[Owasp-board] 28,000 USD available for work on selected OWASP Projects (July 2007 Batch)
Dinis Cruz
dinis at ddplus.net
Mon Jul 2 17:01:39 UTC 2007
Hello OWASP
Now with the SpoC 007 (Spring of Code 2007) under way, I would like to
ask for proposals for OWASP projects that we have funds (28,000 USD)
specifically allocated to.
Here are the projects' titles and you can find more details at the end of
this email and on this page:
http://www.owasp.org/index.php/Funds_available_for_OWASP_Projects
- *OSG - OWASP Site Generator* - Join Boris in his development of the
new version of .NET's OSG (funds from SPI Dynamics and Cenzic
membership fees)
- *OWASP Corporate Application Security Rating Guide* - Create and
release the first version of this very important document ( funds from
Cenzic membership fees)
- *Questions for SANS* - Write 200 questions for SANS with a % of
those questions made open to the OWASP community (funds directly
allocated by SANS for this project)
- *Source Code Review OWASP Projects* - Implement a workflow where all
OWASP projects that use JAVA technology are automatically audited
for security flaws (funds directly allocated by Fortify Software for
this project)
- BlackTop project - Develop a runtime code analysis tool to be used
by Penetration Testers during client engagements (funds directly
allocated by Ounce Labs for this project).
If you are interested, email your proposal including responses to the
following items:
- Your educational and professional background
- Application security experience and accomplishments
- Participation and leadership in open communities
- The opportunity, challenges, issues or need your proposal addresses
- Milestones and objectives
- Specific activities and who will carry out these activities
- Specific deliverables and a rough project schedule so we can track
progress
- Long-term vision for the project
- Any other reasons why you and your project should be selected
The proposed project delivery time is 3 months and the payment will be made
in two 50% parts (one at the 50% mark and one at the 100% mark, i.e. project
completed).
I will also put the applicants in touch with the contacts at the sponsoring
companies so that the brief and project deliverables can be finalized.
The deadline for project submissions is July 15th.
Looking forward to your proposals,
Best regards
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
OSG - OWASP Site Generator (5k)
- *Project description:* Continue development of Site
Generator<http://www.owasp.org/index.php/OWASP_SiteGenerator>,
write new vulnerabilities, work on new dynamic engine, document findings
- *Funds available:* 5,000 USD
- *Sponsor*: SPI Dynamics, Cenzic
OWASP Corporate Application Security Rating Guide (3k)
- *Project description:* As per
https://www.owasp.org/index.php/OWASP_Corporate_Application_Security_Rating_Guide,
finalize criteria, research selected companies and publish a report with the
results
- *Funds available:* 3,000 USD
- *Sponsor*: Cenzic
Questions for SANS (5k)
- *Project description:* Write JAVA/JSP questions for SANS's Software
Security Institute certification exams (http://www.sans-ssi.org/). The
candidate will need to write 200 questions and answers and must be a
knowledgeable and respected member of the Java community. For obvious
reasons only 10% to 20% of the questions created will be disclosed to the
OWASP community, with the remainder to be used in the certification's
exams.
- Note that although this first request is for questions in
JAVA/JSP there are plans to run a similar project for C, C++,
PHP, .NET, so if you are interested in these other languages feel free to
contact us.
- *Funds available:* 5,000 USD
- *Sponsor*: SANS
Source Code Review OWASP Projects (5k)
- *Project description:* Use Fortify Software's source code scanning
engine (http://opensource.fortifysoftware.com) to scan open source
projects coded in JAVA. The objectives of this project will be:
- Develop and document a workflow for open source projects to
incorporate static analysis into the Software Development Life
Cycle (SDLC).
- Apply the above workflow as a required step for OWASP projects.
- Aid in auditing select open source projects to create a
baseline for comparing security amongst open source projects.
- *Funds available:* 5,000 USD
- *Sponsor*: Fortify Software
BlackTop - Runtime coverage analysis tool (10k)
- *Project description:* Develop and document a "blackbox" pen testing
code analysis solution capable of providing runtime coverage analysis for
applications written in Java and .NET. In order to ensure the solution does
not require access to the applications' source code, the solution should use
(for example) the AspectJ and PostSharp bytecode weaving frameworks.
- The project must produce an open source, release quality
application, including a GUI and documentation. The project
should utilize a license; either the Eclipse Public License or the
Mozilla Public License is allowable.
- The tool should provide code level details and call trace
information of all ingress and egress points of the application
and be able to identify gaps in the "blackbox" testing to facilitate
more accurate and complete pen testing. All output and configuration
should be done using an open format (such as XML) and enable command
line execution of the application.
- *Funds available:* 10,000 USD
- *Sponsor*: Ounce Labs