OWASP Summer of Code 2008 Applications

This page contains project Applications to the OWASP Summer Of Code 2008

= A few notes = ''' = Applications - {Fill in below} =
 * If you want to apply for a SoC 2008 sponsorship you HAVE TO USE THIS PAGE for your application.
 * See How To Participate for what to do once you completed your Application.
 * Please remember that projects will be selected and funded based on how well they meet the Selection Criteria.
 * Please see AoC 06 and SpoC 07 for examples of Applications.
 * '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include this information in your proposal.

The Application Security Desk Reference - ASDR
The ASDR is a reference volume that contains basic information about all the foundational topics in application security. It intends to replace and refresh OWASP Honeycomb Project with a new structure for articles and relationship between categories.
 * Leonardo Cavallari Militelli
 * Proposal: ASDR Table of Contents

This idea raised when finished the Attack Reference Guide for OWASP Spring Of Code 2007, where it was identified that OWASP reference articles need some special attention. Jeff Williams is totally supporting this project.

We already have defined which type of article we should include on Desk Reference, as follows:
 * Principles
 * Threat Agents
 * Attacks
 * Vulnerabilities
 * Countermeasures
 * Technical Impacts
 * Business Impacts


 * Road Map: A complete project roadmap can be found on OWASP Honeycomb Project. Basically, I have defined the following activities, some of them already developed:
 * Define articles templates for each reference type
 * Define subcategories for articles classification
 * Compile first DRAFT version of ASDR Book
 * Articles development & Call for Volunteers
 * Articles revision
 * First version of OWASP ASDR book

OWASP Code review guide, V1.1
Code Review Guide Proposal:
 * Eoin Keary,

Introduction:The code review guide is currently at version RC 2.0 and the second best selling OWASP book. I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.

It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project.

The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

Proposal: I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.

Additional and expanded Chapters:

Transactional analysis Expand chapter. Examples via diagrams. Threat Modeling and Analysis The approach to examining an application to be reviewed. Focusing on areas of interest.

Example reports and how to write one How to determine the risk level of a finding.

Automated code review Code crawler documentation and usage.

Rich Internet Applications Expanded chapters on Flash, Ajax.

The OWASP ESAPI (Enterprise Security API) What it is, Why use it. What to review.

Code review Metrics: How to compile, use and analyse metrics. Rolling out metrics in the Enterprise.

Integrating Code review with an existing SDLC Integration of Secure Code review with an existing SDLC. Secure Code review roadmap definition. Documentation requirements. Scope definition. SDLC steering comittee establishment. Performace criteria, benchmarks and metrics. Integration of SDLC results into key IT governance areas. Critical success factors.

The OWASP Testing Guide v3
Now it's time to begin a new project that is based on v2 but improve it and complete it.
 * Matteo Meucci
 * The OWASP Testing Guide v2 was a great success, with thousand downloads and many many Companies that have adopted it as standard for a Web Application Penetration Testing.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

* Information Gathering * Business logic testing * Authentication Testing * Session Management Testing * Data Validation Testing * Denial of Service Testing * Web Services Testing * AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category. 2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode analysis 3) Infrastructural test --> new category 4) Web Services section needs improvement 5) AJAX Testing section needs improvement 6) New category: Client side Testing. AJAX and Flash Testing


 * This document analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

Code Crawler

 * Alessio Marziali (aka nTze)

Description This tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for "everyone"; Where "everyone" means "more" companies performing secure software activities. Key areas of improvement: Reporting - PDF - Microsoft Office Compatible Word Document - HTML

Scanning - Multiple File scanned at the same time -- Open Microsoft Visual Studio's Solutions

Bigger Database Which will provide more information about the threats such vulnerability type (XSS,SQL Injection, Remote File Inclusion etc). Security Software Life Cycle A feature that will let you save the threats for each project/document, so the reviewer can check how the development is going from a “security prospective” during the entire software lifecycle.

Improvement of the code scan system.

The Owasp Orizon Project

 * Paolo Perego (aka thesp0nge),
 * The Owasp Orizon Project,

Introduction

The Owasp Orizon Project born in 2006 in order to provide a framework to all Owasp projects developing code review services.

The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS. Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

Milk project is a java code review tool I'm writing using Orizon as background engine. Its goal is to show engine capabilities.

Objectives and deliverables


 * plugin architecture for static code review library: this planned feature will be announced (hopefully, if my CFP will be accepted) to next Owasp European App conf.
 * starting C# support
 * upgrade from Alpha quality project to Beta quality project in accord to Owasp Project Assessment criteria

Why I should be sponsored for the project

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

In the last year Owasp Orizon evolved a lot with a good static code review engine and a lot of code was written to give Owasp guys the best framework as possible to be used for writing code review tools. I hope to pursuit my goals again with SoC 2008.

Skavenger

 * Matthias Rohr

Introduction

Skavenger is a web application security assessment toolkit which arised from many years of professional experience in the web application assessment field and is the result of nearly one your of work.

It passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeader plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, an insecure session management and several kinds of information disclosure). Skavenger's modular design allows the integration of custom scanning modules without any knowledge about the tool at all.

Skavenger is completely written in Perl and can be downloaded from: https://sourceforge.net/projects/skavenger/

Objectives and deliverables

Here are some ideas:
 * A GUI to monitor and analyze scanning results
 * More sophisticated scanner modules (e.g. for better backend identification and more platform specific tests)
 * Database integration
 * API's to integrate modules in other languages (such as Python or Java).
 * Better source integration with custom Firefox, Burp or (of course) WebScarab plugins

OWASP .NET Project Leader

 * Mark Roxberry

Project Proposal

Assume the lead of the OWASP .NET Project. Ensure that information, materials and software are relevant to building secure .NET web applications and services. Provide deep content for all roles related to .NET web applications and services including:


 * Architectural guidance
 * Developer tools, information and checklists
 * IT professional content (for those that deploy and maintain .NET websites)
 * Penetration testing resources
 * Incident response resources

The OWASP .NET Project Leader will actively recruit .NET contributors, including personnel from Microsoft, but others throughout the .NET ecosystem. Including experts from communities from large companies to ISVs, from enterprise architects to ALT.NET developers will be important for the overall reach of the OWASP .NET project. Other communities to consider include developers who use Mono (.NET for Linux), including Moonlight (Silverlight for Linux).

The OWASP .NET Project Leader will actively contribute to the OWASP projects that require .NET resources, by recruiting resources or contributing to the project.

I propose to have the project active in 1-3 months, with continuous recruitment efforts for contributors for the life of the project. Metrics for success can include number of contributors, number of articles, search engine ranks for pages and site visit counts. For the application however, I will submit that within 3 months I can provide a baseline to set site goals for each metric.

Why I should be sponsored for the project

I have previously contributed to the OWASP Test Guide v2 project, providing content and reviewed content. I care about the OWASP mission. In fact, I have used the OWASP Top 10 to teach developers about vulnerabilities in web applications.

I have 15 years of technical leadership experience using Microsoft technologies. I have lead small and large teams as a technical lead, lead developer and architect on small and large projects. I am a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker. I am on top of current trends and required to be informed regarding .NET web development and security, including, for example ASP.NET MVC, Silverlight, Unity, Entity Framework. I am personally interested in providing security resources to .NET developers globally, specific and applicable to their projects.

OWASP Backend Security Project

 * Full name: Carlo Pelliccioni
 * Project: OWASP Backend Security Project
 * Project description:
 * OWASP Backend Security Project is a new project created to improve and to collect the existant information about the backend security.
 * The project is composed by three sections (security development, security hardening and security testing).
 * The aim is to define the guidelines for the companies and IT professionals working in the security field into processes development and back-end components management/testing in the enterprise architecture.


 * Objectives:

Overview Create a section with an introduction about the project (high-level description) explaining the main goals.

Development Include the writings already existant in OWASP wiki concerning PHP, JAVA and ASP.NET and extend the projects' sections with new contents.

Hardening Create new guidelines about the dbms hardening

Testing Include the writings already existant in OWASP wiki about security testing. Create new articles about security testing.

OWASP Classic ASP Security Project
Executive Summary I am interested in making P018 - OWASP Classic ASP Security Project happen, Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place” and continue spreading the word on security. I have always be a passionate of the technology (regardless of its inconveniences such as being old and DLL-hell prone) and I am really exited on the idea of sharing my knowledge of this area to the world and what best that though OWASP.
 * Juan Carlos Calderon

Objectives and Deliverables Create a secure framework for Classic ASP application by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries. More specifically:
 * Creation of a Common Object Repository for ASP applications based on OWASP ESAPI Project including objects and/or references to libraries for security applications all this aligned with OWASP Top10 and OWASP Guide.
 * Create Documentation aligned to OWASP Code Review Project Checklist providing additional technology-specific checks.
 * Addition of expression for Code Review Tool to support Classic ASP applications.
 * Implementation of Version 1 of Stinger for ASP either by using an installable COM library or ISAPI.
 * This same module will compliment the OWASP Validation Documentation Project.

Why should I be sponsored for the project? I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

Also I’ve had close contact with OWASP since 2005 by making possible the translation of OWASP Top 10 2004 and OWASP Testing Guide V1.17  to Spanish.

Internationalization Guidelines and OWASP-Spanish Project
Executive Summary The main goal of OWASP is to spread the word about security (“Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.”) and OWASP has done great work so far :). And now it’s time for a next big step.
 * Juan Carlos Calderon

The number of native and secondary speakers in the world for Chinese, Spanish, French, Russian, Arabic and Indi languages are estimated in similar number to English speaking or even more (Some References at Ethnologue, Encarta, Wikipedia). I think is a good time for OWASP to reach those that do not speak English to have full access to all the OWASP materials, not just a couple of documents.

OWASP, while open to translations, do not have clear guidelines on how to translate OWASP contents and (AFAIK) there is no multi-language support in OWASP.org site. This is understandable as there is no formal project for internationalization so far.

Oportunity and Effort This is great opportunity to make Spanish the first language on which the OWASP site and documentation is fully translated and at the same time share the experience with other people interested in the same objective, Bring OWASP to the world. And this is something I’ve being pushing for some time ago and that could be possible “at once” via SoC 2008.

I understand this is significant effort so to have it done I will count with the help of 6 people (friend of mine, all of them Security auditors with excellent English level) plus a few well known contributors from OWASP-Spanish effort, so the founding will be divided among the people involved in the same proportion of the work they do for the completion of this effort. This, to encourage delivery.

Objectives and Deliverables
 * Team up with Larry Casey to implement Multilanguage support in OWASP.org Mediawiki.
 * General Guidelines on minimum/recommended requirements to start a new language translation for OWASP Document and Site Pages
 * General Guidelines on minimum/recommended requirements to implement internationalization and localization (i18n) on OWASP Software
 * Full translation to Spanish of all the release-level document projects. Those are:
 * Top 10 2007
 * Guide 2 (Already translated)
 * Testing Guide (Already Translated)
 * Legal
 * FAQ
 * Full Translation of major sections of OWASP Site
 * Project Main Pages (Release, Beta and Alpha levels for both documents and tools projects)
 * Principles
 * References Section
 * Conferences
 * News (Those currently displayed in OWASP site)
 * About OWASP
 * Evaluation of Spanish translation approach for WebGoat and WebScarab and delivery of this document to Bruce and Rogan for possible implementation in near future.
 * Leverage for deploy of es.owasp.org, the domain already exists but is not redirecting correctly.
 * Create a Communication strategy to help and keep track on new pages or changes in significant pages so all the translations are in sync.

Out of Scope Translation of the following sections are NOT in Scope
 * Local Chapters Pages
 * Presentations
 * Conferences
 * Videos
 * Blogs
 * All the projects deliverables in Alpha and Beta Stages
 * All the documentation “on development” like Guide Version 3.0
 * Translation of Pages, documentation or tools to other language other than Spanish according to the stated in above section.

Why should I be sponsored for the project? I’ve being part of contributions to OWASP documents on the translation arena since 2005, a few of them by making possible the translation of OWASP Top 10 2004 and OWASP Testing Guide V1.17  to Spanish. It is time to make the full job done :).

I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

The Ruby on Rails Security Guide v2
Heiko Webers

The last security guide for Rails was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The Ruby on Rails Security Project is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a book. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.

In the new Rails Security Guide I'd like to
 * update the entire book to match Rails 2.0
 * cover new topics, including, but not limited to:
 * Intranet and administration interface security,
 * phishing,
 * real-world attack situations,
 * short excursus on server monitoring,
 * the new CookieStore session management,
 * vulnerabilities in popular plug-ins,
 * denial-of-service attacks
 * cover all OWASP Top Ten security vulnerabilities
 * a more compact writing style, more examples and "questions-and-answers"
 * introduce the OWASP and Rails security to a greater audience

OWASP Application Security Verification Standard

 * Mike

OWASP Application Security Verification Standard Proposal

Educational and professional background

The applicant is a hands-on senior professional services manager with a trademark of developing creative solutions to complex application security-related technical problems.

Application security experience and accomplishments

The applicant has a background in trusted product evaluation:


 * CC evaluation
 * CC evidence development, including operating system test code development
 * CC project management
 * TCSEC evaluation
 * TCSEC project management
 * TEF management
 * CCTL management

The applicant also has a background in security-related software development and integration:


 * PKI toolkit development
 * PK-E application integration
 * Secure web portal application development
 * Secure web portal integration
 * Secure instant messaging application development, including three patents

The applicant also has a background in cryptomodule testing:


 * FIPS 140 evaluation
 * FIPS 140 evidence development

Participation and leadership in open communities

The applicant does not have experience in contributing to open communities.

The opportunity, challenges, issues or need your proposal addresses

OWASP is looking for a commercially-workable open standard for performing application security verification efforts. The problem is that there is a huge range in the coverage and level of rigor available in the market, and consumers have no way to tell the difference between someone just running a grep tool, and someone doing painstaking code review and manual testing. So, a standard is needed.

Objectives or ways in which you will meet the goal(s)

The applicant’s proposal will address the above challenges as follows:


 * The applicant will define an evaluation framework that may be used to conduct OWASP Application Security Verification Standard certifications.
 * The applicant will define an OWASP Application Security Verification Standard which defines levels that applications may be certified against.

Specific activities and who will carry out these activities

The applicant will carry out these activities. Please see below for a proposed list of specific deliverables.

Specific deliverables and a rough project schedule so we can track progress

The applicant proposes the following deliverables:


 * Scheme Overview document. This will define the overall framework with roles, responsibilities, and processes.
 * Evaluation and Certification document. This will describe the evaluation and certification process.
 * Conditions for the Use of Trademarks. This will describe OWASP’s name, logo, and certificate may be used and referenced.
 * Evaluation Report Content Requirements. This will describe the content requirements of evaluation reports.
 * OWASP Application Security Verification Standard. This will define the levels that applications may be certified against.
 * OWASP Application Security Verification Standard Appendix A. This will define the required content of the OWASP Application Security Verification Standard Security Policy.
 * Policy Letter #1. Acceptance of Security Policies into OWASP Evaluation This will define the requirements to be listed as in evaluation on the OWASP web site.

The applicant proposes the following rough project schedule:


 * 2nd April. Project kickoff.
 * 15th June. Alpha Quality drafts of Scheme Overview document and of OWASP Application Security Verification Standard document completed.
 * 31st August. Project completion. Beta Quality drafts of all documents completed.

Long-term vision for the project

The long-term vision for the project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing application security verification.

Any other reasons why you and your project should be selected.

The applicant has a uniquely-qualified perspective given his experience with TCSEC, TTAP, CC, FIPS 140-1, and FIPS 140-2 evaluation programs, and his real-world perspective as a developer and integrator of security-related applications.