[Owasp-board] Fortify's Java Open Review Project and Sponsoring an OWASP Spring of Code Project

Stephen de Vries stephen at corsaire.com
Wed Apr 4 16:20:15 UTC 2007

Interesting.  For the Metric's project, I think this is a perfect  
fit.  But it's a bit more difficult to see how this can fit into the  
Java project.  The Java project members might be interested in  
helping out with this effort, specifically, they could:
- review security defects for existing Java projects
- help fix security defects
- supply general feedback

But one thing I wanted to clarify first, is what will OWASP's role be  
in this?  As it stands now, anyone can join the Fortify project and  
start reviewing code.  But I can't see an angle that will benefit  
OWASP. (There doesn't have to be one, but it would be nice)


On 31 Mar 2007, at 02:47, Dinis Cruz wrote:

> That idea does sound interesting, do you have anybody in mind to do  
> that project (which we could sponsor)
> I haven't seen a SpoC 007 on that subject (https://www.owasp.org/ 
> index.php/OWASP_Spring_Of_Code_2007_Applications) but it would  
> definitely be an strong application
> Stephen or Bob, any comments on this? (Stephen is on the Java  
> Project and Bob Austin is on the Metrics)
> I also wanted to explore the option to scan OWASP projects using  
> your tool/free service, what are our options?
> Dinis Cruz
> Chief OWASP Evangelist
> http://www.owasp.org
> On 3/29/07, Fredrick DeQuan Lee <flee at fortifysoftware.com> wrote:
> Dinis,
> I just read the latest OWASP news letter and saw  the call for  
> OWASP Spring of Code participation. As you know, Fortify Software  
> produces software security and quality analysis tools. Fortify  
> recently launched a public project, the Java Open Review Project  
> ( http://opensource.fortifysoftware.com), to examine Java open  
> source projects for security and quality defects. The project  
> retrieves open source projects, performs static analysis using  
> FindBugs and Fortify Source Code Analysis, and presents the results  
> for online analysis for auditors and project owners. Fortify is  
> currently seeking participation from those wishing to: submit  
> projects, review security defects, help fix open source security  
> defects, or supply general feedback.
> I noticed that two of your Spring of Code project ideas listed  
> would benefit from the information available at the JOR project  
> site. Specifically, the Java Project and the AppSec Metrics project  
> both could make use from the data collected in the JOR project  
> site. Of particular interest to me would be having an OWASP Spring  
> of Code participant process JOR data to use in the AppSec Metrics  
> -- project. Fortify should be able to contribute additional funding  
> for such an effort. Do you think there would be interest in such a  
> project?
> More details about the JOR Project can be found at: http:// 
> opensource.fortifysoftware.com
> I hope to hear from you soon!
> Fredrick DeQuan Lee
> Fortify Software
> Security Research Group
> (w) 650-213-5677

Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:	+44 1483 226014
Fax: 	+44 1483 226068
Web: 	http://www.corsaire.com

CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
Corsaire Limited, registered in England No. 3338312. Registered
office: 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF.
Telephone: +44 (0)1483-226000

More information about the Owasp-board mailing list