Category:OWASP Orizon Project

Overview
The quest for secure code is what all developers want (I hope so) to achieve. Software must be reliable. Software must be strong. Software must be secure.

How much my software has to be secure? The correct answer is hard to find. But security is a problem that even a development team must take care for. Must be a skilled developer also a security guru? Don't know, not necessarly. But it's important that someone give him the tools to merge security know how to his development skills, and so our quest for secure code starts...

Orizon borns with the aim to provide a common ground to safe coding and code review methodologies applied to software. By now Orizon is still a bunch of ideas and few lines of code. In a year I hope Orizon will be the common engine in which security code review related tools are built upon

Orizon must give thanks di LAPSE Project (that you may find between OWASP Projects) RATS, Flawfinder for ideas and inspiration.

Orizon page at sourceforge is this.

Download
By now all the code is in subversion repository hosted at sourceforge.net.

Last development release is: 0.49 Build 465 A first internal architecture document is available at sourceforge.net for download. This is the first document I'm reviewing by now (thanks to Zeb and Prashant for the feedbacks). Check it out and send me a note about your opinion... my English grammar is bad so a English language review is still appreciated.

Dawn
In September 2007, while hacking around release 0.50, I decided to introduce dynamic code review facilities, just for Java language by now. Looking for a name of this Orizon's piece of code, I choosed dawn.

I think this will be the most cutting edge technology inside Orizon. It will help developers to raise from a buggy and unsafe code into an hardened one... so that's because of the name dawn for all related to dynamic code review.

Dawn is contained in Orizon since release 0.45pre1.

Bastion
Sometimes around March 2007, looking to the results in tell people how good would be reviewing their code for security issues, I realized that a quick workaround has to be provided for whom scared about a full code review activity or simply for whom who want to have a quick fix meanwhile the security review has been completed.

For such a reason I realized a parallel project, called Bastion, in order to provide to Java developers, classes that embed security checks in their core in order to have a quick fix without changing so much in the code.

Please, let me explain, that this won't substitute a security code review at all. Bastion would give a primer help meanwhile effort has been spent over source code to leverage security branches.

Starting from Orizon v0.25, Bastion is a separated JAR file. Latest Bastion version is: 0.42 Build 193

I realized also a very simple web application that shows how to use bastion in order to fix a very dummy Cross Site Scripting attack with a single line of code changed. The WAR file containing the aforementioned web application could be found here

The base url is setted up to bastion_test, so after starting up your preferred application server, run your browser to http://url/bastion_test and follow the instructions.

The application is built against a very old orizon version, indeed bastion was still contained inside orizon. Since my latest work is related to Orizon APIs, Bastion code is the same from April to nowadays.

A few words need to be spent here. I'm not reinventing the wheel. The Web is full of library sanitizing source code trying to mitigate an attack over a web application. Bastion is just my small contribute to the community, I really hope you'll appreciate this.

Blog
Available to web surfers there are two blogs, updated by me with in topic issues. The main Orizon blog where all posts are orizon and bastion related and my own blog where both security related than personal consideration was merged.

Future Development
This is the updated project RoadMap. I was too optimistic in my first roadmap draft. This is a more realistic timeline... Oct 2006 - PoC code will be showed at SMAU - eAcademy 2006. No features. No XML written tests. Just a Proof of Concept introducing Orizon.

30th Nov 2006 - Orizon design phase. Before start coding like a rolling stone, a good design phase must be completed. Documents to be released in this phase are:
 * "orizon architecture": this document will explain how Orizon has to be built, the modules and how they interact
 * "writing orizon test": this document will explain how to write an XML document describing a security check and how integrate it in Orizon
 * "orizon coding guideline": this document draw some basics about coding standard to be used inside the project

Jul 2007 v0.50 - Orizon API consolidation must be completed for static code review analisys and JavaDOC has to be generated. Here there will be a freeze in API subversion trunk and development will be focused over dynamic analysis.

Oct 2007 v1.00 - First major release: Orizon must be fully usable for writing security tools supporting Java and maybe C, languages natively. Starting by now Orizon supported languages will grown up as well the security tests implemented.

News
Blogs and translation Orizon has got its own blog and that will be the news dispatcher for all of you orizon aficionados. I'm really late in our roadmap... btw I've to change something accordingly. Design phase finished In my Moleskine, release 1 of Orizon Architecture documentation has been completed. In few days an electronic version of the document will be available in english language. Design phase has begun I started working on documentation. Please consider joining orizon mailing list and contributing to project. OWASP Orizon Project @ SMAU eAcademy, Milan 4-7th October 2006 I will talk to SMAU eAcademy2006 next saturday 7th October 2006 about code review and safe coding. Here you can find more informations in italian only by now. Last part of the speech will be about introducing Orizon project, giving development roadmap

'''OWASP Orizon Project Created! - 09:24, 2 October 2006 (EDT)'''

The Open Web Application Security Project is proud to announce the OWASP Orizon Project!

Feedback and Participation:
Orizon wants you Of course, as opensource project, anyone is welcome tho join Orizon, and please do it. If you are a C#, Java or ASP skilled developer and you want to share your experience with such languages feel free to use mailing list to contribute in Orizon supported languages.

If you are a Java skilled developer why don't you think about writing some bunch of codes for Orizon?

If you write quite well or, it's not so difficult, better than me, please think about joining the project for documentation, advertising, blog maintenance ...

We hope you find the OWASP Orizon Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Orizon Project mailing list or view the archives, please visit the subscription page.

Project Contributors
--thesp0nge 09:47, 2 October 2006 (EDT)