
Category:OWASP SASAP Project

Revision as of 14:26, 8 September 2009 by Paulo Coimbra (talk | contribs)


This Project has been identified as an orphaned one. If you find interest in assuming its lead, please contact the Global Projects Committee.


Overview

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused on the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats to their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adoption of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements into the academic course curriculum. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http://www.owasp.org. The assessment, led by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application. This project contributes towards bridging the gap between academia and industry by equipping students with hands-on, job-market-ready skills in the application software security industry.

Project Lead(s)

The OWASP Scholastic Application Security Assessment Project is co-led by Eric Sheridan and Goran Trajkovski, PhD.

Participants

The Scholastic Application Security Assessment Project requires that college-level students, led by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

  • Application Security Professional – Eric Sheridan, Aspect Security
  • Towson University (TU) Partner – Dr. Goran Trajkovski, Towson University
  • Students – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
  • Web Application – The Open WebMail Project

OWASP Utilization

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

  • OWASP Top Ten 2004/2007 – The security-critical areas that the students will assess in the review
  • OWASP Testing Guide v2 – The primary resource for building penetration testing cases
  • OWASP Guide – The primary resource for technical details pertaining to a technology and/or vulnerability
  • OWASP WebScarab – The primary proxy utility used throughout the assessment

The Final Report

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

Completed Reports

  • Click here to download the entire SPoC 2007 assessment report of the Open WebMail application!

How does OWASP Benefit?

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

The OWASP Community…

  • will be provided with a case study proving that the resources available at OWASP can be utilized in an academic environment, which can later be used in advertising the OWASP efforts to programs similar to the one at TU.
  • will be providing students with hands-on experience in learning about and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
  • will be addressing the need to educate developers in the security-critical areas.
  • will be seen as offering a professional-level service to another open source project.
  • will be addressing one of the root causes of application software insecurity.

Open WebMail Assessment Progress – 100%

  • Student Training and Preparation, Day 1 - complete
  • Student Training and Preparation, Day 2 - complete
  • Student Training and Preparation, Day 3 - complete
  • Application Security Assessment Execution, 6 weeks - complete
  • Student Application Security Finding Write-ups, 2 weeks - complete
  • Draft Report - complete
  • Open WebMail Notification - complete
  • Final Report - complete

Feedback and Participation

We hope you find this project useful. Please contribute back to the project by writing your comments, questions, and suggestions on the OWASP SASAP talk page. Thanks!

Donations

The Open Web Application Security Project is purely an open-source, community-driven effort. As such, all projects and research efforts are contributed and maintained in individuals' spare time. If you have found this or any other project useful, please support OWASP with a donation.

Project Sponsors

The OWASP SASAP project is sponsored by the OWASP Spring of Code 2007.

Project Identification

  • Project name – OWASP Scholastic Application Security Assessment Project (SASAP)
  • Past leaders / special contributions – Eric Sheridan, Goran Trajkovski
  • Current release name – First Release
  • Last GPC update – 5/10/2009
  • GPC notes – Empty, linked
  • Project home page – Category:OWASP_SASAP_Project
  • Project details wiki page – GPC_Project_Details/OWASP_Scholastic_Application_Security_Assessment_Project

(All other project identification fields in the wiki template are empty.)
