Difference between revisions of "Category:OWASP Orizon Project"

From OWASP
(33 intermediate revisions by 5 users not shown)
  
Previous revision:

== Overview ==
  
The quest for secure code is what all developers want (I hope so) to achieve. Software must be reliable. Software must be strong. Software must be '''secure'''.

How ''secure'' does my software have to be? The correct answer is hard to find. But security is a problem that even a development team must take care of.

Must a skilled developer also be a security guru? I don't know, not necessarily. But it's important that someone gives them the tools to merge security know-how with their development skills, and so our quest for secure code starts...

Orizon was born with the aim of providing a common ground for safe coding and code review methodologies applied to software. The code is approaching its first major release and it will be usable in a production environment very soon.

Orizon must give thanks to Findbugs, the OWASP LAPSE Project, RATS and Flawfinder for ideas and inspiration.

Orizon's page at SourceForge is [http://orizon.sourceforge.net here].
  
== Goals ==

The goal of OWASP Orizon is to provide a set of APIs to:

* manage a safe coding rules library
* apply these rules to a generic source file
* support the most widely used programming languages (Java, C#, ASP.NET, C, C++, ...)
* create reports to show source code assessment results
* let developers build code review tools
* help people understand how important it is to apply safe coding rules while making software

OWASP Orizon will implement all security checks described in the [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project Code Review Guide].
  
== Documentation ==

Available online is the [http://downloads.sourceforge.net/orizon/The_Owasp_Orizon_Project_Internals_v2.2.ppt?use_mirror=osdn slideshow] used during [http://www.owasp.org/index.php/OWASP_AppSec_Europe_2008_-_Belgium OWASP AppSec EU 2008 in Ghent, May 2008].

== Download ==

For now all the code is in the Subversion repository hosted at sourceforge.net.

Last release is: [http://downloads.sourceforge.net/orizon/orizon-1.0.jar?use_mirror=heanet 1.0]
  
=== Dawn ===

In September 2007, while hacking around release 0.50, I decided to introduce dynamic code review facilities, for the Java language only for now.

Looking for a name for this piece of Orizon's code, I chose ''dawn''.

I think this will be the most cutting-edge technology inside Orizon. It will help developers to ''raise'' their code from buggy and unsafe into hardened... and that is why everything related to dynamic code review is named ''dawn''.

Dawn is contained in Orizon since release 0.45pre1.
  
=== Bastion ===

Sometime around March 2007, looking at the results of telling people how good it would be to review their code for security issues, I realized that a quick workaround had to be provided for those scared by a full code review activity, or simply for those who want a quick fix while the security review is being completed.

For that reason I created a parallel project, called Bastion, in order to provide Java developers with classes that embed security checks in their core, so as to have a quick fix without changing much in the code.

Please let me explain that this won't substitute for a security code review at all. Bastion would give some initial help while effort is being spent on the source code to leverage security branches.

Starting from Orizon v0.25, Bastion is a separate JAR file.

Latest Bastion version is: [http://downloads.sourceforge.net/orizon/bastion-0.42-b193.jar?use_mirror=heanet 0.42 Build 193]

I also wrote a very simple web application that shows how to use Bastion in order to fix a very simple Cross Site Scripting attack with a single line of code changed.

The WAR file containing the aforementioned web application can be found [http://downloads.sourceforge.net/orizon/bastion_test.war?use_mirror=heanet here].

The base URL is set to bastion_test, so after starting up your preferred application server, point your browser to ''http://url/bastion_test'' and follow the instructions.

The application is built against a very old Orizon version, when Bastion was still contained inside Orizon. Since my latest work is related to the Orizon APIs, the Bastion code is the same from April until now.

A few words need to be spent here. I'm not reinventing the wheel. The Web is full of libraries sanitizing source code, trying to mitigate an attack over a web application. Bastion is just my small contribution to the community; I really hope you'll appreciate it.
  
== The library ==

For a code review tool the most important thing is the knowledge: the security checks being applied to the source code.

No matter how good your tool is or how fancy your UI is, a poor security check library means your tool is useless.

Orizon organizes safe coding best practices in XML rules contained in files called recipes. The mantra I chose is that "coding is like cooking": the goal is to choose the right recipe.

Recipes are gathered together in a zip file called the Library.

This is the layout of the knowledge inside Orizon.

=== The XML schema ===

The Orizon XML schema used to describe secure coding checks can be hard to read. On this [http://www.owasp.org/index.php/OWASP_Orizon_Project_XML page] you can find more details about how an XML rule is built.

== Blog ==

The OWASP Orizon blog is now proudly hosted by SourceForge [http://orizon.sourceforge.net/blog here].

== Future Development ==

This is the updated project roadmap. I was too optimistic in my first roadmap draft. This is a more realistic timeline...

For an up-to-date roadmap you have to refer to the official Orizon Roadmap [http://orizon.sourceforge.net/roadmap.html page].

== Speeches ==
+
  
 
'''Owasp Orizon Internals @ Owasp AppSec NY 2008, New York 22-25th September 2008'''

'''OWASP Orizon Project @ SMAU eAcademy, Milan 4-7th October 2006'''

I will talk at [http://www.webb.it SMAU eAcademy2006] next Saturday 7th October 2006 about code review and safe coding. [http://webb.it/event/eventview/5772/1/0,0/code_review_e_principi_di_programmazione_sicura Here] you can find more information (in Italian only for now).

The last part of the speech will be about introducing the Orizon project and giving a development roadmap.

== 2.10.2006 ==

'''OWASP Orizon Project Created! - 09:24, 2 October 2006 (EDT)'''

The Open Web Application Security Project is proud to announce the OWASP Orizon Project!
+
== Feedback and Participation ==

Orizon wants you.

Of course, as an open source project, '''anyone''' is welcome to join Orizon, and please do so.

If you are a skilled C#, Java or ASP developer and you want to share your experience with such languages, feel free to use the mailing list to contribute to Orizon's supported languages.

If you are a skilled Java developer, why don't you think about writing some code for Orizon?

If you write quite well (or, it's not so difficult, better than me), please think about joining the project for documentation, advertising, blog maintenance...

We hope you find the OWASP Orizon Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Orizon Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-orizon subscription page].

== Project Contributors ==

--[[User:Thesp0nge|thesp0nge]] 09:47, 2 October 2006 (EDT)

== Project Sponsor ==

Revision as of 10:06, 18 November 2009


About

The quest for secure code is what all developers want to achieve (at least we hope so). Software must be reliable. Software must be strong. Software must be secure.

How secure does my software have to be? The correct answer is hard to find. But security is a problem that even a development team must consider.

Should skilled developers also be security gurus? Not necessarily, but it is important to provide security tools that will augment their development skills. And so our quest for secure code begins...

The OWASP Orizon project was created with the aim of providing a common ground for safe coding and code review methodologies to be applied to software. The project is approaching its first major release and it will be able to be used in a production environment in the near future.

Orizon must give thanks to Findbugs, the OWASP LAPSE Project, RATS, and Flawfinder for ideas and inspiration.

The Orizon project, hosted by Sourceforge, is here.

Goals

Orizon's goal is to provide:

  • a tool a security specialist (or a developer with hackish state-of-mind) can use to perform code reviews
  • an engine a developer can embed in his application to provide code review services

One of OWASP's newly-created goals is to eat its own dog food and Orizon will contribute to this goal by utilizing the recommendations described in the OWASP Code Review Guide.

Discussion group

A discussion group is available as well, on LinkedIn. We can use this group to talk about Orizon, to promote it in the real-world business of static analysis, to request features, to submit bugs, to exchange a few words with the developers and so on.

So, please join the group and help us spread the word. Static analysis is fun... again.

Join the project

Orizon wants you!

The model we follow is the OpenBSD one. Anyone is free to send opinions, criticism and patches. If a user provides a good number of patches showing us that he (or she) really wants to collaborate on the project, then he (or she) will be added to the OWASP Orizon core team.

If you are a skilled Java developer why don't you consider writing a bunch of code for Orizon? Or, consider joining the project for documentation, advertising, blog maintenance, etc.

We hope you find the OWASP Orizon Project useful. Please contribute to the project by volunteering for one of the tasks, or by sending your comments, questions, and suggestions to owasp-orizon@owasp.org.

To join the OWASP Orizon Project mailing list or view the archives, please visit the subscription page.


Project Details

what is this project?
OWASP Orizon Project

Purpose: OWASP Orizon is a code review tool intended to be used by security specialists to perform white box assessments. Orizon also exposes a set of APIs that can be used within a security tool to provide code review services.

License: General Public License version 3

who is working on this project?
Project Leader: Paolo Perego

Project Maintainer: Paolo Perego

Project Contributor(s):

  • Steven Evans
  • Andres Riancho
  • Dinis Cruz
  • Mike Duncan
  • prashant k v
  • Alessio Marziali
  • Jason Li
  • Nishi Kumar
how can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: View

Mailing list: Subscribe or read the archives

Project Roadmap: To view, click here

Main links:

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact Paolo Perego to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Orizon 1.19 - 2009 - (download)

Release Leader: Paolo Perego

Release details: Main links, release roadmap and assessment

Rating: Beta Release
To be reviewed under Assessment Criteria v2.0


Download

The latest release is 1.19.

The blog

The Orizon blog is proudly hosted by Wordpress.com here.

FAQ

Available online is an Orizon presentation given at OWASP AppSec EU 2008 in Ghent, May 2008.

Owasp Orizon Internals @ Owasp AppSec NY 2008, New York 22-25th September 2008

Orizon@AppSec NY 2008

Owasp Orizon Internals @ Owasp AppSec EU 2008, Ghent 21-22nd May 2008

Orizon@AppSec EU 2008

Owasp Orizon Internals @ Owasp Day Italy 2008, Rome 31st March 2008

Orizon@Owasp Day in Italy

OWASP Orizon Project @ SMAU eAcademy, Milan 4-7th October 2006

I will talk to SMAU eAcademy2006 next Saturday 7th October 2006 about code review and safe coding. Here you can find more information (for now, only in Italian). The last part of the speech will be about introducing the Orizon project and giving a development roadmap.

A slideshare space (http://www.slideshare.net/thesp0nge) is available for the presentations used in OWASP conferences.

News

November 2009 - we started moving from the current release to the next major bump (v2.0), which will happen in June 2010 during the OWASP AppSec conference in Stockholm.

In order to motivate collaboration and to keep track of project improvements, each month a slideshow showing the biggest updates will be published on the Net and on the blog, so that anyone can figure out how to help the project and see what we're doing for the community.

Contributors/Users




Project creation

OWASP Orizon Project Created! - 09:24, 2 October 2006 (EDT)

The Open Web Application Security Project is proud to announce the OWASP Orizon Project!


Project sponsor

OWASP Summer of Code 2008
