OWASP Spring Of Code 2007 Applications

This page contains project Applications to the OWASP_Spring_Of_Code_2007

If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application

See OWASP_Spring_Of_Code_2007 for what do to one you completed your Application

-

Proposed template: {for longer proposals, in addition to these details you can create a PDF}:

{Your first name or Alias} - {Project name}
Please remember that projects will be selected and funded based on how well they meet the Selection Criteria.

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.


 * Your educational and professional background


 * Application security experience and accomplishments


 * Participation and leadership in open communities


 * The opportunity, challenges, issues or need your proposal addresses


 * Objectives or ways in which you will meet the goal(s)


 * Specific activities and who will carry out these activities


 * Specific deliverables and a rough project schedule so we can track progress


 * Long-term vision for the project


 * Any other reasons why you and your project should be selected

Eoin Keary - Code review Project
I am proposing that I complete the OWASP Code review guide during this period. The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.
 * Executive Summary:

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world. Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices. The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done. Code review methodologies also need to be discussed.


 * Objectives and Deliverables:

Update of the code review guide:
 * Add additional areas relating to the code review process such as:
 * Benefits and pitfalls
 * Methodology
 * The code review process
 * Transactional analysis
 * Managing the code review process
 * Assigning risk to findings


 * Technical guides
 * Language specific best practice
 * Java
 * .NET
 * PHP
 * MySQL
 * Stored Procs
 * C/C++


 * Code review by vulnerability:
 * Reviewing Code for Buffer Overruns and Overflows
 * Reviewing Code for OS Injection
 * Reviewing Code for SQL Injection
 * Reviewing Code for Data Validation
 * Reviewing code for XSS issues
 * Reviewing Code for Error Handling
 * Reviewing Code for Logging Issues
 * Reviewing The Secure Code Environment
 * Reviewing code for Authorization Issues
 * Reviewing code for Authentication Issues
 * Reviewing code for Session Integrity
 * Reviewing code for Cross Site Request Forgery
 * Reviewing code for Cryptography implementation issues
 * Reviewing code Dangerous HTTP Methods (Deployment)
 * Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.


 * Why I should be sponsored for the project:

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process. I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time. I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

Paolo Perego - Owasp Orizon Project
Owasp Orizon Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.
 * Executive Summary:

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

Completing the static code review API section Writing the java source code enforment objects
 * Objectives and Deliverables:
 * improving programming language to XML translator
 * improving security best practices code review scan library
 * improving secure coding fashion best practices library
 * writing the pattern matching scan using the aformentioned libraries
 * writing an object to handle form data values to avoid XSS
 * writing an object to handle form data values to avoid SQL Injection
 * writing an object to handle HttpRequest and HttpSession objects

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.
 * Why I should be sponsored for the project:

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

Sebastien Deleersnyder - OWASP Education Project
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.
 * Executive Summary:

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

Currently the project goals are to create Educational Tracks:
 * Objectives and Deliverables:
 * Complete the consolidation page of OWASP presentations performed in the past
 * A "Web Application Security Primer" Track for beginners (4 hours)
 * A "What developers should know on Web Application Security" Track for developers (4 hours)

I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.
 * Why you should be sponsored for the project:

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

The detailed road map can be found here. The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.
 * More details: