source world.

Fortify Software has made their Source Code Analyzer (SCA) technology available to open source projects at owasp.fortify.com.

Project Goals

  • Provide an independent security review of open source projects, with a record of what has been reviewed and by whom, in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc.
  • Provide resources to the community to centrally manage the review of open source projects
  • Engage in responsible disclosure of any security vulnerabilities discovered

Project Planning

  • Settle overlap between OWASP projects: August 2008 (completed)
  • Initial tool selection and implementation: September 2008 (completed)
  • Roll out automated review capabilities for a limited set of projects: September 2008
  • First reviews: October 2008

Open review process

The high level process is as follows:

  • Proposal
    • Proposals for open source projects to be reviewed can be sent to the ORPRO project lead. The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
  • Team Development
    • The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
  • Review
    • Assuming the project uses a platform supported by owasp.fortify.com, the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation.
    • Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
    • Either reviewers or the open source project leaders responsibly disclose the identified security issues.

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.

News

  • 5 June 2008 OWASP ORPRO launched
  • 12 September 2008 owasp.fortify.com made available as a public beta for automated source code review of open source projects

Get involved

Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc. who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [email protected].

People

Project leads: Mario de Boer, Dan Cornell.

Contributors: Fortify Software has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at owasp.fortify.com.
