Difference between revisions of "OWASP Spring Of Code 2007 Project Ideas"

(Reverting to last version not containing links to s1.shard.jp)

Latest revision as of 07:49, 3 June 2009

This page contains project ideas for submissions to the OWASP_Spring_Of_Code_2007. Current OWASP project leaders should use this as a place to put their 'wish-list' for their projects.

We are looking for great projects that will help make the world a place where insecure software is the exception, not the rule. We'll consider any kind of project including tools, knowledgebase, process, marketing, etc...

OWASP Projects

See the current project list at OWASP Projects and contact the project leaders if you have specific ideas.

SpoC 007

  • Help with SpoC 007 initiative
    • project manage SpoC 007 projects
    • ensure all projects are going smoothly

General Ideas

  • Develop a JavaScript library to fingerprint a good guy browser connection as opposed to a bot or other bad guy attacker.
  • OWASP Honeycomb Project: Normalize the CLASP and VulnCat data and help to release the Honeycomb user's guide
  • Help to Complete V2.0 of WebScarab and package it as product
  • Integrate WebGoat with SiteGenerator
  • Complete the 'Owasp membership pack'
  • Create the next version of 'Owasp Live CD'
  • Organize the 'OWASP branding project' and make a 1st pass at the current abuses of the OWASP brand
  • Create Training materials for OWASP projects (from tools to guides)
  • AppSec Principles - do some research and flesh out one of the OWASP principles. Talk about how the principle works in general, and then examine how it is applied in various contexts
  • Attacks - flesh out the list of attacks, develop each one with content and links
  • Vulnerabilities - work to fill out writeups of vulnerabilities and clean up the vulnerability lists. There's lots of linking to other articles here needed. We're integrating CLASP, CWE, Fortify, and other sources of vulnerabilities to make the best resource anywhere.
  • Countermeasures - general cleanup and linking of these articles. Probably some stubs in there that need significant writing
  • Java Project - great opportunity to do research and bring together all the best information in one place for Java developers

Medium or Large Projects

  • OWASP Corporate Application Security Rating Guide - Help us examine the application security practices of the corporate world. How about assessing the top 50 companies and top 50 software companies for their practices. The goal is to make it public what companies are doing in this area. The link is just an idea of how it might work!
  • Static Analysis to Pentest - Write a tool that takes the output of static analysis and turns it into penetration test cases
  • Security Test Automation - Make WebScarab generate, record, and playback security test cases (think JUnit) so that you can do regression security testing
  • Open Threat Modeling - Build an open threat modeling tool like Microsoft's but not so cumbersome
  • Data Flow - Adding true data flow analysis to LAPSE. Check out the jDFA project at sourceforge to see whether that can be applied to find tainted data attacks like XSS and SQL injection (as well as others)
  • Security Across the SDLC - Integrated security activities across the lifecycle. Currently people are talking about “touchpoints” and “activities” but there’s no unifying line of sight or theme.
  • Honeycomb - It seems simple, but when you start trying to organize ALL the information that’s out there it gets incredibly difficult. The simple taxonomies are wrong, bad, and misleading. Honeycomb is using a folksonomy approach that I hope will allow us to do something new here. But it really needs someone to think it through – perfect for a thesis.
  • Honeycomb+Tools - Integrating the Honeycomb information into tools would be incredibly helpful. Things like the OWASP report generator need it. Threat modeling tools need it. Scanners need it. We need to prepare the information there for tool use.
  • LiveCD Education Project - The LiveCD project is a phenomenal idea. What it needs to really take flight is information that educates the user on every aspect. This project will generate text tutorials, video tutorials, and other learning media that will help users learn how to use the LiveCD along with the tools which it encompasses.

OWASP .Net Project

  • Organize the current OWASP .NET Project in a similar way to the Java Project
  • Cross-reference the .NET material in the other OWASP projects (Testing Guide, HoneyComb, etc.) and add more articles specific to .NET security
  • Expand Dinis Cruz' research on .Net partial trust and create a Proof of Concept application showing how .Net's Partial Trust Sandbox can be used to mitigate against most Web Application Attacks (extra bonus points if a Java demo is also delivered :)

OWASP Site Generator

  • Add more vulnerabilities (and document them using ORG)
  • Implement the new engine (HTTP-based, using interfaces) which allows the use of any backend web technology
  • Add the ability to save / log all requests received
  • Write documentation and articles about it

OWASP Site Generator

  • Fix bugs in the OWASP version
  • Add multiple Sample Reports (namely for the current OWASP tools)
  • Write documentation and articles about it

.NET Tools to develop

  • Dynamically calculate required CAS permissions (don’t get me started on PermCalc)
  • Refactor code that requires higher permissions into separate assemblies (so that only 1% of the code will need to run outside the Sandbox)
  • Converters of unmanaged code to managed code (i.e. C++ to C#, VB6 to VB.Net, etc…)
  • Source code audit tools that identify vulnerabilities or areas that might have vulnerabilities
  • ".Net Time-machine (ala Flight Recorder)" - ability to record the entire state of all objects during a .Net Execution and allow the execution, debugging and fuzzing from any arbitrary point (see Java’s DeJaVu and JaRec Projects (I remember seeing another PoC of this type of tool, but can’t seem to be able to find the link))
  • Smart fuzzers (to find run-time vulnerabilities)
  • ‘Security rating calculators’ which will give a product (or DLL) a rating based on the ‘threat profile of that application’ (for example, the more unmanaged code, the worse the rating). This will be a very important part of the ‘Partial Trust Brand’
  • Development environments that allow the development of complex and feature-rich partial trust applications like IE in managed code
  • New execution environments (aka mini CLRs) that allow the execution of managed/verifiable code in: services, drivers, plug-ins, etc.
  • New Virtual PC execution environments that allow the safe execution of ‘potentially malicious applications’ whose interface with the user’s assets is controlled by a managed/verifiable application (and CAS policies)
  • ‘What is going on’ tools. When I run an application I need to know EVERYTHING it does. And if the application somehow escapes the ‘execution monitoring system’ I want to know that it did. Now that Microsoft bought SysInternals, can we have a massive boost in those tools’ capabilities? These tools must also build CAS policies based on what they detect the target application needs.
  • Tools that allow the easy development and use of CAS and RBS (Role-Based Security), and frameworks for securing an application’s business logic (for example, using CAS to prevent user accounts from being changed, or a bank account from being accessed)
  • Code Coverage Tools - To know how much of an application has been tested, fuzzed or executed
  • ‘Real-time hot patching of jitted methods (without using the .NET profiler)’ - For advanced defence solutions we will need the capability to make changes to jitted code (i.e. writing patches in C#)

ASP.NET

  • WAF (Web Application Firewalls) with pluggable modules for: Data Validation, Authentication, Authorization, Anti-CSRF, DoS, Business-Logic vulnerabilities, etc…
  • A framework similar to Struts (which forces developers to do the right thing, i.e. explicitly define all inputs into their application)
  • IDS (Intrusion Detection Systems) with the capability to change the application’s behaviour when under attack
  • Native HTTP pipeline for IIS 5 and 6 (similar to what seems likely to happen in IIS 7). This will be very important to protect ASP Classic pages
  • CAS demands for dangerous methods (for example, methods and classes that allow SQL injection, XSS, etc.). The current CAS permission model is designed to protect the server and the other co-hosted applications. This needs to be extended so that CAS can be used to protect the actual application from vulnerabilities in its own code
  • CAS demands for methods or code that ‘should’ exist (for example, data validation checks, authorization, etc.)