Difference between revisions of "Category:OWASP Source Code Review OWASP Projects Project"

From OWASP
Jump to: navigation, search
m (Process: Added workflow zip)
m (Process)
Line 7: Line 7:
  
  
The OWASP Source Code Review integrates OWASP projects with the Fortify Open Review Process. The workflow can be found in [[Image:https://www.owasp.org/index.php/Image:Workflow_July_11a.zip]  Therefore, any open source project using this workflow must first be added as an OWASP project as illustrated in [[Image:Workflow_Draft1.pdf#file]].   
+
The OWASP Source Code Review integrates OWASP projects with the Fortify Open Review Process. The workflow can be found in [[https://www.owasp.org/index.php/Image:Workflow_July_11a.zip Workflow.zip]]  Therefore, any open source project using this workflow must first be added as an OWASP project as illustrated in [[Image:Workflow_Draft1.pdf#file]].   
  
 
As described in the Fortify Open Review Process, the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where SCA is done weekly, or one time analysis.  The single analysis requires the evaluator to submit a Fortify output file, which requires the evaluator to own a copy of Fortify.  The continuous evaluation is automated and in accordance with the [ http://www.lulu.com/content/1415989 OWASP Code Review Guide], these results can be used to remove common problems.  The common problems, along with other software errors exposed by findBugs, will be documented as known problems.   
 
As described in the Fortify Open Review Process, the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where SCA is done weekly, or one time analysis.  The single analysis requires the evaluator to submit a Fortify output file, which requires the evaluator to own a copy of Fortify.  The continuous evaluation is automated and in accordance with the [ http://www.lulu.com/content/1415989 OWASP Code Review Guide], these results can be used to remove common problems.  The common problems, along with other software errors exposed by findBugs, will be documented as known problems.   

Revision as of 15:13, 11 December 2008

Click here to return to OWASP Projects page.
Click here to see (& edit, if wanted) the template.


PROJECT IDENTIFICATION
Project Name OWASP Source Code Review OWASP-Projects Project
Short Project Description The objectives of this project are: 1. Develop and document a workflow for FLOSS projects to incorporate static analysis into the Software Development Life Cycle (SDLC); 2. Apply the above workflow as a required step for OWASP projects; 3. Aid in auditing select FLOSS projects to create a baseline for comparing security amongst FLOSS projects.
Project key Information Project Leader
Dan Cornell
SoC's Project Leader
James Walden
Project Contributors
Justin Derry
Maureen Doyle
Michael Whelan
Grant Welch
Mailing list
Subscribe here
Use here
License
Creative Commons Attribution Share Alike 3.0
Project Type
Documentation
Sponsor
OWASP SoC 08
Fortify
Release Status Main Links Related Projects

Release Quality
Please see here for complete information.


Contents

Process

The OWASP Source Code Review integrates OWASP projects with the Fortify Open Review Process. The workflow can be found in [Workflow.zip] Therefore, any open source project using this workflow must first be added as an OWASP project as illustrated in File:Workflow Draft1.pdf.

As described in the Fortify Open Review Process, the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where SCA is done weekly, or one time analysis. The single analysis requires the evaluator to submit a Fortify output file, which requires the evaluator to own a copy of Fortify. The continuous evaluation is automated and in accordance with the [ http://www.lulu.com/content/1415989 OWASP Code Review Guide], these results can be used to remove common problems. The common problems, along with other software errors exposed by findBugs, will be documented as known problems.

The single analysis or any one of the continuous analysis can be followed by a code review Manual Review as described in the OWASP Open Review Project.

OWASP Projects Scanned

AntiSamy

CSRFGuard

CSRFTester

DirBuster

JBroFuzz

Lapse

Stinger

Webekci

WebGoat

WebScarab

Non-OWASP projects scanned in MediaWiki, WordPress, and many others. See owasp.fortify.com for details.

Get involved

We need OWASP project leaders to submit their projects for review. We will work with you to upload your project and review the findings, so that we can get each OWASP project to show zero defects.

Please go to https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects to subscribe to the list to contact us. You can post to the mailing list by emailing [1].

People

Project lead: James Walden

Contributors: Maureen Doyle, Grant Welch, Michael Whelan

Reviewers: Marco Morano, Alex Fry

Fortify Software has generously made their Source Code Analyzer (SCA) technology available for use by open source projects at owasp.fortify.com.

This category currently contains no pages or media.