[Owasp-codereview] Orizon project invitation
thesp0nge at gmail.com
Wed Nov 29 18:28:21 EST 2006
Orizon is a new Owasp project, born while I was preparing a
speech that I gave at SMAU, an IT Business event that took place in
Milan last October.
[ Introduction to Orizon ]
I was researching code review and safe coding methodologies and I
realized that none of the sample tools I collected shares knowledge
about the security checks that are to be applied to the source code.
While I understand such an approach in a proprietary tool, I find that
it does not properly address the problem.
My idea is that code review tools need to share a common library
that includes bad coding patterns, unsafe code snippets, well known
source code related security branches. Therefore I started working on a
code review engine, in fact the Orizon project.
Orizon's goal is to provide three things (where the third is a direct
consequence of the first two):
a) a repository of security checks to be applied to source code during
a tool assisted code review
b) a framework for building code review security tools. By saying a
framework I mean that Orizon will provide a set of APIs and objects
usable by third-party developers to write their tools
c) as a consequence of points a) and b), Orizon will be a
security code review tool. A small source code assessment tool will be
implemented to show Orizon API usage and it will be used of course
during source code assessments.
Orizon will be developed using the Java 5 language.
[ Invitation ]
This mail is meant as an invitation to join the project. As a
matter of fact, the design phase is almost done, and I'll release a
whitepaper describing the framework architecture by next week.
An SVN repository is already up at sourceforge (links are provided at
the bottom of this mail) with a Java parser built using ANTLR and a very
silly source file statistics collector that needs further coding.
I invite all interested people to join the Orizon mailing list in order
to discuss framework internals, and "how the things need to be
done"... if you are a Java coder, you're also invited to hack my
code of course.
[ Links ]
Orizon page @ owasp:
Join the Orizon mailing list:
Orizon homepage @ sf.net: http://orizon.sourceforge.net/
[ Thanks ]
Orizon would not exist without great tools such as LAPSE, PMD, RATS,
Splint, Flawfinder. So if any of you are involved in these projects...
thank you :)
Different does not necessarily mean worse
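The three goals listed in the mail (a shared repository of security checks, an API that third-party tools can build on, and a small review tool on top of it), sketched as an added Java 5 example. This is not Orizon code and not the project's API: the class names, check ids and regular expressions are hypothetical, and the source text it scans is constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/* Hypothetical sketch (not Orizon code) of the three goals in the mail:
 * (a) a repository of security checks, (b) an API that third-party tools
 * can reuse, (c) a minimal review tool built only on that API. Java 5 syntax. */

/** One finding reported by a check: where it is and why it matters. */
class Finding {
    final String checkId;
    final String file;
    final int line;
    final String message;

    Finding(String checkId, String file, int line, String message) {
        this.checkId = checkId;
        this.file = file;
        this.line = line;
        this.message = message;
    }

    public String toString() {
        return file + ":" + line + " [" + checkId + "] " + message;
    }
}

/** The API a check implements; tools only depend on this interface and Finding. */
interface SecurityCheck {
    String id();
    List<Finding> run(String file, String[] lines);
}

/** Simplest kind of check: a line matching a regular expression is flagged. */
class PatternCheck implements SecurityCheck {
    private final String id;
    private final String message;
    private final Pattern pattern;

    PatternCheck(String id, String message, String regex) {
        this.id = id;
        this.message = message;
        this.pattern = Pattern.compile(regex);
    }

    public String id() { return id; }

    public List<Finding> run(String file, String[] lines) {
        List<Finding> out = new ArrayList<Finding>();
        for (int i = 0; i < lines.length; i++) {
            if (pattern.matcher(lines[i]).find()) {
                out.add(new Finding(id, file, i + 1, message)); // 1-based line numbers
            }
        }
        return out;
    }
}

/** Goal (a): the shared knowledge base. Any tool can register or run checks. */
class CheckRepository {
    private final List<SecurityCheck> checks = new ArrayList<SecurityCheck>();

    void register(SecurityCheck check) { checks.add(check); }

    /** Goal (b): one call runs every registered check over a source file. */
    List<Finding> review(String file, String source) {
        String[] lines = source.split("\n");
        List<Finding> all = new ArrayList<Finding>();
        for (SecurityCheck check : checks) {
            all.addAll(check.run(file, lines));
        }
        return all;
    }
}

/** Goal (c): a tiny assessment tool written against the API above. */
public class MiniReview {
    /** Hypothetical check ids and patterns; a real repository would be far larger. */
    static CheckRepository defaultRepository() {
        CheckRepository repo = new CheckRepository();
        repo.register(new PatternCheck("C-GETS",
            "gets() has no bounds check; use fgets()",
            "\\bgets\\s*\\("));
        repo.register(new PatternCheck("JAVA-SQL-CONCAT",
            "SQL built by string concatenation; use PreparedStatement parameters",
            "execute(Query|Update)?\\s*\\(\\s*\"[^\"]*\"\\s*\\+"));
        repo.register(new PatternCheck("JAVA-EXEC-CONCAT",
            "command line built by concatenation; validate input or pass an argument array",
            "\\.exec\\s*\\(\\s*\"[^\"]*\"\\s*\\+"));
        return repo;
    }

    public static void main(String[] args) {
        // Constructed sample input, not a real project file.
        String sample =
            "ResultSet rs = stmt.executeQuery(\"SELECT * FROM users WHERE name = '\" + name + \"'\");\n" +
            "Process p = Runtime.getRuntime().exec(\"ping \" + host);\n" +
            "PreparedStatement ps = conn.prepareStatement(\"SELECT * FROM users WHERE name = ?\");\n";
        for (Finding f : defaultRepository().review("Sample.java", sample)) {
            System.out.println(f);
        }
    }
}
```

Run with `javac MiniReview.java && java MiniReview`: the first two constructed lines are reported (SQL and command line built by concatenation), the PreparedStatement line is not. The point of the split is that the check definitions live in the repository, so a different front end (an IDE plugin, a build step) reuses the same knowledge rather than re-encoding it.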