[Owasp-board] Fortify's Java Open Review Project and Sponsoring an OWASP Spring of Code Project

Fredrick DeQuan Lee flee at fortifysoftware.com
Fri Mar 30 19:57:11 UTC 2007


We had no particular external individual in mind to work on the  
metrics project. The metrics project seems like a good topic for an  
OWASP intern or grad student.

With regards to scanning OWASP projects, all of the Java OWASP  
projects are not only welcome, but encouraged to get added to our  
project. I know that both JBroFuzz and Webgoat are already in our  
routine scan list. One of our goals is to actually encourage and help  
open source developers to fix the issues that we find. Partnering  
with OWASP would at least make it easier to get OWASP projects fixed.


On Mar 30, 2007, at 12:47 PM, Dinis Cruz wrote:

> That idea does sound interesting, do you have anybody in mind to do  
> that project (which we could sponsor)
>
> I haven't seen a SpoC 007 on that subject (https://www.owasp.org/ 
> index.php/OWASP_Spring_Of_Code_2007_Applications) but it would  
> definitely be an strong application
>
> Stephen or Bob, any comments on this? (Stephen is on the Java  
> Project and Bob Austin is on the Metrics)
>
> I also wanted to explore the option to scan OWASP projects using  
> your tool/free service, what are our options?
>
> Dinis Cruz
> Chief OWASP Evangelist
> http://www.owasp.org
>
> On 3/29/07, Fredrick DeQuan Lee <flee at fortifysoftware.com> wrote:
> Dinis,
> I just read the latest OWASP news letter and saw  the call for  
> OWASP Spring of Code participation. As you know, Fortify Software  
> produces software security and quality analysis tools. Fortify  
> recently launched a public project, the Java Open Review Project  
> ( http://opensource.fortifysoftware.com), to examine Java open  
> source projects for security and quality defects. The project  
> retrieves open source projects, performs static analysis using  
> FindBugs and Fortify Source Code Analysis, and presents the results  
> for online analysis for auditors and project owners. Fortify is  
> currently seeking participation from those wishing to: submit  
> projects, review security defects, help fix open source security  
> defects, or supply general feedback.
> I noticed that two of your Spring of Code project ideas listed  
> would benefit from the information available at the JOR project  
> site. Specifically, the Java Project and the AppSec Metrics project  
> both could make use from the data collected in the JOR project  
> site. Of particular interest to me would be having an OWASP Spring  
> of Code participant process JOR data to use in the AppSec Metrics  
> -- project. Fortify should be able to contribute additional funding  
> for such an effort. Do you think there would be interest in such a  
> project?
>
>
> More details about the JOR Project can be found at: http:// 
> opensource.fortifysoftware.com
> I hope to hear from you soon!
>
>
>
> Fredrick DeQuan Lee
> Fortify Software
> Security Research Group
> (w) 650-213-5677
>
>
>
>
>
>
>
>

Fredrick DeQuan Lee
Fortify Software
Security Research Group
(w) 650-213-5677



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20070330/a9604a48/attachment-0002.html>


More information about the Owasp-board mailing list