
Overview
One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact on the professional industry, more time and energy should be focused on the academic community. It is an unfortunate fact that most universities do not require a rigorous software security course for their computer science students. Consequently, most young developers are unable to assess and mitigate the risks and threats to their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adoption of application software security methodologies in academic course curricula.

The Scholastic Application Security Assessment Project is intended to be the first step towards integrating security requirements into academic course curricula. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http://www.owasp.org. The assessment, led by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately improve the overall security posture of a web application. This project contributes towards bridging the gap between academia and industry by equipping students with hands-on, job-ready skills in the application security industry.

Project Lead(s)
The OWASP Scholastic Application Security Assessment Project is co-led by Eric Sheridan and Goran Trajkovski, PhD.

Participants
The Scholastic Application Security Assessment Project requires that college-level students, led by an application security professional, perform a security audit of an open source web application using the tools and information available at OWASP.


 * Application Security Professional – Eric Sheridan, Aspect Security
 * Towson University (TU) Partner – Dr. Goran Trajkovski, Towson University
 * Students – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
 * Web Application – The Open WebMail Project

OWASP Utilization
The Scholastic Application Security Assessment Project requires heavy use of existing OWASP tools and utilities. Through this requirement, the project will illustrate that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:


 * OWASP Top Ten 2004/2007 – The security-critical areas that the students will assess in the review
 * OWASP Testing Guide v2 – The primary resource for building penetration testing cases
 * OWASP Guide – The primary resource for technical details pertaining to a technology and/or vulnerability
 * OWASP WebScarab – The primary proxy utility used throughout the assessment

The Final Report
Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and to the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in its discovery.

How does OWASP Benefit?
The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

The OWASP Community…
 * will be provided with a case study proving that the resources available at OWASP can be used in an academic environment, which can later be used to promote the OWASP effort to programs similar to the one at TU.
 * will be providing students hands-on experience in learning about and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
 * will be addressing the need to educate developers in the security-critical areas.
 * will be seen as offering a professional-level service to another open source project.
 * will be addressing one of the root causes of application software insecurity.

Open WebMail Assessment Progress - 75%
The bulk of the application security assessment is complete. Currently, we are working on the draft report that will be used to notify the Open WebMail developers of the findings.


 * Student Training and Preparation, Day 1 - complete
 * Student Training and Preparation, Day 2 - complete
 * Student Training and Preparation, Day 3 - complete
 * Application Security Assessment Execution, 6 weeks - complete
 * Student Application Security Finding Write-ups, 2 weeks - complete
 * Draft Report - near completion
 * Open WebMail Notification - pending
 * Final Report - pending

Feedback and Participation
We hope you find this project useful. Please contribute back to the project by writing your comments, questions, and suggestions on the OWASP SASAP talk page. Thanks!

Donations
The Open Web Application Security Project is purely an open-source, community-driven effort. As such, all projects and research efforts are contributed and maintained in individuals' spare time. If you have found this or any other project useful, please support OWASP with a donation.

Project Sponsors
The OWASP SASAP project is sponsored by the OWASP Spring of Code 2007.