[Owasp-leaders] Automated Code Review in a distributed environment

Venkatesh Jagannathan venki at owasp.org
Mon Mar 30 08:08:45 EDT 2009


Hi Alessio Maziali,
    This is indeed a good start, as we all know that commercial products for
code scanners are quite expensive for small to medium companies. To address
that part, this is indeed a welcome initiative. I would like to know the
following:

0. Does this code scanner cover only OWASP top ten issues?
1. Is the code coverage completely configurable to address any vulnerability
in code scanning?
2. How is the rules engine configurable? I mean, do we have any specific
screen where we can configure this, or is it a manual edit in a configuration
file?
3. Does it address any compliance-related scanning as well, e.g., SOX, PCI,
etc.?

In short, I would like to know more details with reference to this.

Thanks & Regards,
~Venki

On Sat, Mar 28, 2009 at 1:39 AM, Alessio Marziali <
alessio.marziali at cyphersec.com> wrote:

> All,
>
> I’m writing to inform you all that today a prototype of a potential OWASP
> project successfully ran on one of my company’s servers.
>
> The architecture of this application has been designed to be multi-threaded.
> Controlled by one central unit (server), a bunch of threads fire, calling a
> remote server. This “slave” server connects to the development servers,
> where it grabs a copy of the latest daily build.
>
> +magic starts here+
>
> Using Code Crawler’s engine, a list of files which includes every file
> located in a specific location (configurable) will be reviewed.
>
> The application will read only files with specific extensions, which means
> that it will ignore images, Flash files, or any file it has been asked to
> ignore.
>
> The control unit is a very rudimentary web application which acts as front
> end. The front end works in combination with a SQL Server database as
> backend. This is where results are stored. Using Code Crawler’s reporting
> engine, the application is able to generate reports in different formats.
>
> The entire system can run in “service/on demand” mode, which means that it
> can be scheduled to run when you leave your office and to be ready for
> tomorrow with a cup of coffee in your hands. :-)
>
> The code is in its very early stages. Loads of exceptions, as it’s supposed
> to be a prototype.
>
> It could be a very exciting project. It could require a lot of effort to get
> it done.
>
> Before asking for any help (volunteers/sponsorship) I’m here to ask if you
> think that this project could be of any good for OWASP.
>
> Flames, suggestions and questions are very welcome.
>
> Best,
>
> Alessio Marziali
>
> OWASP Code Crawler Project Leader
>
> alessio.marziali at cyphersec.com
>
> www.cyphersec.com
>
> http://www.linkedin.com/in/alessiomarziali
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
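The quoted message describes a scanner that walks a configurable location, reviews only files with specific extensions, applies a rules engine and stores results for reporting; Venki's questions ask how those rules are configured. The following is an added example, not Code Crawler's own code, that shows the minimal shape of such a pipeline in Python: rules are plain data (the hypothetical `DEFAULT_RULES` list, which a real tool would load from a config file or front end), the extension allow-list and ignored directories are parameters, and findings are returned as objects that a reporting layer can serialise. The sample "daily build" it scans is constructed inline so the script runs offline; the rule patterns are illustrative and intentionally simple.

```python
"""Minimal configurable source scanner (added illustration, not OWASP Code
Crawler's code): walk a tree, filter by extension, apply regex rules, report."""
import json
import os
import re
import tempfile
from dataclasses import dataclass, asdict

# Hypothetical rule set. In a real tool this would live in a configuration
# file or be edited from the front end, which is what a "configurable rules
# engine" means in practice: rules are data, not code.
DEFAULT_RULES = [
    {"id": "SQLI-001", "severity": "high",
     "description": "SQL statement built by string concatenation",
     "pattern": r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+'},
    {"id": "SECRET-001", "severity": "medium",
     "description": "Hard-coded password literal",
     "pattern": r'(?i)password\s*=\s*"[^"]+"'},
]

# Only review source files; images, Flash, binaries and build output are skipped.
DEFAULT_EXTENSIONS = {".cs", ".aspx", ".vb", ".java", ".php", ".js"}
DEFAULT_IGNORE_DIRS = ("bin", "obj", ".git")


@dataclass
class Finding:
    rule_id: str
    severity: str
    path: str      # relative to the scan root, so reports are portable
    line: int
    snippet: str


def compile_rules(rules):
    """Turn the rule data into compiled regexes once per scan."""
    return [(r["id"], r["severity"], re.compile(r["pattern"])) for r in rules]


def list_files(root, extensions=DEFAULT_EXTENSIONS, ignore_dirs=DEFAULT_IGNORE_DIRS):
    """Walk the configurable location and yield only reviewable files."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ignore_dirs]  # prune in place
        for name in filenames:
            if os.path.splitext(name)[1].lower() in extensions:
                yield os.path.join(dirpath, name)


def scan_file(path, compiled, root):
    """Apply every rule to every line of one file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, text in enumerate(fh, start=1):
            for rule_id, severity, rx in compiled:
                if rx.search(text):
                    findings.append(Finding(rule_id, severity,
                                            os.path.relpath(path, root),
                                            lineno, text.strip()))
    return findings


def scan_tree(root, rules=DEFAULT_RULES, extensions=DEFAULT_EXTENSIONS):
    """Scan a whole build directory; returns findings in deterministic order."""
    compiled = compile_rules(rules)
    results = []
    for path in sorted(list_files(root, extensions)):
        results.extend(scan_file(path, compiled, root))
    return results


def report_json(findings):
    """One of several possible report formats; JSON is easy to store or convert."""
    return json.dumps([asdict(f) for f in findings], indent=2)


def build_sample_tree():
    """Constructed sample 'daily build' so the scanner can run offline."""
    root = tempfile.mkdtemp(prefix="build_")
    os.makedirs(os.path.join(root, "bin"))
    samples = {
        "Login.aspx.cs": 'string q = "SELECT * FROM Users WHERE Name=\'" + name + "\'";\n'
                         'string password = "s3cret";\n',
        "Util.cs": 'int Add(int a, int b) { return a + b; }\n',
        "logo.png": "not source\n",                        # wrong extension, skipped
        os.path.join("bin", "Gen.cs"): 'string password = "ignored";\n',  # ignored dir
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(report_json(scan_tree(build_sample_tree())))
```

Running the script scans the constructed tree and reports two findings, both in `Login.aspx.cs`; `logo.png` is never opened and `bin/Gen.cs` is pruned before it is read, which is the behaviour the message describes for ignored files. Swapping `DEFAULT_RULES` for a list loaded from a file is all that is needed to make the rule set editable without touching code.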