[Owasp-board] Fwd: OWASP thesis project

Dinis Cruz dinis at ddplus.net
Thu Jan 18 12:06:13 UTC 2007


Great answers and ideas, Jeff.

I can see that you updated the OWASP student projects page
(http://www.owasp.org/index.php/OWASP_student_projects) :)

Also, can you get into the habit of adding links to new pages and relevant changes
(like this one) to the
http://www.owasp.org/index.php/OWASP_Newsletter_3#Latest_additions_to_the_WIKI
page?

That will make my and Aaron's lives easy.

Thanks

---------- Forwarded message ----------
From: Jeff Williams <jeff.williams at owasp.org>
Date: Jan 16, 2007 4:12 PM
Subject: RE: OWASP thesis project
To: s051033 at student.dtu.dk, Dinis Cruz <dinis at ddplus.net>

Hi Van,

Here are a few ideas.

- Write a tool that takes the output of static analysis and turns it into
penetration test cases

- Make WebScarab generate, record, and playback security test cases (think
JUnit) so that you can do regression security testing

- Build an open threat modeling tool like Microsoft's but not so ridiculous

- Adding true data flow analysis to LAPSE. Check out the jDFA project at
sourceforge to see whether that can be applied to find tainted data attacks
like XSS and SQL injection (as well as others)

- Security metrics from static analysis. Currently people stop at SLOC
count.  Build a tool that generates something like this label
(http://www.owasp.org/index.php/Types_of_application_security_metrics) and
it could get a lot of attention.

- Integrated security activities across the lifecycle.  Currently people
are talking about "touchpoints" and "activities" but there's no unifying
line of sight or theme.

- Honeycomb.  I know it seems simple, but when you start trying to organize
ALL the information that's out there it gets incredibly difficult.  The
simple taxonomies are wrong, bad, and misleading.  Honeycomb is using a
folksonomy approach that I hope will allow us to do something new here.  But
it really needs someone to think it through - perfect for a thesis.

- Honeycomb+Tools.  Integrating the Honeycomb information into tools would
be incredibly helpful.  Things like the OWASP report generator need it.
Threat modeling tools need it.  Scanners need it.  We need to prepare the
information there for tool use.

That's a few off the top of my head. Let me know what sounds interesting and
I'd be happy to think some more about it.

--Jeff

Jeff Williams, Chair
The OWASP Foundation
work: 410-707-1487
main: 301-604-4882

"Dedicated to finding and fighting the causes of insecure software"

-----Original Message-----
From: Van Vu [mailto:s051033 at student.dtu.dk]
Sent: Tuesday, January 16, 2007 11:04 AM
To: Dinis Cruz
Cc: owasp at owasp.org
Subject: OWASP thesis project
Importance: High

Dear Mr. Dinis and gurus,
My name is Van and I am an M.Sc. student from DTU (Denmark). My field of
study is computer security and I am searching for a thesis topic. I
am a new member of OWASP, so I am aware that our organization offers some
student projects. I have checked the guideline:
http://www.owasp.org/index.php/OWASP_student_projects
"web application security metrics" is a *thesis level* project but I'd
like to avoid it, at least for now, because it is *too abstract*. About the
remaining projects, it seems that the requirements stop at the level of doing
a literature survey (sorry, this is just my subjective remark). My preferred
work is to write software for penetration testing. For example, it could
be a tool to prevent DoS attacks caused by a flood of XmlRequests in AJAX. I
will comb the pool of posted topics again, especially the ones about Web
2.0, to see if I missed something that has not been done before. To
accelerate my process, I'd be grateful if you could drop me some hints about
ideas at the *thesis level* that one of your working groups wants to exploit.
I am willing to join such a working group to do my thesis and never my
big work, as I can invest up to 8 months in it.
Please feel free to circulate my mail in our community if it can help to
speed up the process. Well, I need to report progress to my supervisor by
the end of this month.
Thank you very much for your help.
------------
Best regards,
Dinh Van Vu (Van)
IMM Department-Denmark Technical University
Mobile nr.:  (+45)40783319



-- 
Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org