Category:OWASP Source Code Review OWASP Projects Project
|Project Name||OWASP Source Code Review OWASP-Projects Project|
|Short Project Description||The objectives of this project are: 1. Develop and document a workflow for FLOSS projects to incorporate static analysis into the Software Development Life Cycle (SDLC); 2. Apply the above workflow as a required step for OWASP projects; 3. Aid in auditing select FLOSS projects to create a baseline for comparing security amongst FLOSS projects.|
|Project Leader||James Walden|
|SoC's Project Leader|| |
|License||Creative Commons Attribution Share Alike 3.0|
|Program||OWASP SoC 08|
|Release Status|| |
|Main Links|| |
|Related Projects|| |
This project involved creating a process for integrating the Fortify Open Review Process into the OWASP project development lifecycle, and working with Fortify to develop and test their new Open Review site at http://owasp.fortify.com/.
The goals of this project were to:
- Create a process for integrating the Fortify Open Review into open source development.
- Test functionality of the new Fortify Open Review site introduced in Summer 2008.
- Scan 10 OWASP projects with the Fortify Open Review to verify the site's functionality and establish a baseline.
- Scan 25 popular open source PHP projects to verify the site's ability to handle large scale projects and establish a baseline.
The workflow diagrams can be found in Workflow.zip. Within the ZIP file, overview.pdf describes the relationships between the different parts of the workflow. The file start.pdf describes the first step of the workflow, which verifies that the project is an OWASP project; if it is not, the project is first added as a new OWASP project (see File:Workflow Draft1.pdf). Prior to any source code analysis (SCA), the project must also be added as a Fortify Open Review project (see createProject.pdf).
As described in the Fortify Open Review Process, the Project Lead or Source Code Review Lead can choose between a continuous evaluation, where SCA is run weekly, or a one-time analysis performed as part of the usual development process (see waterfall.pdf and iterative.pdf) after unit testing and prior to final system testing. The one-time analysis requires the evaluator to submit a Fortify output file, which in turn requires the evaluator to own a copy of Fortify 360. The continuous evaluation is automated and does not require the developer to have a Fortify 360 license; in accordance with the OWASP Code Review Guide, its results can be used to remove common problems. The common problems, along with other software errors exposed by FindBugs (see findBugs.pdf), are then documented as known problems in the project's bug list, so that each weekly run can be compared against the previous one rather than re-triaged from scratch.
The purpose of this workflow is to integrate and automate SCA into the development cycle of open source applications for the sole purpose of decreasing software vulnerabilities. Automated SCA only finds the bug classes its rules cover, so this effort can, and should, be supplemented by a manual code review as described in the OWASP Open Review Project.
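The "document findings as known problems, then re-scan weekly" step above is where an automated workflow usually breaks down: without a stable record of what was already triaged, every weekly run re-reports the whole backlog. The following is an added example, not code from the OWASP project or from Fortify Open Review, showing one way to do that bookkeeping for the FindBugs half of the workflow. It assumes FindBugs' BugCollection/BugInstance XML report layout, uses a constructed sample report and a constructed JSON baseline (both invented for this example, not real scanner output), and keys findings on bug pattern, class and method so that line-number drift does not make an old problem look new.

```python
"""Triage a FindBugs XML report against the baseline recorded by the previous run.

Added example; not part of the OWASP project page, FindBugs, or Fortify Open Review.
The XML layout, the baseline format and the sample data below are all assumptions.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample report in FindBugs' BugCollection/BugInstance layout (assumed layout).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="1.3.9">
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" category="SECURITY">
    <LongMessage>Nonconstant string passed to execute method on an SQL statement</LongMessage>
    <Class classname="org.example.UserDao"/>
    <Method name="findByName" signature="(Ljava/lang/String;)Ljava/util/List;"/>
    <SourceLine sourcepath="org/example/UserDao.java" start="42" end="42"/>
  </BugInstance>
  <BugInstance type="XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER" priority="2" category="SECURITY">
    <LongMessage>Servlet reflected cross site scripting vulnerability</LongMessage>
    <Class classname="org.example.SearchServlet"/>
    <Method name="doGet" signature="(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)V"/>
    <SourceLine sourcepath="org/example/SearchServlet.java" start="27" end="28"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" category="I18N">
    <LongMessage>Reliance on default encoding</LongMessage>
    <Class classname="org.example.Util"/>
    <Method name="readAll" signature="(Ljava/io/InputStream;)Ljava/lang/String;"/>
    <SourceLine sourcepath="org/example/Util.java" start="15" end="15"/>
  </BugInstance>
</BugCollection>
"""

# Constructed baseline: the keys a previous weekly run wrote out (format defined by finding_key below).
SAMPLE_BASELINE = json.dumps([
    "XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER|org.example.SearchServlet|doGet",
    "DM_DEFAULT_ENCODING|org.example.Util|readAll",
    "HRS_REQUEST_PARAMETER_TO_HTTP_HEADER|org.example.Redirect|go",
])


def parse_report(xml_text):
    """Extract one record per BugInstance element from a FindBugs-style XML report."""
    findings = []
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        cls = bug.find("Class")
        method = bug.find("Method")
        line = bug.find("SourceLine")  # first direct child: the primary source line
        findings.append({
            "type": bug.get("type"),
            "priority": int(bug.get("priority", "3")),  # FindBugs: 1 = high, 3 = low
            "category": bug.get("category", ""),
            "message": (bug.findtext("LongMessage") or "").strip(),
            "class": cls.get("classname") if cls is not None else "",
            "method": method.get("name") if method is not None else "",
            "file": line.get("sourcepath") if line is not None else "",
            "line": int(line.get("start", "0")) if line is not None else 0,
        })
    return findings


def finding_key(finding):
    """Stable identity: bug pattern + class + method. Line numbers are left out on
    purpose so that unrelated edits which shift code do not make a known problem look new."""
    return "|".join([finding["type"], finding["class"], finding["method"]])


def triage(findings, baseline_json):
    """Split current findings into new and known, and list baseline keys that no longer appear (fixed)."""
    baseline = set(json.loads(baseline_json))
    current = {finding_key(f): f for f in findings}
    return {
        "new": [f for k, f in current.items() if k not in baseline],
        "known": [f for k, f in current.items() if k in baseline],
        "fixed": sorted(baseline - set(current)),
    }


def gate_fails(result, max_priority=1):
    """Fail the weekly run only on *new* SECURITY findings at or above max_priority."""
    return any(f["category"] == "SECURITY" and f["priority"] <= max_priority for f in result["new"])


def known_problems(findings):
    """One line per finding, in a form that can be pasted into the project's bug list."""
    return ["%s in %s.%s (%s:%d, priority %d): %s" % (
        f["type"], f["class"], f["method"], f["file"], f["line"], f["priority"], f["message"])
        for f in findings]


def new_baseline(findings):
    """Serialise the current findings as the next run's baseline; write this only after triage."""
    return json.dumps(sorted(finding_key(f) for f in findings))


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT), SAMPLE_BASELINE)
    for entry in known_problems(result["new"]):
        print("NEW   ", entry)
    print("known:", len(result["known"]), "fixed:", result["fixed"])
    print("gate fails:", gate_fails(result))
```

On the sample data only the SQL finding is new, the XSS and encoding findings are already in the bug list, and one baseline entry has disappeared and can be closed; the run fails the gate because the new finding is a priority-1 SECURITY bug. The "fixed" list is worth reviewing as carefully as the "new" one: a finding that vanishes because a method was renamed has not been fixed, and with this key scheme it would reappear as new on the same run.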
OWASP Projects Scanned
Non-OWASP projects scanned include MediaWiki, WordPress, and many others. See owasp.fortify.com for details.
We need OWASP project leaders to submit their projects for review. We will work with you to upload your project and review the findings, so that we can get each OWASP project to show zero defects.
To contact us, subscribe to the project mailing list at https://lists.owasp.org/mailman/listinfo/owasp-scode-review-owasp-projects. You can post to the mailing list by emailing .
Project lead: James Walden
Contributors: Maureen Doyle, Grant Welch, Michael Whelan
Reviewers: Marco Morano, Alex Fry