This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Project Information:template Teachable Static Analysis Workbench

From OWASP
Revision as of 14:37, 15 June 2008 by Pauloc (talk | contribs) (New page: {| style="width:100%" border="0" align="center" ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT IDENTIFICATION''' |- | style="width:...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
PROJECT IDENTIFICATION
Project Name OWASP Teachable Static Analysis Workbench Project
Short Project Description The research will be intended to answer the following questions:
  • Can we integrate existing open source static analysis tools (OWASP and third-party) to work altogether? We plan analysis to cover the following tools: LAPSE, Orizon, ESAPI, FindBugs.
  • How static analysis workbench can be taught by security analyst?
  • How static analysis workbench can support web-applications built using MVC frameworks?

Workbench prototype will be Java-based Eclipse plug-in which aim is to help security analyst/code reviewer validation of web application. At prototype step we suggest to analyze J2EE Web tier applications build on Java Servlets, JSP (without business logic in it) and one MVC framework (Apache Struts). We plan workbench prototype to have the following functionality:

  • Input validation vulnerabilities analysis: identification of web application entry points (aka attack surface in P024), call graph for each entry point (see “Packages -> Classes -> Methods -> callsites” in P023), identification of data validation routines, teachable taint analysis.
  • Authentification and access control analysis: identification of code related to access control and it’s analysis.
  • Pattern-based code analysis.
  • Teachability: analyst indicates security-related code (sources of tainted data, sensitive sinks, input validation and sanitizing functions, access control code, etc.) and workbench automatically recomputes possible vulnerabilities list. The second idea is to spread knowledge gathered from analyst to other web applications.
Email Contacts Project Leader
Dmitry Kozlov
Igor Konnov Email Address?
Project Contributors
(if applicable)
Name&Email
Project Mailing List First Reviewer
Alex Fry
(TBC)
Second Reviewer
Name
OWASP Board Member
(if applicable)
Name&Email
PROJECT MAIN LINKS
  • (If appropriate, links to be added)
SPONSORS & GUIDELINES
Sponsor - OWASP Summer of Code 2008 Sponsored Project/Guidelines/Roadmap
ASSESSMENT AND REVIEW PROCESS
Review/Reviewer Author's Self Evaluation
(applicable for Alpha Quality & further)
First Reviewer
(applicable for Alpha Quality & further)
Second Reviewer
(applicable for Beta Quality & further)
OWASP Board Member
(applicable just for Release Quality)
50% Review Objectives & Deliveries reached?
Yes/No (To update)
---------
See&Edit:50% Review/Self-Evaluation (A)
Objectives & Deliveries reached?
Yes/No (To update)
---------
See&Edit: 50% Review/1st Reviewer (C)
Objectives & Deliveries reached?
Yes/No (To update)
---------
See&Edit: 50%Review/2nd Reviewer (E)
X
Final Review Objectives & Deliveries reached?
Yes/No (To update)
---------
Which status has been reached?
Season of Code - (To update)
---------
See&Edit: Final Review/SelfEvaluation (B)
Objectives & Deliveries reached?
Yes/No (To update)
---------
Which status has been reached?
Season of Code - (To update)
---------
See&Edit: Final Review/1st Reviewer (D)
Objectives & Deliveries reached?
Yes/No (To update)
---------
Which status has been reached?
Season of Code - (To update)
---------
See&Edit: Final Review/2nd Reviewer (F)
X