QA wikiupdates

From OWASP

Quality Approach Updates

12 June 2014

These are the activities and progress on the QA project described here: https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach

JIRA Account configured for Candidate Flagship projects

Set up projects in JIRA (done):

  • OWASP AntiSamy Project
  • OWASP Enterprise Security API
  • OWASP ModSecurity Core Rule Set Project
  • OWASP CSRFGuard Project
  • OWASP Web Testing Environment Project
  • OWASP WebGoat Project
  • OWASP Zed Attack Proxy

Set up accounts for project leaders and admins (done)

JIRA account

Virtual Server: Testing Environment (in progress)

Acquired a virtual server through Leaseweb. OS: Windows 2012. Installed components:

  • Eclipse
  • Visual Studio Express
  • OWASP ZAP 2.3.1
  • Tomcat 6
  • MySQL 5.5
  • Tortoise Subversion
  • JRE 7
  • Mozilla
  • WAVSEP.war

To be installed:

  • WebGoat (latest version)

SWAMP integration preliminary tests

Created some tests to load ESAPI C into the SWAMP, but the assessment failed, probably because of the build scripts. We will continue the tests with ESAPI C++; ESAPI C has been inactive for more than 2 years.

SWAMP

Preliminary tests on activity verification

The ESAPI libraries are currently being verified against the health criteria. This first assessment gave the following results:

  • Perl: last maintained 3 years ago
  • C++: last commit 11 months ago
  • Python: last release 3 years ago
  • .NET: last release 3 years ago
  • C: source code last updated 2 years ago
  • Java: updated a month ago
  • Classic ASP: last release 3 years ago

Libraries with more than a year without updates do not pass the health criteria. Email has been sent to the project leaders to verify the level of inactivity and any further plans for the future.

  • .NET has been verified as inactive by its project leader
  • The Python library too
  • Kevin Wall has also confirmed most projects are inactive

Development of a Python tool for sniffing activity in repositories

Ohloh is a nice tool, but unfortunately it does not measure activity across multiple branches. We hope the tool built by Enrico Branca can help with this, since it can measure activity in all branches.
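As an added example (not Enrico Branca's tool and not OWASP code), a small Python script that applies the health criterion above, more than a year without updates fails, across every branch rather than only the default one; the same check is the "verify source code commits on branches" step of the CSRF verification later on this page. It assumes the branch list comes from the real `git for-each-ref` command shown in the docstring, and the sample output is constructed.

```python
"""Repository activity check across all branches.

Input is the output of:
  git for-each-ref --format='%(refname:short) %(committerdate:iso8601)' refs/heads refs/remotes
The sample below is constructed and mimics that output.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: a repo whose default branch is stale but whose
# feature branch is still receiving commits. A default-branch-only
# check would call this project inactive; an all-branch check would not.
SAMPLE_REFS = """\
master 2013-02-11 14:03:22 +0100
origin/master 2013-02-11 14:03:22 +0100
origin/feature/csrf-token-rotation 2014-05-28 09:41:07 +0200
"""

INACTIVITY_LIMIT = timedelta(days=365)          # health criterion: > 1 year fails
NOW = datetime(2014, 6, 12, tzinfo=timezone.utc)  # date of this status update


def parse_refs(text):
    """Parse 'refname date time tz' lines into {branch: aware datetime in UTC}."""
    branches = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, date_s, time_s, tz_s = line.split()
        ts = datetime.strptime(f"{date_s} {time_s} {tz_s}", "%Y-%m-%d %H:%M:%S %z")
        branches[name] = ts.astimezone(timezone.utc)
    return branches


def last_activity(branches, only=None):
    """Most recent commit date, optionally restricted to a single branch name."""
    dates = [d for n, d in branches.items() if only is None or n == only]
    return max(dates) if dates else None


def is_healthy(branches, now=NOW, only=None):
    """True if the last update (on the selected branches) is within the limit."""
    last = last_activity(branches, only)
    return last is not None and (now - last) <= INACTIVITY_LIMIT


def check_sample():
    """Return (default-branch-only verdict, all-branches verdict) for the sample."""
    b = parse_refs(SAMPLE_REFS)
    return is_healthy(b, only="master"), is_healthy(b)


if __name__ == "__main__":
    master_only, all_branches = check_sample()
    print("master only :", master_only)     # False
    print("all branches:", all_branches)    # True
```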

June 17, 2014

ESAPI libraries : conclusions

  • Together with the ESAPI project leaders, we have confirmed that ESAPI Java will remain a lab project
  • The other ESAPI libraries will now be set to inactive, as also confirmed with the project leaders

In progress: Testing CSRF

I have started the main verification of the CSRF libraries, which includes:

  • Getting the source code from GitHub
  • Verifying source code commits on branches
  • Verifying wiki pages against the health criteria
  • Verifying the instructions on how to use the code
  • Verifying issue fixing on the issue list and the wiki pages

So far I am entering this information in JIRA for the project leaders to give feedback and verify the findings. I'll be working on CSRF this week, and next week we will define the final status for this library.

In progress: Meeting with the SWAMP team, 18 June 2014

Tomorrow I'll have a meeting with the SWAMP team to go over some technical questions regarding the implementation of tools/packages on the SWAMP servers. I hope this meeting can help us define a strategic plan for the deployment of OWASP tools in this environment.