This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Spring Of Code 2007 Applications"
Dinis.cruz (talk | contribs) (New page: This page contains project Applications to the OWASP_Spring_Of_Code_2007 '''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application''' See [[OW...) |
(→{Your first name or Alias} - {Project name}) |
||
| Line 15: | Line 15: | ||
* '''Why you should be sponsored for the project''': ... | * '''Why you should be sponsored for the project''': ... | ||
* '''More details''': ... | * '''More details''': ... | ||
| + | |||
| + | == Eoin Keary - Code review Project == | ||
| + | * '''Executive Summary''': | ||
| + | I am proposing that I complete the OWASP Code review guide during this period. | ||
| + | The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners. | ||
| + | |||
| + | I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain. | ||
| + | |||
| + | There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world. | ||
| + | Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices. | ||
| + | |||
| + | The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done. | ||
| + | Code review methodologies also need to be discussed. | ||
| + | |||
| + | |||
| + | * '''Objectives and Deliverables''': | ||
| + | |||
| + | Update of the code review guide: | ||
| + | * Add additional areas relating to the code review process such as: | ||
| + | ** Benefits and pitfalls | ||
| + | ** Methodology | ||
| + | ** The code review process | ||
| + | *** Transactional analysis | ||
| + | *** Managing the code review process | ||
| + | *** Assigning risk to findings | ||
| + | |||
| + | ** Technical guides | ||
| + | *** Language specific best practice | ||
| + | *** Java | ||
| + | *** .NET | ||
| + | *** PHP | ||
| + | *** MySQL | ||
| + | *** Stored Procs | ||
| + | *** C/C++ | ||
| + | |||
| + | ** Code review by vulnerability: | ||
| + | *** Reviewing Code for Buffer Overruns and Overflows | ||
| + | *** Reviewing Code for OS Injection | ||
| + | *** Reviewing Code for SQL Injection | ||
| + | *** Reviewing Code for Data Validation | ||
| + | *** Reviewing code for XSS issues | ||
| + | *** Reviewing Code for Error Handling | ||
| + | *** Reviewing Code for Logging Issues | ||
| + | *** Reviewing The Secure Code Environment | ||
| + | *** Reviewing code for Authorization Issues | ||
| + | *** Reviewing code for Authentication Issues | ||
| + | *** Reviewing code for Session Integrity | ||
| + | *** Reviewing code for Cross Site Request Forgery | ||
| + | *** Reviewing code for Cryptography implementation issues | ||
| + | *** Reviewing code Dangerous HTTP Methods (Deployment) | ||
| + | *** Race Conditions | ||
| + | |||
| + | The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix. | ||
| + | |||
| + | |||
| + | |||
| + | * '''Why I should be sponsored for the project''': | ||
| + | |||
| + | I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process. | ||
| + | I also was the lead of the Testing guide until V2 was published via the Autumn of Code. | ||
| + | |||
| + | I have always delivered any work I have volunteered for on time. | ||
| + | |||
| + | I have been involved in OWASP projects for 2/3 years now and have always been an active contributor. | ||
Revision as of 12:22, 14 March 2007
This page contains project Applications to the OWASP_Spring_Of_Code_2007
If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application
See OWASP_Spring_Of_Code_2007#How_To_Participate for what do to one you completed your Application
Proposed template: {for longer proposals, in addition to these details you can create a PDF}:
{Your first name or Alias} - {Project name}
- Executive Summary: ...
- Objectives and Deliverables: ...
- Why you should be sponsored for the project: ...
- More details: ...
Eoin Keary - Code review Project
- Executive Summary:
I am proposing that I complete the OWASP Code review guide during this period. The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.
I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.
There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world. Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.
The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done. Code review methodologies also need to be discussed.
- Objectives and Deliverables:
Update of the code review guide:
- Add additional areas relating to the code review process such as:
- Benefits and pitfalls
- Methodology
- The code review process
- Transactional analysis
- Managing the code review process
- Assigning risk to findings
- Technical guides
- Language specific best practice
- Java
- .NET
- PHP
- MySQL
- Stored Procs
- C/C++
- Technical guides
- Code review by vulnerability:
- Reviewing Code for Buffer Overruns and Overflows
- Reviewing Code for OS Injection
- Reviewing Code for SQL Injection
- Reviewing Code for Data Validation
- Reviewing code for XSS issues
- Reviewing Code for Error Handling
- Reviewing Code for Logging Issues
- Reviewing The Secure Code Environment
- Reviewing code for Authorization Issues
- Reviewing code for Authentication Issues
- Reviewing code for Session Integrity
- Reviewing code for Cross Site Request Forgery
- Reviewing code for Cryptography implementation issues
- Reviewing code Dangerous HTTP Methods (Deployment)
- Race Conditions
- Code review by vulnerability:
The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.
- Why I should be sponsored for the project:
I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process. I also was the lead of the Testing guide until V2 was published via the Autumn of Code.
I have always delivered any work I have volunteered for on time.
I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.
