[Owasp-board] software (webapp) secure development project

Dinis Cruz dinis at ddplus.net
Fri Jan 26 18:12:28 UTC 2007


For reference we will soon be starting the applications for the OWASP SpoC
(Summer of Code), which will be in a format similar to the OWASP AoC (Autumn of
Code):

   - http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006
   - http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Applications
   - http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Selection

And although the sponsorship value is not very high (5,000 USD or 2,500
USD) it might help to fund some time to be spent on this project.

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org



On 1/26/07, Caruana Albert J at OPM <albert.j.caruana at gov.mt> wrote:
>
> Ernest
>
> It sounds like it is but I cannot judge. In any case, whether this gets
> FP7 funding or not, I think that at University of Malta, Universidad
> Luiz Llull, NIST CSRC, Fraunhofer IESE and OWASP level, with
> co-operation with WASC, there is enough contribution to get useful
> output from such a project. This is all extracurricular for me so I
> cannot be the person to run it, unfortunately!
> EU JRC would be the natural choice but they are undergoing a change of
> management in the IPSC
>
> The only question which needs to be solved is who leads the project and
> co-ordinates it.
> I am still trying to get all people around a table, here or elsewhere,
> failing that a phone conference.
>
> regards
> Albert
>
> Tel     +356 22 00 11 04
> Cel/SMS +356 99 29 33 81
> Fax     +356 22 00 14 92
>
> The opinions expressed in this message are solely those of the author
> and do
> not reflect an official position of the Government of Malta.
> This message may contain sensitive information and is intended solely
> for the
> individual named. If you are not the intended recipient you should not
> disseminate, distribute or copy the contents of this e-mail. If you have
> received this message by mistake, please notify the sender immediately
> and
> permanently destroy both the message and its contents.
> In the absence of qualified digital signatures and encrypted
> transmission, the
> security, reliability of delivery and integrity of this e-mail
> transmission
> cannot be guaranteed, as information could be modified in transit or may
> contain viruses. The sender, therefore, does not in any way accept any
> liability that may arise through this message.
> +++++++++++++++++++++++++++++++
>
> |-----Original Message-----
> |From: Ernest Cachia [mailto:ernest.cachia at um.edu.mt]
> |Sent: 25 January 2007 17:00
> |To: Caruana Albert J at OPM
> |Cc: Dinis Cruz; pete at isecom.org; Jeremiah Grossman;
> |Silke.Steinbach-Nordmann at iese.fraunhofer.de; Flask Eric at
> |MCST; Marcelo.MASERA at ec.europa.eu; kuhn at nist.gov
> |Subject: Re:
> |
> |Albert, et al.
> |An area within which one of my students is currently working
> |is "Automatic Generation of Test Cases using Equivalence
> |Partitioning".
> |Could this be of use to our collective efforts? The results he
> |seems to be achieving so far are very promising.
> |
> |Regards,
> |Ernest.
> |
> |Caruana Albert J at OPM wrote:
> |> I am trying to find funding for a kick-off meeting to identify
> |> a) a project champion who will be able to get all the
> |project details
> |> worked out in time and with the wording suitable for e.g. an
> |FP7 call,
> |> (budget, work program etc...)
> |> b) a technical leader or leadership team
> |>
> |> regards
> |> Albert
> |>
> |>
> |>
> |> ------------------------------------------------------------------------
> |>
> |> Subject:
> |> Re: extracurricular (for me) are your interested?
> |> From:
> |> "Dinis Cruz" <dinis at ddplus.net>
> |> Date:
> |> Wed, 24 Jan 2007 11:38:21 +0100
> |> To:
> |> "Caruana Albert J at OPM" <albert.j.caruana at gov.mt>
> |>
> |> CC:
> |> "Ernest Cachia" <ernest.cachia at um.edu.mt>, <pete at isecom.org>,
> |> "Jeremiah Grossman" <jeremiah at whitehatsec.com>,
> |> <Silke.Steinbach-Nordmann at iese.fraunhofer.de>, "Flask Eric at MCST"
> |> <eric.flask at gov.mt>, <Marcelo.MASERA at ec.europa.eu>, <kuhn at nist.gov>,
> |> <owasp-leaders at lists.owasp.org>
> |>
> |>
> |> Hi Albert
> |>
> |> This does sound like a project that OWASP can collaborate on
> |and add value to.
> |>
> |> We already have quite a large body of material in our
> |website <http://www.owasp.org>  and several OWASP projects
> |<http://www.owasp.org/index.php/Category:OWASP_Project>  that
> |are trying to address the issues raised (note that not all
> |projects are in a complete 'mature' state):
> |>
> |>
> |> *    OWASP Top Ten Project
> |<http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project>
> |  "The OWASP Top Ten provides a powerful awareness document
> |for web application security. The OWASP Top Ten represents a
> |broad consensus about what the most critical web application
> |security flaws are. Project members include a variety of
> |security experts from around the world who have shared their
> |expertise to produce this list"
> |> *    OWASP Guide Project
> |<http://www.owasp.org/index.php/Category:OWASP_Guide_Project>
> |"The Guide is aimed at architects, developers, consultants and
> |auditors and is a comprehensive manual for designing,
> |developing and deploying secure web applications."
> |> *    OWASP AppSec FAQ Project
> |<http://www.owasp.org/index.php/Category:OWASP_AppSec_FAQ_Project>
> |"This FAQ answers some of the questions that developers
> |have about Web Application Security. This FAQ is not specific
> |to a particular platform or language. It addresses the common
> |threats to web applications and is applicable to any platform."
> |> *    OWASP Testing Guide
> |<http://www.owasp.org/index.php/Category:OWASP_Testing_Project>
> |  "This project's goal is to create a "best practices"
> |penetration testing framework which users can implement in
> |their own organizations and a "low level" penetration testing
> |guide that describes how to find certain issues."
> |> *    OWASP CLASP Project
> |<http://www.owasp.org/index.php/Category:OWASP_CLASP_Project>
> | "CLASP (Comprehensive, Lightweight Application Security
> |Process) provides a well-organized and structured approach for
> |moving security concerns into the early stages of the software
> |development lifecycle, whenever possible."
> |> *    OWASP Honeycomb Project
> |<http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project>
> |"In the Honeycomb project, OWASP is assembling the most
> |comprehensive and integrated guide ever attempted to the
> |fundamental building blocks of application security
> |(principles, threats, attacks, vulnerabilities, and
> |countermeasures) through collaborative community efforts."
> |> *    OWASP Application Security Assessment Standards Project
> |<http://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project>
> |"Currently there is a lack
> |of standardization over what constitutes an application
> |security assessment. With no single set of criteria being
> |referenced, it is suggested that OWASP establish a set of
> |standards defining and establishing a baseline approach to
> |conducting differing types/levels of application security
> |assessment. The standards should be flexible in design to
> |accommodate a range of security assurance levels. The
> |standards should not be viewed as placing requirements on any
> |party. Rather, the standards should make recommendations about
> |what should be done to be consistent with what the OWASP
> |community believes is best practice. Adhering to the standards
> |should help increase end user organization confidence that
> |assessments meet an industry agreed-upon approach."
> |> *    OWASP Application Security Metrics Project
> |<http://www.owasp.org/index.php/Category:OWASP_Application_Security_Metrics_Project>
> |"This OWASP Project will first identify
> |and provide the OWASP community a set of application security
> |metrics that have been found by contributors to be effective
> |in measuring application security. This will be followed by
> |the development of new metrics that build on the initial
> |metrics foundation to fulfill unmet metrics requirements. The
> |goals of this Project are to make a baseline set of
> |application security metrics available to the OWASP community
> |and subsequently to provide a forum for the community to
> |contribute metrics back into the baseline."
> |> *    OWASP WASS Guide
> |<http://www.owasp.org/index.php/Category:OWASP_WASS_Project>
> |"The WASS, or Web Application Security Standards project, aims
> |at creating a proposed set of minimum requirements a web
> |application must exhibit if it is to be considered "secure".
> |There currently exists a similar set of standard requirements
> |focused at the network level in the Cardholder Information"
> |>
> |>
> |> I guess my next question is: What are the next steps?
> |>
> |> Also what are your thoughts on how this project is going to
> |be organized?
> |>
> |> Best regards
> |>
> |> Dinis Cruz
> |> Chief OWASP Evangelist
> |> http://www.owasp.org
> |>
> |>
> |> On 1/24/07, Caruana Albert J at OPM <albert.j.caruana at gov.mt> wrote:
> |>
> |>      Friends
> |>
> |>      I am settling back to normal routine after 10 days away.
> |>
> |>      I shall contact the FP7 folks this week and get back to
> |all to determine a path forward with the project idea.
> |>
> |>      I had contact with Rick Kuhn of NIST who is working on
> |testing (reduction) methodology. I have not contacted him in
> |this context.
> |>
> |>      I am therefore copying this email to him to see the
> |potential for co-operation in the area of reliability
> |improvement for (webappsec) software and improvement of the
> |development process using testing in a feedback manner to
> |identify sources of error and unreliability and develop
> |software and systems with a wide "operating window" - i.e. a
> |high fault tolerance.
> |>
> |>      regards
> |>      Albert
> |>
> |>      Tel     +356 22 00 11 04
> |>      Cel/SMS +356 99 29 33 81
> |>      Fax     +356 22 00 14 92
> |>
> |>      The opinions expressed in this message are solely those
> |of the author and do
> |>      not reflect an official position of the Government of Malta.
> |>      This message may contain sensitive information and is
> |intended solely for the
> |>      individual named. If you are not the intended recipient
> |you should not
> |>      disseminate, distribute or copy the contents of this
> |e-mail. If you have
> |>      received this message by mistake, please notify the
> |sender immediately and
> |>      permanently destroy both the message and its contents.
> |>      In the absence of qualified digital signatures and
> |encrypted transmission, the
> |>      security, reliability of delivery and integrity of this
> |e-mail transmission
> |>      cannot be guaranteed, as information could be modified
> |in transit or may
> |>      contain viruses. The sender, therefore, does not in any
> |way accept any
> |>      liability that may arise through this message.
> |>      +++++++++++++++++++++++++++++++
> |>
> |>
> |>      |(this was the letter sent to Marcelo Masera ISPRA JRC)
> |>      |
> |>      |       to get system development moving towards the
> |state of the art of the
> |>      |manufacturing industry - around 1985 - when people
> |started counting the
> |>      |cost of rework and of scrap and decided to embrace
> |Product quality
> |>      |management, Total quality management and Six-sigma in
> |succession to
> |>      |reduce the sources of error.
> |>      |
> |>      |Below a project concept for your information and,
> |while I have some
> |>      |expression of interest from Fraunhofer IESE already, I
> |would like to
> |>      |ask whether your team would contribute.
> |>      |
> |>      |I am in fact thinking of circulating a form of the attached as
> |>      |invitation and would like to ask whether we could meet
> |e.g. in ISPRA to
> |>      |formulate a more solid FP7 project proposal on this
> |basis with some of
> |>      |the interested or potentially interested parties -
> |OWASP, WASC and
> |>      |OASIS members, your own contacts - around the EU.
> |>      |
> |>      |Funding even of a kick-off meeting could be a problem
> |so any ideas you
> |>      |could give me would be more than welcome.
> |>      |
> |>      |While the project aims at the exploding area of web
> |services, what is
> |>      |learnt there can in my opinion then be fed back into
> |other forms of
> |>      |application development systems down to embedded
> |systems using weird
> |>      |dialects of common OS, layered and programming
> |language products.
> |>      |
> |>      |The conceptual model of the project would be:
> |>      |
> |>      |Work product 1: generate common terminology accepted worldwide
> |>      |
> |>      |review already available resources for the (relatively
> |few) web
> |>      |application vulnerabilities with the aim of generating
> |a usable common
> |>      |reference work analogous to or integrated in the
> |Mitre.org CVE database
> |>      |for infrastructure vulnerabilities.
> |>      |(Various attempts OVAL, AVDL etc...)
> |>      |
> |>      |Work Product 2 - select targets
> |>      |-      review lists of available widely used products for
> |>      |generating web applications for the purpose of
> |creating a shortlist of
> |>      |most popular tools (to reduce the number of variables
> |in the software
> |>      |engineering process).
> |>      |
> |>      |
> |>      |Work Product 3: review the major reputable toolkits
> |for generating web
> |>      |applications for percent first-pass, first-quality
> |product in practice
> |>      |(e.g. when used by a novice team at university, by a
> |standard software
> |>      |house, by a high end software house team)
> |>      |       - choose toolkits as being widely used
> |>      |       - establish a test harness to evaluate them,
> |building on current
> |>      |published work comparing various semi-automated
> |webappsec test tools
> |>      |       - carry out tests on known "benchmarks" - e.g.
> |Hacme websites provided
> |>      |by foundstone, Webgoat etc...
> |>      |
> |>      |Work product 4 - what is the cause of faults in web services?
> |>      |
> |>      |       - correlate vulnerability names described in
> |WP1 with sources of error
> |>      |in commonly used tools
> |>      |
> |>      |Work product 5 - how can you avoid errors?
> |>      |
> |>      |       - in specification (obtaining user requirements
> |and performance
> |>      |criteria)
> |>      |       - in drafting the model
> |>      |       - in building the first pilot
> |>      |       - in minimising changes to the first pilot
> |>      |       - in refining the pilot (scale up/load testing)
> |>      |       - in user testing and acceptance
> |>
> |> ==========================================================================
> |>      THE ANSWERS FROM ISPRA AND BARCELONA:
> |>      |-----Original Message-----
> |>      |From: Pete Herzog [mailto:pete at isecom.org]
> |>      |Sent: 14 December 2006 16:40
> |>      |To: Marcelo.MASERA at ec.europa.eu
> |>      |Cc: Caruana Albert J at OPM; jgw at mind-ing.com
> |>      |Subject: Re: extracurricular (for me) are your interested?
> |>      |
> |>      |Hi,
> |>      |
> |>      |I think the project is sound.  If you are looking to
> |work with ISECOM
> |>      |to make this a project we could provide the
> |collaboration space and
> |>      |help you find volunteers.
> |>      |
> |>      |None of our projects work with outside funding so all
> |efforts are
> |>      |volunteer based and the momentum of the project always
> |depends on the
> |>      |dedication of the project leader.
> |>      |
> |>      |Let me know how you want to work with us precisely and
> |we can help you
> |>      |build this project up.
> |>      |
> |>      |Sincerely,
> |>      |-pete.
> |>      |
> |>      |--
> |>      |Pete Herzog - Managing Director - pete at isecom.org
> |ISECOM - Institute
> |>      |for Security and Open Methodologies www.isecom.org -
> |www.osstmm.org
> |>      |www.hackerhighschool.org - www.isestorm.org
> |>
> |>      |-------------------------------------------------------------------
> |>      |ISECOM is the OSSTMM Professional Security Tester
> |(OPST), OSSTMM
> |>      |Professional Security Analyst (OPSA), and Hacker
> |Highschool Teacher
> |>      |certification authority.
> |>      |
> |>      |Marcelo.MASERA at ec.europa.eu wrote:
> |>      |> Thanks Albert,
> |>      |>
> |>      |> The old web site is still there due to the fact that the
> |>      |Framework Programme is ending, and so it is easier to
> |wait for Jan 1st
> |>      |and FP7...
> |>      |>
> |>      |> I'm in contact with ETH, and know some people from ex-ACIP.
> |>      |> And we have some examples (electric power and telecom) that
> |>      |can serve as pilot.
> |>      |>
> |>      |> I don't think to be in Berlin for the e-gov conference.
> |>      |>
> |>      |> Buone feste,
> |>      |> Marcelo
> |>      |>
> |>      |>
> |>      |>
> |>      |> -----Original Message-----
> |>      |> From: Caruana Albert J at OPM [mailto:albert.j.caruana at gov.mt]
> |>      |> Sent: Thursday, December 14, 2006 2:08 PM
> |>      |> To: MASERA Marcelo (JRC)
> |>      |> Cc: pete at isecom.org; Joe Woods
> |>      |> Subject: RE: extracurricular (for me) are your interested?
> |>      |>
> |>      |> Marcelo
> |>      |>
> |>      |> Thanks for your reply.
> |>      |>
> |>      |> Joe Woods is working towards creating a securemed
> |entity, involving
> |>      |> pilot solutions for CIIP in the Med, with Ispra and
> |Angera being at
> |>      |> the cisalpine border of the area.
> |>      |> He is copied on this.
> |>      |> He is working with members of the ACIP project.
> |>      |>
> |>      |> There should be scope for cooperation in that arena as I
> |>      |believe they
> |>      |> want to pilot the solutions (e.g. which your team proposes)
> |>      |on dealing
> |>      |> with incidents in systems of systems.
> |>      |>
> |>      |> Have you seen the ETH Zurich work this year on CIIP?
> |>      |> (the link from the ENISA website is not valid - I
> |can give you one
> |>      |> which
> |>      |> works.)
> |>      |>
> |>      |> On the other hand, several times this year I have
> |heard that the
> |>      |> systems, computers and embedded systems and
> |processors used e.g. in
> |>      |> manufacturing plants, aeroplanes, cars, etc.. all
> |have much higher
> |>      |> reliability and fault tolerance than that sold to the
> |>      |innocent user as
> |>      |> operating system, office, web services etc...
> |>      |>
> |>      |> Chrysler-Mercedes, General Motors were implying - if our
> |>      |systems were
> |>      |> made by (you know who) we would not be able to
> |produce a car, let
> |>      |> alone sell it.
> |>      |>
> |>      |> It is thus clear that with the required incentives, adequate
> |>      |> reliability is available.
> |>      |>
> |>      |> Hence my project - focus on web services due to
> |their having high EU
> |>      |> commission visibility [due to the drive to reduce
> |administrative
> |>      |> inefficiency by the adoption of e-government, service
> |>      |clusters etc...]
> |>      |>
> |>      |>
> |>
> |> ........................................................................
> |>
> |>      |-----Original Message-----
> |>      |From: Ernest Cachia [mailto:ernest.cachia at um.edu.mt]
> |>      |Sent: 23 January 2007 20:42
> |>      |To: pete at isecom.org
> |>      |Cc: Caruana Albert J at OPM
> |>      |Subject: Re: FW: extracurricular (for me) are your interested?
> |>      |
> |>      |Hi all.
> |>      |
> |>      |Sorry about not getting back. My team and I cannot seem to
> |>      |stretch the hours. I would reiterate what Pete says and ask in
> |>      |what framework are we to proceed. I am currently trying to fit
> |>      |myself into the upcoming FP7 but what Albert says seems
> |>      |compelling. I just don't have the first foothold in
> |this, as it were.
> |>      |
> |>      |Ernest.
> |>      |
> |>      |Pete Herzog wrote:
> |>      |> Hi,
> |>      |>
> |>      |> Sorry for the long delay.  I've been in
> |fire-fighting mode for 6
> |>      |> months straight now and I'm very sorry for the
> |delay.  I finally
> |>      |> caught my breath and now am getting through my
> |backlog of mails!
> |>      |>
> |>      |> I don't know anyone at NIST.  So how would you like
> |to proceed?
> |>      |>
> |>      |> Sincerely,
> |>      |> -pete.
> |>      |>
> |>      |
> |>      |--
> |>      |===================================================================================
> |>      |DR. ERNEST CACHIA, Senior Lecturer at the Department of
> |>      |Computer Science and A.I. of the University of Malta, Msida
> |>      |MSD06, Malta (Europe).
> |>      |Tel: +356 23-40-25-19; Fax: +356 21-32-05-39
> |>      |E-mail: ernest.cachia at um.edu.mt
> |>      |===================================================================================
> |>      |
> |>      |
> |>
> |>
> |>
> |>
> |>
> |>
> |>
> |> ------------------------------------------------------------------------
> |>
> |> Subject:
> |> Re: extracurricular (for me) are your interested?
> |> From:
> |> "Pete Herzog" <pete at isecom.org>
> |> Date:
> |> Wed, 24 Jan 2007 10:25:18 +0100
> |> To:
> |> "Caruana Albert J at OPM" <albert.j.caruana at gov.mt>
> |>
> |> CC:
> |> "Ernest Cachia" <ernest.cachia at um.edu.mt>, "Jeremiah Grossman"
> |> <jeremiah at whitehatsec.com>,
> |> <Silke.Steinbach-Nordmann at iese.fraunhofer.de>, "Dinis Cruz"
> |> <dinis at ddplus.net>, "Flask Eric at MCST" <eric.flask at gov.mt>,
> |> <Marcelo.MASERA at ec.europa.eu>, <kuhn at nist.gov>
> |>
> |>
> |> Hi,
> |>
> |> Just a note: I have worked on terminology which may help
> |this project.
> |> OSSTMM 2.2 has this terminology (osstmm.org) as well as the security
> |> metrics which need to be better applied (idiot proofing) to
> |web tests.
> |> It's a direction I'm heading in now with it.
> |>
> |> -pete.
> |>
> |>
> |
> |--
> |===================================================================================
> |DR. ERNEST CACHIA, Senior Lecturer at the
> |Department of Computer Science and A.I. of the
> |University of Malta, Msida MSD06, Malta (Europe).
> |Tel: +356 23-40-25-19; Fax: +356 21-32-05-39
> |E-mail: ernest.cachia at um.edu.mt
> |===================================================================================
> |
> |
> |
>


