[Owasp-board] Project proposal: ORPRO (Open Review Project)]

Paulo Coimbra paulo.coimbra at owasp.org
Wed Jun 4 11:59:57 UTC 2008

Dear de Boer,


First of all, please accept my apologies for such a long delay in answering
your questions.


Secondly, I thank you for supporting OWASP. 


Next, your proposal has of course been accepted - be very welcome!


Assuming that you have accepted the OWASP open source license, I have set up
a project page for you. You can see it here
<https://www.owasp.org/index.php/Category:OWASP_Open_Review_Project>.
Please feel free to change it as you find best.


I also created a mailing list for your project. The address is
open-review-project at lists.owasp.org and the provisory password is


As a result, you are now able to use this email list
owasp-leaders at lists.owasp.org to contact all of the most active OWASP
members. I suggest contacting them to discuss your project and to find
hypothetical contributors.


However, I've already discussed your project with Dinis Cruz
(dinis.cruz at owasp.org) - he is one of the five OWASP Board Members - and he
would like, at first, to have a word with you. I can advance that he is as
well very pleased with your initiative.


To conclude, once again, it will be a pleasure to have you among us. Please
don't hesitate to get back to me whenever you think that I can help.


Many thanks, best regards,



Paulo Coimbra

OWASP Project Manager

Join us at OWASP
<https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference>  NYC
AppSec 2008 Conference


 -----Original Message-----
From: Mario de Boer [mailto:njama at xs4all.nl] 
Sent: 02 June 2008 09:05
To: owasp at owasp.org; paulo.coimbra at owasp.org
Subject: Project proposal: ORPRO (Open Review Project)]




I sent the attached mail a week ago. As I didn't receive a response, I am
trying again.


With kind regards,



---------------------------- Original Message ----------------------------
Subject: Project proposal: ORPRO (Open Review Project)
From:    "Mario de Boer" <njama at xs4all.nl>
Date:    Sat, May 24, 2008 22:48
To:      owasp at owasp.org
         paulo.coimbra at owasp.org





I have been reviewing popular open source common libraries and apps (zlib,
truecrypt, etc). We all have many 10's or 100's of these on our machines,
in our routers, in our web servers, etc. The quality is sometimes
appalling, and as a consequence I am worried about the security. What, for
example, if there were an exploitable bug in zlib? Patch Windows in 200
places, Cisco routers, etc etc. But how many people understand the source
of zlib, and take the effort to check, write it down, and make the results
available to everyone?


So, it seemed a good idea to start the Open Review PROject (ORPRO).


Opposed to other initiatives, the idea is:

1. Independent review, not led by the development project, but by software
   security professionals
2. Centrally managed
3. Leading to an independent statement of what is reviewed, why it is
   reviewed, why it is considered secure, and in the end some assurance that
   the software is free from security bugs.
4. Not afraid of digging into hard algorithms (compression, crypto, etc)


Key is openness, responsible disclosure, without leaking vulns to each and



I heard Mark Roxberry's talk on his .NET initiatives at Appsec Belgium. It
seems he is thinking along the same line on this. Why not combine the
review approaches in ORPRO, irrespective of the language?


I am experienced in project management, enthusiastic, and a vivid public
speaker. I have a PhD in math, reverse engineered professionally for many
years, was a cryptographic researcher, performed pentesting, taught secure
development training and reverse engineering, etc. Currently I am a security
consultant, mainly in governance and compliance at multinationals. In my
spare time I analyze code.


Please let me know what you think of my proposal. I think many
organizations would be extremely glad that OWASP openly checks open source
libraries and software that are vital to most commercial and noncommercial
apps around.


With kind regards,


Mario de Boer, PhD, CISSP, CISA


