Funds available for OWASP Projects
This page contains details about funds available to OWASP projects.
The sponsorship model is different from the one used in OWASP Autumn Of Code 2006, OWASP Spring Of Code 2007, OWASP Summer of Code 2008 and OWASP Season of Code 2009: here, specific funds have been allocated to individual OWASP projects throughout the year (for example by new OWASP members or by companies/organizations with specific requirements/projects).
Available Projects/THIS FIELD IS UNDER REVIEW
OWASP is requesting proposals for the following OWASP projects:
- Questions for SANS - Write 200 questions for SANS, with a percentage of those questions made open to the OWASP community (funds directly allocated by SANS for this project).
- Source Code Review OWASP Projects - Implement a workflow where all OWASP projects that use Java technology are automatically audited for security flaws (funds directly allocated by Fortify Software for this project).
- BlackTop project - Develop a runtime code analysis tool to be used by penetration testers during client engagements (funds directly allocated by Ounce Labs for this project).
How to Apply
If you are interested, email your proposal to Dinis.cruz at owasp.net including responses to the following items:
- Your educational and professional background
- Application security experience and accomplishments
- Participation and leadership in open communities
- The opportunity, challenges, issues or need your proposal addresses
- Milestones and objectives
- Specific activities and who will carry out these activities
- Specific deliverables and a rough project schedule so we can track progress
- Long-term vision for the project
- Any other reasons why you and your project should be selected
The proposed project delivery time is 3 months, and payment will be made in two 50% parts: one at the 50% mark and one at the 100% mark (i.e. project completed).
OWASP will also put the applicants in touch with the contacts at the sponsoring companies so that the brief and project deliverables can be finalized.
Project details/THIS FIELD IS UNDER REVIEW
Questions for SANS (5k)
- Project description: Write Java/JSP questions for SANS's Software Security Institute certification exams (http://www.sans-ssi.org/). The candidate will need to write 200 questions and answers and must be a knowledgeable and respected member of the Java community. For obvious reasons, only 10% to 20% of the questions created will be disclosed to the OWASP community; the remainder will be used in the certification exams.
- Note that although this first request is for questions in Java/JSP, there are plans to run a similar project for C, C++, PHP and .NET, so if you are interested in these other languages feel free to contact us.
- Funds available: 5,000 USD
- Sponsor: SANS
Source Code Review OWASP Projects (5k)
- Project description: Use Fortify Software's source code scanning engine (http://opensource.fortifysoftware.com) to scan open source projects coded in Java. The objectives of this project will be:
  - Develop and document a workflow for open source projects to incorporate static analysis into the Software Development Life Cycle (SDLC).
  - Apply the above workflow as a required step for OWASP projects.
  - Aid in auditing select open source projects to create a baseline for comparing security amongst open source projects.
- Funds available: 5,000 USD
- Sponsor: Fortify Software
BlackTop - Runtime coverage analysis tool (10k)
- Project description: Develop and document a "blackbox" pen testing code analysis solution capable of providing runtime coverage analysis for applications written in Java and .NET. To ensure the solution does not require access to the applications' source code, it should use bytecode weaving frameworks such as AspectJ (Java) and PostSharp (.NET).
- The project must produce an open source, release-quality application, including a GUI and documentation. The project must be released under a license; either the Eclipse Public License or the Mozilla Public License is acceptable.
- The tool should provide code-level details and call trace information for all ingress and egress points of the application, and be able to identify gaps in the "blackbox" testing to facilitate more accurate and complete pen testing. All output and configuration should use an open format (such as XML), and the tool should support command-line execution.
- Funds available: 10,000 USD
- Sponsor: Ounce Labs