Project Information:template Live CD 2008 Project - Final Review - Self Evaluation - B

From OWASP
Revision as of 09:38, 5 March 2009 by Paulo Coimbra (Talk | contribs)


FINAL REVIEW
PART I

Project Deliveries & Objectives

OWASP Live CD 2008 Project's Deliveries & Objectives

Questions and Answers

1. To what extent have the project deliveries & objectives been accomplished? Taking into consideration the assumed ones, please give examples by writing down those of them that haven't been realised.

At inception, the project had the following goals:
  • Move from Morphix to SLAX (see Why SLAX)
    • Complete as of 50% review
  • Get SLAX to have an equal number of tools as had existed in the Live CD 2007 (updating tools where necessary)
    • Nearly complete as of 50% review. Metasploit has been added (the only missing part from the 2007 release at the 50% review) and updated to the latest SVN release. Also, a subversion client was added so that Live CD 2008 users can easily get the latest version on demand.
  • Add OWASP branding to SLAX
    • 90% complete at 50% review state. This is now complete and polished thanks to Nishi Kumar, who volunteered to do the graphic design work.
  • Add additional, quality tools
    • The following tools, which were not present on the 2007 CD, have been added to the CD:
      • Firefox 3 with many security related addons - details here
      • Burp Suite
      • Grendel-Scan
      • OWASP DirBuster
      • OWASP SQLiX
      • OWASP WSFuzzer
    • Some additional tools that are also web app sec related came as part of the SLAX distribution. These were mentioned in the OWASP Testing Guide version 2:
      • wget
      • host
      • dig
      • openssl
      • grep
      • whois
  • Document the Live CD 2008, both how it was created and general documentation (e.g. OWASP Testing Guide)
    • Extensive documentation on the creation of the Live CD 2008 was created here. This was done on a MediaWiki installation so that the content could be moved easily to the OWASP website. The Live CD's installation of Firefox also includes bookmarks to the general site as well as direct links to many of the internal Wiki pages. For most of the modules, step-by-step instructions on how they were created are documented down to the individual command level.
    • General documentation included on the Live CD 2008 consists of the following documents, primarily in PDF format. Also included is an HTML page linking to each document should the current version be desired. The Live CD 2008 documentation Wiki also includes this list with links here.
      • OWASP Testing Guide
        • OWASP Testing Guide v2 (stable release)
        • OWASP Testing Guide v3 Table of Contents
      • OWASP CLASP
      • OWASP Top Ten Project
        • OWASP Top Ten 2007
        • OWASP Top 10 for Java Enterprise Edition
      • OWASP AppSec FAQ Project
      • OWASP Books: Download PDFs or Order Online
        • OWASP CLASP v1.2
        • OWASP Top 10 - 2007 Edition
        • OWASP Top10 - Testing - Legal 07
        • OWASP WebGoat and WebScarab
        • OWASP Guide 2.0
        • OWASP Code Review - 2008 (RC2)
      • WASC Threat Classification
      • OSSTMM - Open Source Security Testing Methodology Manual
        • OSSTMM_3.0_LITE.pdf download
        • OSSTMM.en.2.2.pdf download

2. To what extent have the project deliveries & objectives been accomplished? Taking into consideration the assumed ones, please quantify in terms of percentage.

All the goals above are 100% complete.

3. What kind of help is required either from the Reviewers or from the OWASP Community?

First, my reviewers have been great. I couldn't ask more of them.

As for the OWASP community at large, I'd love for more people to download and test the OWASP Live CD 2008 and provide feedback. I've gotten some great feedback from the local OWASP chapter after presenting the Beta 2 release to them. I've also had some unsolicited feedback from several people (both OWASP and others). I'd love for this project to be wildly successful. To achieve that, I need feedback from a large number of people to find all the rough edges and provide suggestions to make it even better.

PART II

Assessment Criteria

OWASP Project Assessment Criteria

Questions and Answers

1. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven't been fulfilled in terms of Alpha Quality status?

Alpha Quality requires:
  • Agree to OWASP's open source license - yes
  • Main page must be on the OWASP website - yes
  • Have code documented in Google Code or Sourceforge - yes
  • Mailing List created - yes
  • Solves a core application security need - yes

2. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven't been fulfilled in terms of Beta Quality status?

Beta Quality requires:
  • Have an easy installer - yes (assumes booting the Live CD 2008 = installer)
  • Include user documentation on OWASP Wiki Pages - yes
  • Include documentation on how to build it from code - yes (assumes build from code = create Live CD 2008)
  • Documentation stored with code - yes (assumes ISO image = source code)

3. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven't been fulfilled in terms of Release Quality status?

Release Quality requires:
  • Reasonably easy to use - yes
  • Include online documentation built into the tool - yes
  • Include scripts that facilitate building from source - yes (assumes the scripts documented in the Live CD 2008 creation documentation suffice)
  • Publicly accessible bug tracking system - yes
  • Run through Fortify and/or Coverity's source code review - N/A

4. What kind of help is required either from the Reviewers or from the OWASP Community?

See my comments for #3 above. I'd also love assistance getting the word out about the OWASP Live CD 2008.

Also, I'd like some guidance on the following:
  • Would OWASP like the documentation Wiki migrated from its current location on http://mtesauro.com/livecd?
  • If so, where should this exist?
  • Is there anything I need to do to indicate my desire to continue with this project? Either official requirements or notification(s), etc.?