[Owasp-board] Project proposal: ORPRO (Open Review Project)]

dinis cruz dinis.cruz at owasp.org
Wed Jun 4 12:34:54 UTC 2008


Hi Mario
Your project is indeed a very important one and one I really would like to
see happening.

There are a lot of good things that will come out of this (securer
applications, knowledge, training materials, etc..) and once we have a full
working model we should be able to get some funding to support specific
engagements.

For example we have put as a requirement that for an OWASP project to
achieve 'release quality' it must pass a security scan
(https://www.owasp.org/index.php/Category:OWASP_Project_Assessment) with Fortify
Software's open source review <http://opensource.fortifysoftware.com/welcome.html> (if
appropriate) and FindBugs <http://findbugs.sourceforge.net/>. In the future
this should be changed to include a 'human' analysis component just like the
one you are proposing on your project.

To start with, why don't you use the following applications as a target
(these have been chosen by the OWASP community as their most useful Open
Source tools that they use and we (OWASP) will be granting them 1000 USD as
a 'thank you' token):

1) Nmap
2) ModSecurity
3) Firebug (Firefox plug-in)
4) FindBugs
5) Burp Proxy
6) Nikto
7) Httrack
8) TamperData (Firefox plug-in)
9) ACEGI
10) Web Developer (Firefox plug-in)

Also please have a look at the other OWASP projects and see how much of what
is already in there you can use/reuse:
https://www.owasp.org/index.php/Category:OWASP_Project

Welcome onboard

Dinis Cruz

On Wed, Jun 4, 2008 at 12:59 PM, Paulo Coimbra <paulo.coimbra at owasp.org>
wrote:

>  Dear de Boer,
>
> First of all, please accept my apologies for such a long delay in answering
> your questions.
>
> Secondly, I thank you for supporting OWASP.
>
> Next, your proposal has of course been accepted – be very welcomed!
>
> Assuming that you have accepted the Owasp open source license
> <https://www.owasp.org/index.php/OWASP_Licenses#Contributor_License_Agreements>,
> I have set up a project page for you. You can see it here
> <https://www.owasp.org/index.php/Category:OWASP_Open_Review_Project>.
> Please feel free to change it as you find best.
>
> I also created a mailing list for your project. The address is
> open-review-project at lists.owasp.org and the provisory password is
> mariodeboertochange.
>
> As a result, you are now able to use this email list
> owasp-leaders at lists.owasp.org to contact all of the most active OWASP
> members. I suggest contacting them to discuss your project and to find
> hypothetical contributors.
>
> However, I've already discussed your project with Dinis Cruz (
> dinis.cruz at owasp.org) - he is one of the five OWASP Board Members - and he
> would like, at first, to have a word with you. I can advance that he is as
> well very pleased with your initiative.
>
> To conclude, once again, it will be a pleasure to have you among us.
> Please, don't hesitate to get back to me whenever you think that I can
> help.
>
> Many thanks, best regards,
>
> Paulo Coimbra
>
> OWASP Project Manager
>
> Join us at OWASP NYC AppSec 2008 Conference
> <https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference>
>
>
>  -----Original Message-----
> From: Mario de Boer [mailto:njama at xs4all.nl]
> Sent: 02 June 2008 09:05
> To: owasp at owasp.org; paulo.coimbra at owasp.org
> Subject: Project proposal: ORPRO (Open Review Project)]
>
> Dear OWASP,
>
> I sent attached mail a week ago. As I didn't receive a response, I am
> trying again.
>
> With kind regards,
>
> Mario
>
> ---------------------------- Original Message ----------------------------
> Subject: Project proposal: ORPRO (Open Review Project)
> From:    "Mario de Boer" <njama at xs4all.nl>
> Date:    Sat, May 24, 2008 22:48
> To:      owasp at owasp.org
>          paulo.coimbra at owasp.org
> --------------------------------------------------------------------------
>
> Dear OWASP,
>
> I have been reviewing popular open source common libraries and apps (zlib,
> truecrypt, etc). We all have many 10's or 100's of these on our machines,
> in our routers, in our web servers, etc. The quality is sometimes
> appalling, and as a consequence I am worried about the security. What, for
> example, if there were an exploitable bug in zlib? Patch Windows in 200
> places, Cisco routers, etc etc. But how many people understand the source
> of zlib, and take the effort to check, write it down, and make the results
> available to everyone?
>
> So, it seemed a good idea to start the Open Review PROject (ORPRO).
>
> Opposed to other initiatives, the idea is:
> 1. Independent review, not led by development project, but by software
> security professionals
> 2. Centrally managed
> 3. Leading to independent statement what is reviewed, why it is reviewed,
> why it is considered secure, and in the end some assurance that the
> software is free from security bugs.
> 4. Not afraid of digging into hard algorithms (compression, crypto, etc)
>
> Key is openness, responsible disclosure, without leaking vulns to each and
> everyone.
>
> I heard Mark Roxberry's talk on his .NET initiatives at Appsec Belgium. It
> seems he is thinking along the same line on this. Why not combine the
> review approaches in ORPRO, irrespective of the language?
>
> I am experienced in project management, enthusiastic, and a vivid public
> speaker. I have a PhD in math, reverse engineered professionally for many
> years, was cryptographic researcher, performed pentesting, taught secure
> development training and reverse engineering, etc. Currently I am security
> consultant, mainly in governance and compliance at multinationals. In my
> spare time I analyze code.
>
> Please let me know what you think of my proposal. I think many
> organizations would be extremely glad that OWASP openly checks open source
> libraries and software that are vital to most commercial and noncommercial
> apps around.
>
> With kind regards,
>
> Mario de Boer, PhD, CISSP, CISA
>