Difference between revisions of "Project Information:template JSP Testing Tool Project"

From OWASP
(owasp-jsp-testing-tool-project)
Revision as of 04:50, 15 June 2008

PROJECT IDENTIFICATION
Project Name: OWASP JSP Testing Tool Project
Short Project Description:
The goal of this project is to create an easy-to-use, freely available tool that can be used to quickly ascertain the level of protection that each component of a JSP tag library offers. This information can serve two purposes:
1. It provides a means for projects to create a coding standard. By identifying which components are safe or unsafe, a project can establish a preference order of usable components. For those components identified as unsafe, extra security requirements can be imposed on any pages using those components.
2. It provides tag library providers with development guidance. Providers can target security enhancements to the components that are most susceptible to cross-site scripting attacks. They can also use these results to demonstrate their performance relative to other competing tag libraries. It also provides feedback for developers who create small custom tag libraries for internal development usage.
Ideally, the input to the tool will be the Tag Library Descriptor file along with a compiled version of the tag library. The resulting output will be a report of all tags in the library and their associated attributes, with annotations for each attribute indicating whether or not it safely handles tainted input. Additionally, the framework for this tool should be robust enough to enable the functionality indicated by the future work section.
Email Contacts:
  Project Leader: Jason Li
  Project Contributors (if applicable): Name&Email
  Project Mailing List:
  First Reviewer: Mark Kerzner
  Second Reviewer: Fabrício Fujikawa (TBC)
  OWASP Board Member (if applicable): Name&Email
PROJECT MAIN LINKS
  • (If appropriate, links to be added)
SPONSORS & GUIDELINES
Sponsor - OWASP Summer of Code 2008 Sponsored Project/Guidelines/Roadmap
ASSESSMENT AND REVIEW PROCESS
Review / Reviewer:
  Author's Self Evaluation (applicable for Alpha Quality & further)
  First Reviewer (applicable for Alpha Quality & further)
  Second Reviewer (applicable for Beta Quality & further)
  OWASP Board Member (applicable just for Release Quality)

50% Review
  Author's Self Evaluation:
    Objectives & Deliveries reached? Yes/No (To update)
    See&Edit: 50% Review/Self-Evaluation (A)
  First Reviewer:
    Objectives & Deliveries reached? Yes/No (To update)
    See&Edit: 50% Review/1st Reviewer (C)
  Second Reviewer:
    Objectives & Deliveries reached? Yes/No (To update)
    See&Edit: 50% Review/2nd Reviewer (E)
  OWASP Board Member: X

Final Review
  Author's Self Evaluation:
    Objectives & Deliveries reached? Yes/No (To update)
    Which status has been reached? Season of Code - (To update)
    See&Edit: Final Review/Self-Evaluation (B)
  First Reviewer:
    Objectives & Deliveries reached? Yes/No (To update)
    Which status has been reached? Season of Code - (To update)
    See&Edit: Final Review/1st Reviewer (D)
  Second Reviewer:
    Objectives & Deliveries reached? Yes/No (To update)
    Which status has been reached? Season of Code - (To update)
    See&Edit: Final Review/2nd Reviewer (F)
  OWASP Board Member:
    Objectives & Deliveries reached? Yes/No (To update)
    Which status has been reached? Season of Code - (To update)
    See&Edit: Final Review/Board Member (G)