[Owasp-codereview] [Owasp-leaders] Automated Code Review in a distributed environment

Eoin eoin.keary at owasp.org
Mon Mar 30 08:47:55 EDT 2009


Hi,
May I answer some of this, as Alessio used the OWASP Code Review Guide to
model the tests on.

 0. Does this code scanner cover only OWASP top ten issues?

*Tool covers most common issues in Java, .Net, C/C++ (PHP to do). OWASP Top
10 is just a list of common issues. You shall find identical issues in other
lists. *

3. Does it address any compliance related scanning as well, e.g., SOX, PCI
etc.

*What does this mean? *
*How does any scanner know if code being scanned affects an organisation's
financial bottom line?*
*How does any scanner know if the code is used for credit card processing or
is involved in PCI?*
*Secure code is secure code, no? Does it matter if it is PCI or Sox or OWASP
Top 10 "Compliant". *


2009/3/30 Venkatesh Jagannathan <venki at owasp.org>

> Hi Alessio Marziali,
>     This is indeed a good start as we all know that commercial products for
> code scanners are quite expensive for small to medium companies. To address
> that part, this is indeed a welcome initiative. I would like to know the
> following:
>
> 0. Does this code scanner cover only OWASP top ten issues?
> 1. Is the code coverage completely configurable to address any
> vulnerability in code scanning?
> 2. How is the rules engine configurable? I mean, do we have any specific
> screen where we can configure this, or is it a manual edit in a configuration
> file?
> 3. Does it address any compliance related scanning as well, e.g., SOX, PCI
> etc.
>
> In short, I would like to know more details with reference to this.
>
> Thanks & Regards,
> ~Venki
>
>   On Sat, Mar 28, 2009 at 1:39 AM, Alessio Marziali <
> alessio.marziali at cyphersec.com> wrote:
>
>> All,
>>
>> I’m writing to you all to inform you that today a prototype of a potential OWASP
>> project successfully ran on one of my company’s servers.
>>
>> The architecture of this application has been designed to be multi-threaded.
>> Controlled by one central unit (server), a bunch of threads fire, calling a
>> remote server. This “slave” server connects to the development servers
>> where it grabs a copy of the latest day’s build.
>>
>> +magic starts here+
>>
>> Using code crawler’s engine, a list of files which includes every file
>> located in a specific location (configurable) will be reviewed.
>>
>> The application will read only files with specific extensions, which means
>> that it will ignore images/flash files/ or every file it has been asked to
>> ignore.
>>
>> The control unit is a very rudimentary web application which acts as front
>> end. The front end works in combination with a SQL Server database as
>> backend. This is where results are stored. Using code crawler’s reporting
>> engine, the application is able to generate reports in different formats.
>>
>> The entire system can run in “service/on demand” mode, which means that it
>> can be scheduled to run when you leave your office and to be ready for
>> tomorrow with a cup of coffee in your hands. :)
>>
>> The code is in its very early stages. Loads of exceptions, as it’s
>> supposed to be a prototype.
>>
>> It could be a very exciting project. It could require a lot of effort to
>> get it done.
>>
>> Before asking for any help (volunteers\sponsorship) I’m here to ask if you
>> think that this project could be of any good for OWASP.
>>
>> Flames, suggestions, questions are very welcome.
>>
>> Best,
>>
>> Alessio Marziali
>>
>> OWASP Code Crawler Project Leader
>>
>> alessio.marziali at cyphersec.com
>>
>> www.cyphersec.com
>>
>> http://www.linkedin.com/in/alessiomarziali
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>


-- 
Eoin Keary CISSP CISA
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

Quis custodiet ipsos custodes
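The crawler architecture Alessio describes above (a control unit that fans work out to threads, an extension filter that skips images/flash and anything on an ignore list, a rule set applied to each file, and results collected for storage and reporting), plus Venki's question about how the rules are configured, as an added example in Python. This is not the Code Crawler project's own code and says nothing about its real rule format or .NET implementation; the rules, file names and file contents are constructed for the example, and the patterns are review prompts for a human reviewer, not proof of a vulnerability.

```python
"""
Added example (not Code Crawler's own code): a minimal multi-threaded source
crawler. A control function walks a configurable location, keeps only files
with reviewable extensions, skips an ignore list, fans the files out to worker
threads, applies a configurable rule set, and returns findings shaped for a
results table. All rules, file names and file contents are constructed.
"""
import re
import tempfile
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, asdict
from pathlib import Path

# Configurable rule set (a hypothetical format): each rule is keyed to one or
# more extensions. Editing this list is the "rules engine" configuration.
RULES = [
    {"id": "JAVA-EXEC", "ext": {".java"}, "severity": "high",
     "pattern": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
     "description": "OS command execution; review how the command string is built"},
    {"id": "JAVA-SQL-CONCAT", "ext": {".java"}, "severity": "high",
     "pattern": re.compile(r"(executeQuery|executeUpdate|execute)\(\s*\"[^\"]*\"\s*\+"),
     "description": "SQL built by string concatenation; prefer PreparedStatement"},
    {"id": "C-UNSAFE-COPY", "ext": {".c", ".cpp", ".h"}, "severity": "medium",
     "pattern": re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\("),
     "description": "Unbounded string function; check destination size"},
    {"id": "NET-RAW-OUTPUT", "ext": {".cs", ".aspx"}, "severity": "medium",
     "pattern": re.compile(r"Response\.Write\(\s*Request\b"),
     "description": "Request data echoed to the response; review output encoding"},
]

REVIEWABLE_EXTENSIONS = {ext for rule in RULES for ext in rule["ext"]}
IGNORED_EXTENSIONS = {".png", ".jpg", ".gif", ".swf"}  # images / flash files


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    snippet: str
    description: str


def should_review(path: Path) -> bool:
    """Extension filter: only reviewable files, never anything on the ignore list."""
    ext = path.suffix.lower()
    return ext in REVIEWABLE_EXTENSIONS and ext not in IGNORED_EXTENSIONS


def review_file(path: Path, rules=RULES):
    """Run every rule that applies to this file's extension, line by line."""
    ext = path.suffix.lower()
    applicable = [r for r in rules if ext in r["ext"]]
    findings = []
    with path.open("r", encoding="utf-8", errors="replace") as handle:
        for number, text in enumerate(handle, start=1):
            for rule in applicable:
                if rule["pattern"].search(text):
                    findings.append(Finding(rule["id"], rule["severity"], str(path),
                                            number, text.strip(), rule["description"]))
    return findings


def crawl(root: Path, workers: int = 4):
    """Control unit: build the file list, fan out to worker threads, collect results."""
    targets = [p for p in root.rglob("*") if p.is_file() and should_review(p)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        findings = [f for group in pool.map(review_file, targets) for f in group]
    # Stable order so reports and database rows are reproducible run to run.
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule_id))


def report(findings):
    """Simplest report format: one dict per finding, ready for a results table."""
    return [asdict(f) for f in findings]


def build_sample_tree(root: Path) -> None:
    """Constructed 'latest build' with a few files; not a real project."""
    (root / "src").mkdir(parents=True)
    (root / "src" / "Users.java").write_text(
        'stmt.executeQuery("SELECT * FROM users WHERE name=\'" + name + "\'");\n'
        'Runtime.getRuntime().exec(cmd);\n', encoding="utf-8")
    (root / "src" / "buf.c").write_text(
        "char dst[16];\nstrcpy(dst, src);\nsnprintf(dst, sizeof dst, \"%s\", src);\n",
        encoding="utf-8")
    (root / "src" / "logo.png").write_bytes(b"\x89PNG not source")      # ignored
    (root / "src" / "README.txt").write_text("strcpy( in prose only\n")  # not reviewable


def demo():
    """Build the constructed tree in a temp dir, crawl it, return the report rows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return report(crawl(root))


if __name__ == "__main__":
    for row in demo():
        print(f"{row['severity']:6} {row['rule_id']:16} {row['path']}:{row['line']}  {row['snippet']}")
```

Each finding is a flat record (rule id, severity, path, line, snippet, description), which is the natural row shape for the SQL Server backend the prototype stores results in; the `snprintf` line in the constructed `buf.c` is deliberately left unflagged to show that the C rule is anchored on whole identifiers rather than substrings.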