Category:OWASP Open Review Project


Overview
We are surrounded by open source software. Beyond the open source applications all of us use directly, many commercial products ship with open source libraries inside them. Think of server and desktop software, but also of routers, cars and phones: open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general. Its goal is to provide facilities for both automated and manual security review of open source applications and libraries, starting with OWASP projects but ultimately serving the whole open source world.

Fortify Software has made their Source Code Analyzer (SCA) technology available to open source projects at owasp.fortify.com

Project Goals

 * Independent security review of open source projects;
 * Centrally managed review projects;
 * Independent, published statement of what was reviewed, how, and by whom, so that users can judge the assurance the review gives for that scope (a review reduces the chance of undiscovered security bugs; it cannot prove the software free of them);
 * Analysis not limited to code review, including digging into hard algorithms (compression, crypto, etc);
 * Responsible disclosure of any security vulnerabilities discovered.

Project Planning

 * Settle overlap between OWASP projects: August 2008
 * Tool selection and implementation: October 2008
 * First reviews: October 2008

Open review process
The high-level process is as follows:
 * Proposal
   * Proposals for open source projects to be reviewed can be sent to the ORPRO project lead
 * Entry criteria
   * The ORPRO project lead checks the proposed open source project against the entry criteria
 * Team
   * The ORPRO project lead assigns a review project lead
   * The review project lead assigns a team of reviewers
 * Review
   * The review project is managed by the review project lead
   * Progress reports are published
   * Findings are communicated to the developers of the reviewed project
   * Bugs and defects are disclosed responsibly

News
5 June 2008  OWASP ORPRO launched

Get involved
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc., who have the audacity to review some of the most popular open source projects around.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing open-review-project@lists.owasp.org.

People
Project lead: Mario de Boer.

Contributors: None yet, any help more than appreciated.