Winter Code Sprint

Foreword
The OWASP Winter Code Sprint (OWCS) is a program to involve students with Security projects. By participating in OCWS a student can get real life experience while contributing to an open source project and getting university credits.

Benefits
You get to work for a popular project. Since the project is open source your work is publicly visible. You get university credits while doing so. You are supervised by a person with real-world experience on security You make excellent contacts and you participate in an international team

Perks
Students who successfully(*) participate in the project will get:


 * An OWASP annual individual membership. More info here: http://owasp.com/index.php/Individual_Member
 * An OWASP Winter Code Sprint t-shirt.
 * An OWASP conference pass (no flight/accommodation - just an OWASP conference pass of choice)

(*) successful participation means a passing score granted by University authorities.

How it works:
Any project that will give you university credits can participate in OCWS. Each project will be guided by an OWASP mentor along with a professor. Students are graded by their University, based on success criteria identified at the beginning of the project.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. OWASP does not influence the way grades are allocated. The OWASP advisers will provide any information professors need in order to grade their students.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

As a Student
1. Review the list of OWASP Projects currently participating in OCWS

2. Get in touch with the OWASP Project mentor of your choice.

3. Agree deliverables with OWASP mentor and university professor.

4. Work away during Autumn/Winter 2014

5. Rise to Open Source Development Glory :-)

As a Professor
1. Review the list of OWASP Projects currently participating in OCWS

2. Get in touch with the OWASP Project mentor of your choice.

3. Promote the participating OWASP Projects among students.

4. Review student progress with help from OWASP mentors.

5. Grade student work according to university scoring system.

6. Provide student grade results to OWASP mentor/s.

As an OWASP Project Leader
1. Edit this page adding your project and some proposed tasks as per the examples

2. Promote the initiative to your academic contacts

Mailing List
A mailing list link will appear here shortly. In case you have questions or you want to get in touch please ask there.

OWASP OWTF - Testing Framework Improvements
Brief explanation:

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

Top features

In this improvement phase, the Testing Framework should: For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!) The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible. This will be challenging but very worth trying after top priorities. The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.
 * (Top Prio) Focus more on functional tests
 * (Top Prio) Put together a great wiki documentation section for contributors
 * (Top Prio) Fix the current Travis issues :)
 * (Nice to have) Bring the unit tests up to speed with the codebase

General background

The Unit Test Framework should be able to:
 * Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see this presentation for more background)
 * Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
 * Allow to regression test by test categories (i.e. "test only web plugins")
 * Allow to regression test everything (i.e. plugins + framework core: "test all")
 * Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
 * Allow for easy creation of _new_ unit tests specific to OWASP OWTF
 * Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
 * Perform well so that we can run as many tests as possible in a given period of time
 * Potentially leverage the python unittest library: http://docs.python.org/2/library/unittest.html

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

Expected results:


 * IMPORTANT: PEP-8 compliant code in all modified code and surrounding areas.
 * IMPORTANT: OWTF contributor README compliant code
 * Performant and automated regression testing
 * Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
 * Good documentation

Knowledge Prerequisite:

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

OWASP Hackademic Challenges - Source Code testing environment
Brief Explanation:

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

Expected Results:

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

Knowledge Prerequisites:

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

OWASP Hackademic Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Contact: Konstantinos@owasp.org / spyros.gasteratos@owasp.org

OWASP Hackademic Challenges - Challenge Sandbox
Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend, we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected. Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.

Ideas on the project:

 *Administrator's point of view* 

Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s). Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server. The student is expected to provide configuration scripts that do the above

 *Coder's Way* 

This is better explained with an example: In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function. The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.). The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).

 * Your solution here * 

 Expected results 

You should be able to upload a trully vulnerable web application as a hackademic challenge without compromising the server outside the sandbox.

OWASP Hackademic Challenges - CMS improvements
Brief Explanation:

The new CMS was created during 2012 GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome. For a complete list you can take a look at the issues in our github page here https://github.com/Hackademic/hackademic Some ideas to get you started: Ideas on this project:


 *  Template *

Since it's creation the project has received a good number of new features, but the visual/ux/ui part has never gotten much love. It would be good if we had a new template with proper ui design.


 * Questionaire creation plugin *

We'd like the admin to be able to create questionaires, assign rules for each question (e.g. correct answer +2pts incorrect answer -2, no answer 0) and assign them to students as homework/exams. The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionaire.


 * Ability to show different articles on the user's home screen

Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.


 * Gamification of the user's progress *

A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.


 * Ability to define series of challenges

The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.


 *  Tagging of articles, users, challenges 

A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher. Also the user should be able to search according to the tags.


 * Your idea here

We welcome new ideas to make the project look awesome.

Expected Results:

New features and security improvements on the CMS part of the project.

Knowledge Prerequisites:

Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements.

OWASP Hackademic Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Contact: Konstantinos@owasp.org / spyros.gasteratos@owasp.org

OWASP ZAP - Web UI
Brief explanation: 

ZAP is already an extremely capable tool used by many different groups of users. Work has already been done to make ZAP useful in environments where it can't run interactively (e.g. via the API). ZAP main Swing UI doesn't provide convenient access to remote users; a UI which provides some functionality for for users in such environments would be very useful.

Adding a powerful HTML interface to ZAP would allow it to operate in an even wider range of situations.

Expected Results:


 * A working example of an effective HTML UI that allows ZAP to be configured or used in a new way.

Optional:

Multi user / access controls, etc?

General background

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML, CSS and JavaScript. Some knowledge of application security would be useful, but not essential.

OWASP ZAP Mentor: Simon Bennetts - Contact: simon.bennetts@owasp.org

OWASP ZAP - Advanced reporting
Brief explanation: OWASP ZAP has a limited reporting feature. The actual version can print only the 'Alerts' results into a simple pdf, html or in xml format.

Expected Results: We want to be able to print more than the Alerts results, which includes many other outputs such as: Request and Response, Active Scan, Zest among others.

General background During the Gsoc 2013, we did a research and a prototype module was created, using BIRT plugins for Advance reporting. Read more about the results of the explorative research : https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT]

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

OWASP ZAP Mentor: Simon Bennetts - Contact: simon.bennetts@owasp.org

OWASP ZAP - CI Integration
Brief explanation:

ZAP is ideally suited for performing security tests in a Continuous Integration environment.

Right now there are a lot of manual steps to perform. This development will be to investigate and implement code/plugins etc to make it much easier to integrate ZAP with tools like Selenium and Jenkins / Hudson.

Expected Results:

TBA

General background

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

OWASP ZAP Mentor: Simon Bennetts - Contact: simon.bennetts@owasp.org

More info?
Please get in touch with the OWASP Winter Code Sprint Lead: spyros.gasteratos@owasp.org