Difference between revisions of "ORPRO-process"

From OWASP
(Documented activities)
Line 2: Line 2:
  
 
* '''Project intake'''
 
* '''Project intake'''
** ''PI.01: Communication with Open source project.'' Proposals for open source projects to be reviewed can be sent to one of the ORPRO project leads.  
+
** ''PI.01: Communication with open source project.'' Proposals for open source projects to be reviewed can be sent to one of the ORPRO project leads. Alternatively, the project actively approache open source projects. The open soure project must provide at least one primary contact.
** ''PI.02: Check entry criteria.'' The open source project will be checked against some entry criteria - for example the open source project team should be in a position to remediate security defects that are discovered.
+
** ''PI.02: Check entry criteria.'' The open source project will be checked against entry criteria. Entry criteria are:
** ''PI.03: Risk assessment.''
+
*** it must be widely used
 +
*** its license must allow independent security review
 +
*** the open source project team should be in a position to remediate security defects that are discovered
 +
*** the programming language must be supported by ORPRO's automated source code scanners and manual review team
 +
** ''PI.03: Risk assessment.''  
 
** ''PI.04: Assemble team.'' The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
 
** ''PI.04: Assemble team.'' The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
 
* '''Review'''
 
* '''Review'''
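
Review bot: In the added PI.02 entry criteria, three items say "must" while the remediation item says "should", so it is unclear whether that criterion is mandatory; use one modal throughout and say how "widely used" is judged. The added PI.01 line also misspells "approaches" as "approache" and "source" as "soure", and PI.03 is still left without any description.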

Revision as of 05:38, 31 October 2008

ORPRO process detail 1.jpg

  • Project intake
    • PI.01: Communication with open source project. Proposals for open source projects to be reviewed can be sent to one of the ORPRO project leads. Alternatively, the project actively approaches open source projects. The open source project must provide at least one primary contact.
    • PI.02: Check entry criteria. The open source project will be checked against entry criteria. Entry criteria are:
      • it must be widely used
      • its license must allow independent security review
      • the open source project team should be in a position to remediate security defects that are discovered
      • the programming language must be supported by ORPRO's automated source code scanners and manual review team
    • PI.03: Risk assessment.
    • PI.04: Assemble team. The project lead assigns a review project lead and the lead can additionally select a team of reviewers.
  • Review
    • Automated review
      • Assuming the project uses a platform supported by owasp.fortify.com, the source code is run through automated analysis. Defects discovered are manually reviewed and then communicated to the owners of the open source project for remediation. For more information on this process, see the OWASP Open Review owasp.fortify.com FAQ.
      • AR.01: Configure tooling.
      • AR.02: Run tool on project.
      • AR.03: Review findings.
      • AR.04: Document results.
    • Manual Review
      • MR.01: Configure tooling.
      • MR.02: Perform manual review.
      • MR.03: Document results.
      • Reviewers manually review the application design and source code and communicate identified issues to the owners of the open source project for remediation.
  • Reporting
    • RE.01: Report issues to project. Either reviewers or the open source project leaders responsibly disclose the identified security issues.
    • RE.02: Final report at OWASP site.

The ORPRO project is a relatively new effort and it is expected that these processes will develop and change over time to accommodate new situations as they arise.