Category:OWASP Open Review Project


Overview
We are surrounded by open source software. Beyond the open source software all of us use directly, many commercial applications also contain open source libraries. Think of server and desktop software, but don't forget routers, cars and phones: open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. The goal is to provide facilities for both automated and manual review of open source applications and libraries.

Fortify Software has made their Source Code Analyzer (SCA) technology available to open source projects at owasp.fortify.com. See the owasp.fortify.com FAQ for more information.

Project Goals

 * Provide an independent security review of open source projects, with a record of what has been reviewed and by whom, in order to best communicate the security state of the open source projects. This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc.
 * Provide resources to the community to centrally manage the review of open source projects
 * Engage in responsible disclosure of any security vulnerabilities discovered

Project Planning

 * Settle overlap between OWASP projects: August 2008 (completed)
 * Initial tool selection and implementation: September 2008 (completed)
 * Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
 * First reviews: October 2008 (ongoing: first project has been selected)

Open review process
The high level process is as follows:




Related OWASP Projects
The following OWASP projects have a direct relation with ORPRO:
 * OWASP Application Security Verification Standard Project
 * OWASP Code Review Project
 * OWASP Orizon Project

News

 * 5 June 2008: OWASP ORPRO launched
 * 12 September 2008: owasp.fortify.com made available as a public beta for automated source code review of open source projects

Get involved
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc., who also have the audacity to review some of the most popular open source projects around.

We also need open source project leaders to submit their projects for review. If you run an open source project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing open-review-project@lists.owasp.org.

People
Project leads: Mario de Boer, Dan Cornell.

Contributors: Fortify Software has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at owasp.fortify.com.