Difference between revisions of "Category:OWASP Open Review Project"

(Open review process)
 
(14 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[[:Category:OWASP Project|Click here to return to OWASP Projects page.]]<br>
+
==== Main  ====
 +
<!---[[:Category:OWASP Project|Click here to return to OWASP Projects page.]]<br>
 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]  
 
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]]  
{{:Project Information:template Open Review Project}}
+
{{:Project Information:template Open Review Project}}--->
[[Category:OWASP Project]]
+
  
 
== Overview ==
 
== Overview ==
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones, open source is everywhere.
+
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones.  Open source is everywhere.
  
The OWASP Open Review Project (ORPRO) exists to act as a resource for open source projects and for the community in general.  The goal is to provides facilities for both automated and manual review of open source applications and libraries.
+
The OWASP Open Review Project (ORPRO) exists to act as a resource providing automated static analysis of OWASP projects.
  
Fortify Software has made their [http://www.fortify.com/products/detect/in_development.jsp Source Code Analyzer (SCA) technology] available to open source projects at [http://owasp.fortify.com owasp.fortify.com]
+
Fortify Software has made their [https://www.fortify.com/products/fortify-on-demand/index.html Fortify on Demand (FoD) technology] available to OWASP projects at [http://owasp.fortifyondemand.com owasp.fortifyondemand.com].
  
 
== Project Goals ==
 
== Project Goals ==
* Provide an independent security review of open source projects with a record of what has been reviewed and by whom in order to best communicate the security state of the open source projects.  This will include both automated and manual review of source code as well as analysis of algorithms such as compression, crypto, etc
+
* Provide an independent security review of OWASP projects with a record of what has been reviewed and by whom in order to best communicate the security state of the projects.  At the current time this includes automated review of OWASP project code
* Provide resources to the community to centrally manage the review of open source projects
+
 
* Engage in responsible disclosure of any security vulnerabilities discovered
 
* Engage in responsible disclosure of any security vulnerabilities discovered
  
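Review bot: the old navigation link and template transclusion are commented out rather than deleted (the block from `<!---[[:Category:OWASP Project|Click here to return to OWASP Projects page.]]<br>` through `{{:Project Information:template Open Review Project}}--->`); page history already preserves them, so remove the block outright, or put a one-line reason inside the comment if it is being kept deliberately, since dead wikitext left in comments tends to drift out of sync with the live page. Minor style point: the reworded goal `* Provide an independent security review of OWASP projects ... At the current time this includes automated review of OWASP project code` has no terminal period, unlike the other bullet in the list.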
Line 19: Line 18:
 
* Settle overlap between OWASP projects: August 2008 (completed)
 
* Settle overlap between OWASP projects: August 2008 (completed)
 
* Initial tool selection and implementation: September 2008 (completed)
 
* Initial tool selection and implementation: September 2008 (completed)
* Roll out automated review capabilities for a limited set of projects: September 2008
+
* Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
 
* First reviews: October 2008
 
* First reviews: October 2008
 
+
* Shutter original project:June 2011
== Open review process ==
+
* Re-start project using Fortify on Demand rather than Fortify SCA: August 2011
The high level process is as follows:
+
* Proposal
+
** Proposals for open source projets to be reviewed can be sent to the ORPRO project lead.  The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
+
* Team Development
+
** The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
+
* Review
+
** Assuming the project uses a platform supported by [http://owasp.fortify.com/ owasp.fortify.com], the source code is run through automated analysis.  Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation.  For more information on this process, see the [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project_owasp.fortify.com_FAQ OWASP Open Review owasp.fortify.com FAQ]
+
** Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
+
** Either reviewers or the open source project leaders responsibly disclose the identified security issues
+
 
+
 
+
The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.
+
 
+
== Related OWASP Projects ==
+
The following OWASP projects have a direct relation with ORPRO:
+
* [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
+
* [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]
+
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
+
  
 
== News ==
 
== News ==
 
* '''5 June 2008'''  OWASP ORPRO launched
 
* '''5 June 2008'''  OWASP ORPRO launched
 
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects
 
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects
 +
* '''16 August 2011''' Project re-launched using Fortify on Demand rather than Fortify SCA
  
 
== Get involved ==
 
== Get involved ==
Security review takes both time and expertise. We need people with good secure coding skills in C, C++, .NET, Java, PHP, etc who also have the audacity to review some of the most popular open source projects around.
+
We want OWASP project leaders to submit their projects for review.  If you run an OWASP project and are interested in participating, please email the mailing list.
 
+
We also need open source project leaders to submit their projects for review.  If you run an open source project and are interested in participating, please email the mailing list.
+
  
 
Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].
 
Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].
  
 
== People ==
 
== People ==
Project leads: [[User:Njama|Mario de Boer]], [[User:Dancornell|Dan Cornell]].
+
Project leads: [[User:Dancornell|Dan Cornell]].
 +
 
 +
Contributors: [http://www.fortify.com Fortify Software] has generously made their Fortify on Demand (FoD) technology available for use by OWASP projects at [http://owasp.fortifyondemand.com/ owasp.fortifyondemand.com].
 +
 
 +
==== Project About  ====
 +
 
 +
{{:Projects/OWASP Open Review Project | Project About}}
 +
 
 +
'''Sponsor'''<br>
 +
[https://www.fortify.com/ https://www.fortify.com/sites/all/themes/fortify_com_2010/images/common/logo.png]
  
Contributors: [http://www.fortify.com Fortify Software] has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at [http://owasp.fortify.com/ owasp.fortify.com].
+
__NOTOC__ <headertabs />
  
[[Category:OWASP Project]]
+
[[Category:OWASP_Project|Open Review Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Download]] [[Category:OWASP_Alpha_Quality_Tool]]
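Review bot: dropping the whole `== Open review process ==` section (from `The high level process is as follows:` through `The ORPRO project is a relatively new effort ...`) removes the only description of how findings are triaged, communicated to the project owner and disclosed, while the retained goal `* Engage in responsible disclosure of any security vulnerabilities discovered` still promises exactly that; keep a short process paragraph adapted to the Fortify on Demand workflow (who reviews the automated findings, how they reach the OWASP project lead, and who handles disclosure) so the goal stays backed by a procedure. Two smaller points: `* Shutter original project:June 2011` is missing the space after the colon that the other planning entries use, and the new bottom line `[[Category:OWASP_Project|Open Review Project]]` duplicates the `[[Category:OWASP Project]]` left near the top of the page (underscore and space name the same category), so one of the two should be removed.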

Latest revision as of 10:08, 19 August 2011

Main

Overview

We are surrounded by open source software. Beyond the open source software all of us use directly, many commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones. Open source is everywhere.

The OWASP Open Review Project (ORPRO) exists to act as a resource providing automated static analysis of OWASP projects.

Fortify Software has made their Fortify on Demand (FoD) technology available to OWASP projects at owasp.fortifyondemand.com.

Project Goals

  • Provide an independent security review of OWASP projects with a record of what has been reviewed and by whom in order to best communicate the security state of the projects. At the current time this includes automated review of OWASP project code
  • Engage in responsible disclosure of any security vulnerabilities discovered

Project Planning

  • Settle overlap between OWASP projects: August 2008 (completed)
  • Initial tool selection and implementation: September 2008 (completed)
  • Roll out automated review capabilities for a limited set of projects: September 2008 (completed)
  • First reviews: October 2008
  • Shutter original project: June 2011
  • Re-start project using Fortify on Demand rather than Fortify SCA: August 2011

News

  • 5 June 2008 OWASP ORPRO launched
  • 12 September 2008 owasp.fortify.com made available as a public beta for automated source code review of open source projects
  • 16 August 2011 Project re-launched using Fortify on Demand rather than Fortify SCA

Get involved

We want OWASP project leaders to submit their projects for review. If you run an OWASP project and are interested in participating, please email the mailing list.

Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing open-review-project@lists.owasp.org.

People

Project leads: Dan Cornell.

Contributors: Fortify Software has generously made their Fortify on Demand (FoD) technology available for use by OWASP projects at owasp.fortifyondemand.com.

Project About

Project info: what does this OWASP project offer you?
Release(s) info: what releases are available for this project?

What is this project?
Name: OWASP Open Review Project (home page)
Purpose:
  • The OWASP Open Review Project (ORPRO) is a project to openly check open source libraries and software that are vital to most commercial and non-commercial apps around.
  • We are surrounded by open source software. Beyond the open source software all of us use directly, many commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones. Open source is everywhere.
  • The OWASP Open Review Project (ORPRO) exists to act as a resource providing automated static analysis of OWASP projects.
  • Fortify Software has made their Fortify on Demand (FoD) technology available to OWASP projects at owasp.fortifyondemand.com.
License: N/A

Who is working on this project?
Project Leader(s):

How can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.

Current release: Not Yet Published
Last reviewed release: Not Yet Reviewed
Other releases:

Sponsor
Fortify Software (https://www.fortify.com/)