OWASP Summer of Code 2008 Applications

This page contains project Applications to the OWASP Summer Of Code 2008

= A few notes = ''' = Applications - {Fill in below} =
 * If you want to apply for a SoC 2008 sponsorship you HAVE TO USE THIS PAGE for your application.
 * See How To Participate for what to do once you completed your Application.
 * Please remember that projects will be selected and funded based on how well they meet the Selection Criteria.
 * Please see AoC 06 and SpoC 07 for examples of Applications.
 * '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include this information in your proposal.

The Application Security Desk Reference - ASDR

 * Leonardo Cavallari Militelli,
 * ASDR Table of Contents

OWASP Code review guide, V1.1
Code Review Guide Proposal:
 * Eoin Keary,

Introduction:The code review guide is currently at version RC 2.0 and the second best selling OWASP book. I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.

It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project.

The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

Proposal: I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.

Additional and expanded Chapters:

Transactional analysis Expand chapter. Examples via diagrams. Threat Modeling and Analysis The approach to examining an application to be reviewed. Focusing on areas of interest.

Example reports and how to write one How to determine the risk level of a finding.

Automated code review Code crawler documentation and usage.

Rich Internet Applications Expanded chapters on Flash, Ajax.

The OWASP ESAPI (Enterprise Security API) What it is, Why use it. What to review.

Code review Metrics: How to compile, use and analyse metrics. Rolling out metrics in the Enterprise.

Integrating Code review with an existing SDLC Integration of Secure Code review with an existing SDLC. Secure Code review roadmap definition. Documentation requirements. Scope definition. SDLC steering comittee establishment. Performace criteria, benchmarks and metrics. Integration of SDLC results into key IT governance areas. Critical success factors.

The OWASP Testing Guide v3
Now it's time to begin a new project that is based on v2 but improve it and complete it.
 * Matteo Meucci
 * The OWASP Testing Guide v2 was a great success, with thousand downloads and many many Companies that have adopted it as standard for a Web Application Penetration Testing.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

* Information Gathering * Business logic testing * Authentication Testing * Session Management Testing * Data Validation Testing * Denial of Service Testing * Web Services Testing * AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category. 2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode analysis 3) Infrastructural test --> new category 4) Web Services section needs improvement 5) AJAX Testing section needs improvement 6) New category: Client side Testing. AJAX and Flash Testing


 * This document analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

Code Crawler
This tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution. Key areas of improvement: Reporting HTML Plain-Text
 * Alessio Marziali
 * Description:

Scanning Multiple File scanned at the same time Open Visual Studio Solutions and so scan all the files within the solution. Simple open multiple file

build a bigger database which will provide more information about the threats such vulnerability type (XSS,SQL Injection, Remote File Inclusion etc). Threats A feature that will let you save the threats for each project/document, so the reviewer can check how the development is going from a “security prospective” during the entire software lifecycle.

Improvement of the code scan system.

The Owasp Orizon Project

 * Paolo Perego (aka thesp0nge),
 * The Owasp Orizon Project,

Introduction

The Owasp Orizon Project born in 2006 in order to provide a framework to all Owasp projects developing code review services.

The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS. Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

Milk project is a java code review tool I'm writing using Orizon as background engine. Its goal is to show engine capabilities.

Objectives and deliverables


 * plugin architecture for static code review library: this planned feature will be announced (hopefully, if my CFP will be accepted) to next Owasp European App conf.
 * starting C# support
 * upgrade from Alpha quality project to Beta quality project in accord to Owasp Project Assessment criteria

Why I should be sponsored for the project

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

In the last year Owasp Orizon evolved a lot with a good static code review engine and a lot of code was written to give Owasp guys the best framework as possible to be used for writing code review tools. I hope to pursuit my goals again with SoC 2008.

Skavenger

 * Matthias Rohr

Introduction

Skavenger is a web application security assessment toolkit which arised from many years of professional experience in the web application assessment field and is the result of nearly one your of work.

It passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeader plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, an insecure session management and several kinds of information disclosure). Skavenger's modular design allows the integration of custom scanning modules without any knowledge about the tool at all.

Skavenger is completely written in Perl and can be downloaded from: https://sourceforge.net/projects/skavenger/

Objectives and deliverables

Here are some ideas:
 * A GUI to monitor and analyze scanning results
 * More sophisticated scanner modules (e.g. for better backend identification and more platform specific tests)
 * Database integration
 * API's to integrate modules in other languages (such as Python or Java).
 * Better source integration with custom Firefox, Burp or (of course) WebScarab plugins

SoC 08 Application X

 * First name or Alias,
 * Project name,
 * X
 * Y