[Owasp-board] Swingset Redux

Paulo Coimbra paulo.coimbra at owasp.org
Fri Jul 2 15:37:29 UTC 2010


Hello Cathal,

 

I’ve created the http://www.owasp.org/index.php/Projects/ESAPI_Swingset
‘Project About’ wiki page and placed it here
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Swingset
and here http://www.owasp.org/index.php/ESAPI_Swingset#tab=Project_About.

 

Please check it out and let me know if you find any problems or mistakes. 

 

Feel free to add any additional information to the project’s wiki page or to
request assistance with editing it.

 

As your project reaches a point that you'd like OWASP to assist in its
promotion, the GPC will need the following to help spread the word about
your project:


 * Project Flyer/Pamphlet (PDF file):
http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/

 

 * Conference style presentation describing the project in at least 3 slides:
http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/

 

As work on your project progresses and you are ready to assess the current
release, please let the GPC know of the change in status.  

 

The GPC can work with you to get your project assessed and moved up the
OWASP quality ladder from Alpha to Beta to Stable.  Not every release
requires an assessment - feel free to email the GPC if you are unsure about
your project's requirements.  For examples of projects at various quality
levels, please see the OWASP Project page
http://www.owasp.org/index.php/Category:OWASP_Project. 



To conclude, please let me know whether or not you want to use an OWASP
email address. If yes, I will set it up for you.


That is all for now - I wish you and your project great success.  Thank you
for supporting OWASP's mission.

Should you have any questions or require any further information, please do
not hesitate to contact me. 

Many thanks, best regards,

 

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Cathal.P.Courtney at aib.ie [mailto:Cathal.P.Courtney at aib.ie] 
Sent: Wednesday, 30 June 2010 09:37
To: Paulo Coimbra
Cc: fabio.e.cerullo at aib.ie
Subject: RE: Swingset Redux

 

Hi Paulo

 

Please find attached information on our thoughts for the project roadmap. 

 

If you have any questions please let me know. 

 

Thanks,

Cathal

-----"Paulo Coimbra" <paulo.coimbra at owasp.org> wrote: -----

To: <Cathal.P.Courtney at aib.ie>
From: "Paulo Coimbra" <paulo.coimbra at owasp.org>
Date: 06/25/2010 01:31PM
cc: "'Global Projects Committee'"
<global-projects-committee at lists.owasp.org>
Subject: RE: Swingset Redux

Hello Cathal, 

  

Thank you! The GPC is being carbon copied. 

  

Best regards, 

  

Paulo Coimbra, 

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager 

  

From: Cathal.P.Courtney at aib.ie [mailto:Cathal.P.Courtney at aib.ie] 
Sent: Friday, 25 June 2010 10:43 
To: Paulo Coimbra 
Subject: RE: Swingset Redux 

  

Hi Paulo 

  

Thanks for that, I'll start work on the project roadmap. I should have
something for you early next week. 

  

I tried to cc the projects-committee list but I'm not subscribed to the list
and the mail got bounced back. If you want to forward on my mail to the list
please feel free. 

  

Cathal 

-----"Paulo Coimbra" <paulo.coimbra at owasp.org> wrote: ----- 

To: <Cathal.P.Courtney at aib.ie> 
From: "Paulo Coimbra" <paulo.coimbra at owasp.org> 
Date: 06/24/2010 05:41PM 
cc: <fabio.e.cerullo at aib.ie>, "'Jeff Williams'" <jeff.williams at owasp.org>,
<dave.wichers at owasp.org>, "'Global Projects Committee'"
<global-projects-committee at lists.owasp.org> 
Subject: RE: Swingset Redux 

Hello Cathal, 

  

Thank you for getting back to us. Everything you said makes all the sense to
me, although I am not a specialist. I am sure that if our Projects
Committee’s members have anything to clarify or to propose to you, they will
contact you as soon as possible. 

  

Meanwhile, I will be waiting for the data I have asked for. As soon as I get
it, I will re-set the project page for you. 

  

Many thanks, best regards, 

  

Paulo Coimbra, 

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager 

  

From: Cathal.P.Courtney at aib.ie [mailto:Cathal.P.Courtney at aib.ie] 
Sent: Thursday, 24 June 2010 15:00 
To: Paulo Coimbra 
Cc: fabio.e.cerullo at aib.ie; Cathal.P.Courtney at aib.ie; 'Jeff Williams';
dave.wichers at owasp.org; 'Global Projects Committee' 
Subject: RE: Swingset Redux 

  

Hi Jeff, Paulo 

  

I have uploaded a customised version of the Swingset application to Google
Code (installation instructions are on the project home page) 

  

http://code.google.com/p/swingset-demo/   

  

Just regarding taking leadership of the project, I think it might be good to
get your feedback on what we have done before we take this on. We are
building on the existing project and your vision of where this should go
might differ from ours. 

  

The major change we made was the inclusion of labs where users get a chance
to get their hands dirty with ESAPI. In the labs users are presented with
common security vulnerabilities and use ESAPI to resolve the issues. We
tried to cover as many of the OWASP Top 10 as possible and changed the
grouping of the chapters to map to ASVS verification requirements. 

  

We were conscious of overlap with WebGoat but felt that where WebGoat
demonstrates vulnerabilities and gives people an understanding of them, it
doesn't really go into the coding techniques used to protect against the
vulnerabilities. We felt the inclusion of labs in SwingSet would provide an
opportunity for developers to learn how to protect applications against
these vulnerabilities and also demonstrate the different aspects of the
ESAPI library. 

  

If you have any problems with the app let us know. Looking forward to
hearing your feedback. 

  

Thanks, 

  

Cathal 

  


  

-----"Paulo Coimbra" <paulo.coimbra at owasp.org> wrote: ----- 

To: <fabio.e.cerullo at aib.ie> 
From: "Paulo Coimbra" <paulo.coimbra at owasp.org> 
Date: 06/22/2010 04:48PM 
cc: <Cathal.P.Courtney at aib.ie>, "'Jeff Williams'" <jeff.williams at owasp.org>,
<dave.wichers at owasp.org>, "'Global Projects Committee'"
<global-projects-committee at lists.owasp.org> 
Subject: RE: Swingset Redux 

Hello Fabio, 

First of all, thank you for volunteering to lead an OWASP Project.  It is
with volunteers like yourself that OWASP continues to succeed in making
application security visible. 

Second, regarding your new leadership of this project, I'd like to request
that you send a project roadmap - basically the high level details of where
you'd like to take the project.  The OWASP Global Projects Committee (GPC)
will look at the roadmap and provide feedback on your project:  suggesting
projects which are closely related, resources and contacts which may assist
your efforts and any other suggestions to increase your project's success. 

  

To get your project started, here are a couple of references for your
review: 

 - The Guidelines for OWASP Projects provide a quick overview of items key
to a project's success -
http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects , 


 - OWASP's Assessment Criteria is the metric by which projects are
evaluated.  There are three categories for projects: Alpha, Beta, and
Release.  The Assessment Criteria allows project leaders to know what
aspects of projects OWASP values -
http://www.owasp.org/index.php/Category:OWASP_Project_Assessment , 

  

 - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/ , 


Your project will have an OWASP wiki page to inform and promote your project
to the OWASP community.  To setup your project's page, please provide the
details below so that the GPC can establish your initial project page.  The
details provided will be used to complete OWASP's project template.  Feel
free to add any additional information to wiki page or request assistance
about how to add to your projects wiki page. 

Details to create your project page: 
(0) Project Name, 

(1) Project purpose / overview, 
(2) Project Roadmap (as mentioned above), 
(3) Project links (if any) to external sites, 
(4) Project License (
http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects#Project_Licensing ), 
(5) Project Leader name, 

(6) Project Leader email address, 
(7) Project Leader wiki account - the username (you'll need this to edit the
wiki), 
(8) Project Maintainer (if any)  - name, email and wiki account (if any), 
(9) Project Contributor(s) (if any) - name email and wiki account (if any), 

As your project reaches a point that you'd like OWASP to assist in its
promotion, the GPC will need the following to help spread the word about
your project: 

 * Conference style presentation describing the project in at least 3 slides -
http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/ 


 * Project Flyer/Pamphlet (PDF file) -
http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/ 


As work on your project progresses and you are ready to create a release,
please let the GPC know of the change in status.  The GPC can work with you
to get your project assessed and moved up the OWASP quality ladder from
Alpha to Beta to Stable.  Not every release requires an assessment -
feel free to email the GPC if you are unsure about your project's
requirements.  For examples of projects at various quality levels, please
see the OWASP Project page -
http://www.owasp.org/index.php/Category:OWASP_Project 

That is all for now - I wish you and your project great success.  Thank you
for supporting OWASP's mission. 

Should you have any questions or require any further information, please do
not hesitate to contact me. 

Many thanks, best regards, 

  

Paulo Coimbra, 

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager 

  

  

From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Tuesday, 22 June 2010 16:10 
To: fabio.e.cerullo at aib.ie; dave.wichers at owasp.org; 'Paulo Coimbra' 
Cc: Cathal.P.Courtney at aib.ie 
Subject: RE: Swingset Redux 

  

Hi Fabio, 

  

Thank you and Cathal so much. This is very exciting. Ideally, I’d like to
set this up as a separate repository at GoogleCode.  We should also set up a
wiki page on the OWASP wiki and link it into the main page on ESAPI as well.
For distribution, we can simply upload a zip file to the OWASP wiki for now.
Perhaps later when the Google Code repository is set up we can serve it
right from there.   If you need help on any of this, please just let me
know. 

  

So for now, could we start a wiki page at OWASP and upload the zip file and
instructions there?  Then I can download and test. 

  

Thank you! 

  

--Jeff 

  

Jeff Williams, Chair 

The OWASP Foundation 

work: 410-707-1487 

main: 301-604-4882 

  

From: fabio.e.cerullo at aib.ie [mailto:fabio.e.cerullo at aib.ie] 
Sent: Tuesday, June 22, 2010 10:22 AM 
To: jeff.williams at owasp.org; dave.wichers at owasp.org 
Cc: Cathal.P.Courtney at aib.ie 
Subject: Swingset Redux 

  


Jeff/Dave, 

As promised, Cathal & myself have been working on a 'customized' version of
Swingset which not only allows you to see how application vulnerabilities
could be remediated by implementing ESAPI, but also enables users to play
with the code and fix these vulnerabilities themselves. 

For each lesson we have included: 

- Introduction 
- Exercise 
- Solution 

There is also an installation guide to set up Eclipse, Swingset & ESAPI so
everything works together. 

Could you please let me know a code repository where we could copy this for
your review? 

Thank you, 

Fabio Cerullo 
Divisional Information Security 
Bankcentre D1, 
Ballsbridge, 
Dublin 4, 
Ireland. 

Tel: +353 1 772 6309 
Email: fabio.e.cerullo at aib.ie 


****************************************************** 
This document is strictly confidential and is intended for use by the
addressee unless otherwise indicated. 
  
This email has been scanned by an external email security system. 
  
Allied Irish Banks 
  
AIB and AIB Group are registered business names of Allied Irish Banks p.l.c.
Allied Irish Banks, p.l.c. is regulated by the Financial Regulator.
Registered Office: Bankcentre, Ballsbridge, Dublin 4. Tel: + 353 1 6600311;
Registered in Ireland: Registered No. 24173 
  
Please consider the environment before printing this e-mail. 
****************************************************** 