Funds available for OWASP Projects

From OWASP
Revision as of 11:31, 2 July 2007 by Dinis.cruz (Talk | contribs)


This page contains details about funds available to OWASP projects.

The sponsorship model is different from the one used in AoC 06 and SpoC 007: these are cases where specific money has been allocated to OWASP projects throughout the year (for example by new OWASP members, or by companies/organizations with specific requirements or projects).


July 2007 Batch - Overview

Now with the SpoC 007 (Spring of Code 2007) under way, OWASP is requesting proposals for OWASP projects with sponsorship funds available.

The projects with funding available are (with details included below):

  • OSG - OWASP Site Generator - Join Boris in his development of the new version of .NET's OSG (funds from SPI Dynamics and Cenzic membership fees)
  • OWASP Corporate Application Security Rating Guide - Create and release the first version of this very important document ( funds from Cenzic membership fees)
  • Questions for SANS - Write 200 questions for SANS, with a percentage of those questions made open to the OWASP community (funds directly allocated by SANS for this project)
  • Source Code Review OWASP Projects - Implement a workflow where all OWASP projects that use JAVA technology are automatically audited for security flaws (funds directly allocated by Fortify Software for this project)
  • BlackTop project - Develop a runtime code analysis tool to be used by Penetration Testers during client engagements.

If you are interested, email your proposal to Dinis.cruz at owasp.net including responses to the following items:

  • Your educational and professional background
  • Application security experience and accomplishments
  • Participation and leadership in open communities
  • The opportunity, challenges, issues or need your proposal addresses
  • Milestones and objectives
  • Specific activities and who will carry out these activities
  • Specific deliverables and a rough project schedule so we can track progress
  • Long-term vision for the project
  • Any other reasons why you and your project should be selected

The proposed project delivery time is 3 months, and the payment will be made in two 50% parts: one at the 50% mark and one at the 100% mark (i.e. project completed).

OWASP will also put the applicants in touch with the contacts at the sponsoring companies so that the brief and project deliverables can be finalized.

The deadline for project submissions is July 15th.

July 2007 Batch - Project details

OSG - OWASP Site Generator (5k)

  • Project description: Continue development of Site Generator, write new vulnerabilities, work on new dynamic engine, document findings
  • Funds available: 5,000 USD
  • Sponsor: SPI Dynamics, Cenzic


OWASP Corporate Application Security Rating Guide (3k)


Questions for SANS (5k)

  • Project description: Write JAVA/JSP questions for SANS's Software Security Institute certification exams (http://www.sans-ssi.org/). The candidate will need to write 200 questions and answers and must be a knowledgeable and respected member of the Java community. For obvious reasons only 10% to 20% of the questions created will be disclosed to the OWASP community, with the remainder to be used in the certification's exams.
    • Note that although this first request is for questions in JAVA/JSP, there are plans to run a similar project for C, C++, PHP and .NET, so if you are interested in these other languages feel free to contact us.
  • Funds available: 5,000 USD
  • Sponsor: SANS


Source Code Review OWASP Projects (5k)

  • Project description: Use Fortify Software's source code scanning engine (http://opensource.fortifysoftware.com) to scan open source projects coded in JAVA. The objectives of this project will be:
    • Develop and document a workflow for open source projects to incorporate static analysis into the Software Development Life Cycle (SDLC).
    • Apply the above workflow as a required step for OWASP projects.
    • Aid in auditing select open source projects to create a baseline for comparing security amongst open source projects.
  • Funds available: 5,000 USD
  • Sponsor: Fortify Software


BlackTop - Runtime coverage analysis tool (10k)

  • Project description: Develop and document a "blackbox" pen testing code analysis solution capable of providing runtime coverage analysis for applications written in Java and .NET. To ensure the solution does not require access to the application's source code, it should instrument at the bytecode level, using (for example) the AspectJ and PostSharp bytecode weaving frameworks.
    • The project must produce an open source, release quality application, including a GUI and documentation. The project must be released under an open source license; either the Eclipse Public License or the Mozilla Public License is acceptable.
    • The tool should provide code level details and call trace information for all ingress and egress points of the application, and be able to identify gaps in the "blackbox" testing to facilitate more accurate and complete pen testing. All output and configuration should use an open format (such as XML), and the application should support command line execution.
  • Funds available: 10,000 USD
  • Sponsor: Ounce Labs