Difference between revisions of "Category:OWASP Open Review Project RoadMap"

(2 intermediate revisions by 2 users not shown)
Previous revision:

[[OWASP_Open_Review_Project|Previous page - click here]]

* I have been reviewing popular open source common libraries and apps (zlib, truecrypt, etc). We all have many 10's or 100's of these on our machines, in our routers, in our web servers, etc. The quality is sometimes appalling, and as a consequence I am worried about the security. What, for example, if there were an exploitable bug in zlib? Patch Windows in 200 places, Cisco routers, etc etc. But how many people understand the source of zlib, and take the effort to check, write it down, and make the results available to everyone?
* So, it seemed a good idea to start the Open Review Project (ORPRO).
* As opposed to other initiatives, the idea is:
# Independent review, not led by the development project, but by software security professionals,
# Centrally managed,
# Leading to an independent statement of what is reviewed, why it is reviewed, why it is considered secure, and in the end some assurance that the software is free from security bugs,
# Not afraid of digging into hard algorithms (compression, crypto, etc).
* Key is openness, responsible disclosure, without leaking vulns to each and everyone.
* I heard Mark Roxberry's talk on his .NET initiatives at Appsec Belgium. It seems he is thinking along the same lines on this. Why not combine the review approaches in ORPRO, irrespective of the language?
* I am experienced in project management, enthusiastic, and a vivid public speaker. I have a PhD in math, reverse engineered professionally for many years, was a cryptographic researcher, performed pentesting, taught secure development training and reverse engineering, etc. Currently I am a security consultant, mainly in governance and compliance at multinationals. In my spare time I analyze code.
* Please let me know what you think of my proposal. I think many organizations would be extremely glad that OWASP openly checks open source libraries and software that are vital to most commercial and noncommercial apps around.

Latest revision as of 12:09, 18 July 2008

  • Independent security review of open source projects;
  • Centrally managed review projects;
  • Independent statement on what is reviewed and by whom, resulting in a form of assurance that the software is free from security bugs;
  • Analysis not limited to code review, including digging into hard algorithms (compression, crypto, etc);
  • Responsible disclosure of any security vulnerabilities discovered.
