[Owasp-leaders] [Owasp-codereview] Automated Code Review in a distributed environment

Jeff Williams jeff.williams at owasp.org
Mon Mar 30 14:35:43 EDT 2009


The Top 10 is really not specific enough to be a reasonable benchmark for
any tool.  There is no tool in existence that can search everything covered
by the T10, and probably never will be.  It would be much more interesting
to see which of the issues specified in the OWASP ASVS
(http://www.owasp.org/index.php/ASVS) are addressed.  And more than that, it
would be useful to know whether the tool claims to be able to completely
verify the ASVS requirement, or if it is only partial.

--Jeff

From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Monday, March 30, 2009 8:48 AM
To: owasp-leaders at lists.owasp.org; Owasp-codereview at lists.owasp.org
Cc: alessio.marziali at cyphersec.com
Subject: Re: [Owasp-codereview] [Owasp-leaders] Automated Code Review in a
distributed environment

Hi,

May I answer some of this as Alessio used the OWASP code review guide to
model the tests on.

0. Does this code scanner cover only OWASP top ten issues?

Tool covers most common issues in Java, .Net, C/C++ (PHP to do). OWASP Top
10 is just a list of common issues. You shall find identical issues in other
lists.

3. Does it address any compliance related scanning as well, e.g., SOX, PCI
etc.

What does this mean?

How does any scanner know if code being scanned affects an organisation's
financial bottom line?

How does any scanner know if the code is used for credit card processing or
is involved in PCI?

Secure code is secure code, no? Does it matter if it is PCI or Sox or OWASP
Top 10 "Compliant"?

2009/3/30 Venkatesh Jagannathan <venki at owasp.org>

Hi Alessio Marziali,

    This is indeed a good start as we all know that commercial products for
code scanners are quite expensive for small to medium companies. To address
that part, this is indeed a welcome initiative. I would like to know the
following:

0. Does this code scanner cover only OWASP top ten issues?

1. Is the code coverage completely configurable to address any vulnerability
in code scanning?

2. How is the rules engine configurable? I mean, do we have any specific
screen where we can configure this or is it a manual edit in a configurable
file?

3. Does it address any compliance related scanning as well, e.g., SOX, PCI
etc.

In short, I would like to know more details with reference to this.

Thanks & Regards,

~Venki

On Sat, Mar 28, 2009 at 1:39 AM, Alessio Marziali
<alessio.marziali at cyphersec.com> wrote:

All,

I'm writing you all to inform that today a prototype of a potential OWASP
project successfully ran on one of my company's servers.

The architecture of this application has been designed to be multi-threaded.
Controlled by one central unit (server), a bunch of threads fire, calling a
remote server. This "slave" server connects to the development servers
where it grabs a copy of the latest day's build.

+magic starts here+

Using Code Crawler's engine, a list of files, which includes every file
located in a specific (configurable) location, will be reviewed.

The application will read only files with specific extensions, which means
that it will ignore images, flash files, or any file it has been asked to
ignore.

The control unit is a very rudimentary web application which acts as the front
end. The front end works in combination with a SQL Server database as
backend. This is where results are stored. Using Code Crawler's reporting
engine, the application is able to generate reports in different formats.

The entire system can run in "service/on demand" mode, which means that it
can be scheduled to run when you leave your office and to be ready for
tomorrow with a cup of coffee in your hands. :-)

The code is in its very early stages. Loads of exceptions, as it's supposed
to be a prototype.

It could be a very exciting project.  Could require a lot of effort to get
it done.


Before asking for any help (volunteers/sponsorship) I'm here to ask if you
think that this project could be of any good for OWASP.

Flame, Suggestions, Questions are very welcome.

Best,

Alessio Marziali

OWASP Code Crawler Project Leader

alessio.marziali at cyphersec.com

www.cyphersec.com <http://www.cyphersec.com/>

http://www.linkedin.com/in/alessiomarziali

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
Eoin Keary CISSP CISA
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

Quis custodiet ipsos custodes
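The slave stage Alessio describes above (crawl a configurable location, read only files with the configured extensions, skip anything on the ignore list, run the rules over each file and store every hit as a result row), as an added Python example; this is not Code Crawler's code, and the rule set, the default extension list, the build id and the result-row layout are assumptions made for the example.

```python
import os
import re
import tempfile

# Constructed review-hotspot rules (rule_id, severity, pattern, note): assumptions
# for this example, not Code Crawler's own rule set.
RULES = [
    ("CMD-001", "high", re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
     "OS command execution: verify the arguments are not attacker-controlled"),
    ("SQL-001", "medium", re.compile(r"\.execute(Query|Update)\("),
     "SQL executed: confirm the statement is parameterised"),
]

def crawl(root, extensions, ignore_names):
    """Walk ROOT, yielding files with an allowed extension and a non-ignored name."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in ignore_names and os.path.splitext(name)[1].lower() in extensions:
                yield os.path.join(dirpath, name)

def scan_file(path, build_id, rules=RULES):
    """Apply every rule to every line; each hit is one result row for the database."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, text in enumerate(fh, start=1):
            for rule_id, severity, pattern, note in rules:
                if pattern.search(text):
                    findings.append({"build_id": build_id, "path": path, "line": lineno,
                                     "rule_id": rule_id, "severity": severity, "note": note})
    return findings

def run_scan(root, build_id, extensions=(".java", ".cs", ".c", ".cpp"), ignore_names=()):
    """The slave's job for one build: crawl the tree and collect every finding."""
    results = []
    for path in crawl(root, set(extensions), set(ignore_names)):
        results.extend(scan_file(path, build_id))
    return results

def demo():
    """Constructed sample build: a Java file with two hotspots, an image and a generated file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "Main.java"), "w") as fh:
        fh.write('class Main {\n  void run(String c) throws Exception {\n'
                 '    Runtime.getRuntime().exec(c);\n'
                 '    stmt.executeQuery("SELECT 1");\n  }\n}\n')
    open(os.path.join(root, "logo.png"), "wb").close()            # dropped by extension
    with open(os.path.join(root, "src", "Generated.java"), "w") as fh:
        fh.write('Runtime.getRuntime().exec("x");\n')              # dropped by name
    return run_scan(root, "build-2009-03-28", ignore_names={"Generated.java"})
```

Each dict returned by `run_scan` maps directly onto one row of a results table, so the front end only needs an INSERT per finding and a report query per build.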
