Category:OWASP Open Review Project RoadMap
Revision as of 10:40, 2 June 2008 by Pauloc
- I have been reviewing popular open source common libraries and apps (zlib,truecrypt, etc). We all have many 10's or 100's of these on our machines, in our routers, in our web servers, etc. The quality is sometimes appalling, and as a consequence I am worried about the security. What, for example, if there were an exploitable bug in zlib? Patch Windows in 200 places, Cisco routers, etc etc. But how many people understand the source of zlib, and take the effort to check, write it down, and make the results available to everyone?
- So, it seemed a good idea to start the Open Review PROject(ORPRO).
- Opposed to other initiatives, the idea is:
- Independent review, not led by development project, but by software security professionals,
- Centrally managed,
- Leading to independent statement what is reviewed, why it is reviewed,why it is considered secure, and in the end some assurance that the software is free from security bugs,
- Not afraid of digging into hard algorithms (compression, crypto, etc).
- Key is openness, responsible disclosure, without leaking vulns to each and everyone.
- I heard Mark Roxberry's talk on his .NET initiatives at Appsec Belgium. It seems he is thinking along the same line on this. Why not combine the review approaches in ORPRO, irrespective of the language?
- I am experienced in project management, enthusiastic, and a vivid public speaker. I have a PhD in math, reverse engineered professionally for many years, was cryptographic researcher, performed pentesting, taught secure development training and reverse engineering, etc. Currently I am security consultant, mainly in governance an compliance at multinationals. In my spare time I analyze code.
- Please let me know what you think of my proposal. I think many organization would be extremely glad that OWASP openly checks open source libraries and software that are vital to most commercial and noncommercial apps around.
This category currently contains no pages or media.