OWASP Spring Of Code 2007 Project Ideas

Revision as of 02:04, 14 March 2007 by Dinis.cruz


This page contains project ideas for submissions to the OWASP_Spring_Of_Code_2007

Current OWASP project leaders should use this as a place to put their 'wish-list' for their projects.

General Ideas

  • OWASP Honeycomb Project: Normalize the CLASP and VulnCat data and help to release the Honeycomb user's guide
  • Help to complete V2.0 of WebScarab and package it as a product
  • Integrate WebGoat with SiteGenerator
  • Complete the 'Owasp membership pack'
  • Create the next version of 'Owasp Live CD'
  • Complete the project OWASP Report Generator (ORG) and release it as a product
  • Organize the 'OWASP branding project' and make a 1st pass at the current abuses of the OWASP brand
  • Create training materials for OWASP projects (from tools to guides)
  • Webmaster the Owasp.org website for 3 months and implement all missing functionality
  • For more ideas see the current project list at OWASP Project

OWASP .Net Project

  • Organize the current OWASP .NET Project in a similar way to the Java Project
  • Cross reference the .NET material in the other OWASP projects (Testing Guide, HoneyComb,etc...) and add more articles specific to .NET security
  • Expand Dinis Cruz' research on .Net partial trust and create a Proof of Concept application showing how .Net's Partial Trust Sandbox can be used to mitigate most web application attacks (extra bonus points if a Java demo is also delivered :)

OWASP Site Generator

  • Add more vulnerabilities (and document them using ORG)
  • Implement the new engine (HTTP-based, using interfaces) which allows the use of any backend web technology
  • Add the ability to save / log all requests received
  • Write documentation and articles about it

OWASP Report Generator (ORG)

  • Fix bugs in the OWASP version
  • Add multiple Sample Reports (namely for the current OWASP tools)
  • Write documentation and articles about it

.NET Tools to develop

  • Dynamically calculate required CAS permissions (don’t get me started on PermCalc)
  • Refactor code that requires higher permissions into separate assemblies (so that only 1% of the code will need to run outside the Sandbox)
  • Converters of unmanaged code to managed code (e.g. C++ to C#, VB6 to VB.Net, etc…)
  • Source code audit tools that identify vulnerabilities or areas that might have vulnerabilities
  • “.Net Time-machine (à la Flight Recorder)” - ability to record the entire state of all objects during a .Net execution and allow execution, debugging and fuzzing from any arbitrary point (see Java’s DeJaVu and JaRec projects (I remember seeing another PoC of this type of tool, but can’t seem to be able to find the link))
  • Smart fuzzers (to find run-time vulnerabilities)
  • ‘Security rating calculators’ which will give a product (or dll) a rating based on the ‘threat profile of that application’ (for example, the more unmanaged code, the worse the rating). This will be a very important part of the ‘Partial Trust Brand’
  • Development environments that allow the development of complex and feature-rich partial trust applications like IE in managed code
  • New execution environments (aka mini CLRs) that allow the execution of managed/verifiable code in: services, drivers, plug-ins etc…
  • New Virtual PC execution environments that allow the safe execution of ‘potentially malicious applications’ whose interface with the user’s assets is controlled by a managed/verifiable application (and CAS policies)
  • ‘What is going on’ tools. When I run an application I need to know EVERYTHING it does. And if the application somehow escapes the ‘execution monitoring system’ I want to know that it did. Now that Microsoft bought SysInternals, can we have a massive boost in those tools’ capabilities? These tools must also build CAS policies based on what they detected the target application needs.
  • Tools that allow the easy development and use of CAS and RBS (Role-Based Security) and frameworks for securing an application’s business logic (for example using CAS to prevent a user’s account from being changed, or a bank account from being accessed)
  • Code coverage tools - to know how much of an application has been tested, fuzzed or executed
  • ‘Real-time hot patching of jitted methods (without using the .NET profiler)’ - for advanced defence solutions we will need the capability to make changes to jitted code (i.e. writing patches in C#)
  • For ASP.NET:
    • WAF (Web Application Firewalls) with pluggable modules for: Data Validation, Authentication, Authorization, Anti-CSRF, DoS, Business-Logic vulnerabilities, etc…
    • A framework similar to Struts which forces developers to do the right thing (i.e. explicitly define all inputs into their application)
    • IDS (Intrusion Detection Systems) with the capability to change the application’s behaviour when under attack
    • Native HTTP pipeline for IIS 5 and 6 (similar to what seems to be planned for IIS 7)
      • This will be very important to protect ASP Classic pages
    • CAS demands for dangerous methods (for example methods and classes that allow SQL Injection, XSS, etc…)
      • The current CAS permission model is designed to protect the server and the other co-hosted applications. This needs to be extended so that CAS can be used to protect the actual application from vulnerabilities in its own code
    • CAS demands for methods or code that ‘should’ exist (for example data validation checks, authorization, etc….)
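The CAS and RBS items above (securing business logic with RBS, CAS demands on dangerous methods, and the partial trust sandbox PoC under the .NET Project) can be prototyped with what .NET Framework 2.0 already ships. The following is an added example written for this page; it is not code from any OWASP project or from the page's author. `AccountService`, its methods, the role name "Tellers" and the sample input are all assumptions. The business-logic method carries a declarative `PrincipalPermission` role demand (RBS), the raw-SQL method carries an unrestricted `SqlClientPermission` demand (CAS), and `Main` runs its own frame under a `PermitOnly` permission set so that the CAS demand fails, which is the effect a partial trust sandbox has on code that reaches for a dangerous API. It targets .NET Framework 2.0/3.5; CAS policy was retired in .NET Framework 4 and does not exist in .NET Core / .NET 5+, so the behaviour shown is specific to the Framework 2.0/3.5 model discussed on this page.

```csharp
using System;
using System.Data.SqlClient;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical business-logic layer (names are assumptions for this example).
static class AccountService
{
    // RBS: the demand checks Thread.CurrentPrincipal.IsInRole("Tellers") on every call
    // and throws SecurityException otherwise. No stack walk is involved; this is the
    // "prevent a user's account from being changed" case from the RBS item above.
    [PrincipalPermission(SecurityAction.Demand, Role = "Tellers")]
    public static void ChangeAccountOwner(int accountId, string newOwner)
    {
        Console.WriteLine("Account {0} now owned by {1}", accountId, newOwner);
    }

    // CAS: a "dangerous" method that concatenates untrusted input into SQL.
    // Demanding unrestricted SqlClientPermission triggers a stack walk; any caller whose
    // effective grant set lacks that permission (e.g. a partial trust caller, or a frame
    // under PermitOnly) makes the demand fail before the method body runs.
    [SqlClientPermission(SecurityAction.Demand, Unrestricted = true)]
    public static string BuildRawQuery(string userInput)
    {
        return "SELECT * FROM accounts WHERE owner = '" + userInput + "'";
    }
}

class Program
{
    static void Main()
    {
        // --- RBS demo: role on the thread principal decides access ---
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new string[] { "Tellers" });
        AccountService.ChangeAccountOwner(42, "bob");          // allowed

        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("mallory"), new string[] { "Customers" });
        try
        {
            AccountService.ChangeAccountOwner(42, "mallory");  // denied
        }
        catch (SecurityException e)
        {
            Console.WriteLine("RBS denied: " + e.Message);
        }

        // --- CAS demo: reduce this frame's permissions to Execution only ---
        // PermitOnly marks the current frame; every later demand that walks through it
        // must be a subset of 'sandbox' or it fails. This simulates what a partial trust
        // grant set does to code that reaches for a dangerous API.
        PermissionSet sandbox = new PermissionSet(PermissionState.None);
        sandbox.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        sandbox.PermitOnly();
        try
        {
            // Constructed injection-style input; the call never reaches the body.
            AccountService.BuildRawQuery("x' OR 1=1 --");
        }
        catch (SecurityException e)
        {
            Console.WriteLine("CAS denied: " + e.Message);
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }
}
```

Two caveats match the point made in the CAS items above. First, a demand only protects against callers that lack the permission: fully trusted code in the same assembly passes the stack walk, so CAS as shipped protects the host from the application rather than the application from its own vulnerable code, which is exactly the gap the "extend CAS" item describes. Second, an intervening frame can `Assert` the permission and short-circuit the walk, so the refactoring item (isolating the small amount of high-permission code into its own assembly) is what keeps such asserts rare and auditable.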