[Owasp-leaders] Automated Code Review in a distribuited environment

Alessio Marziali alessio.marziali at cyphersec.com
Mon Mar 30 19:07:34 EDT 2009


Hi Venki,

 

0.       Not really the case, Code Crawler is all based upon the Code Review
project.

1.       Yes, Code Crawler is 100% configurable in almost every part of it.
It's all based in an xml file.

2.        Manual Editing. XML File. Easy to implement UI.

3.       Should it be?

 

Many Thanks.


Regards,

 

Alessio Marziali

 

 

From: Venkatesh Jagannathan [mailto:venki at owasp.org] 
Sent: 30 March 2009 13:09
To: owasp-leaders at lists.owasp.org; alessio.marziali at cyphersec.com
Subject: Re: [Owasp-leaders] Automated Code Review in a distribuited
environment

 

Hi Alessio Maziali,

    This is indeed a good start as we all know that commerical products for
code scanners are quite expensive for small to medium companies. To address
that part, this is indeed a welcome initiative. I would like to know the
following:

 

0. Does this code scanner cover only OWASP top ten issues?

1. Is the code coverage completely configurable to address any vulnerability
in code scanning?

2. How is the rules engine configrable? I mean, do we have any specific
screen where we can configure this or is it a manual edit in a configurable
file?

3. Does it address and compliance related scanning as well, e.g., SOX, PCI
etc.

 

In short, I would like to know more details with reference to this.

 

Thanks & Regards,

~Venki

On Sat, Mar 28, 2009 at 1:39 AM, Alessio Marziali
<alessio.marziali at cyphersec.com> wrote:

All,

 

I'm writing you all to inform that today a prototype of a potential OWASP
project successfully ran in one of my company's server.

 

The architecture of this application has been designed to be multi thread.
Controlled by one central unit (server) a bunch of thread fires calling a
remote server. This server "slave" connects to the development servers
where it grabs a copy of the latest day build.

 

+magic starts here+ 

 

Using code crawler's engine a list of files which includes every file
located in a specific location (configurable) will be reviewed. 

 

The application will read only files with specific extensions. Which means
that it will ignore images/flash files/ or every file it has been asked to
ignore).

 

The control unit is a very rudimental web application which act as front
end. The front end works in combination with a SQL Server database as
backend. This is where results are stored. Using code crawler reporting
engine, the application is able to generate reports in different formats.

 

The entire system can run in "service/on demand" mode. Which means that it
can be scheduled to run when you leave your office and to be ready for
tomorrow with a cup of coffee in your hands. J

 

The code is on  its very early stages. Loads of Exceptions as it's supposed
to be a prototype.

 

It could be a very exciting project.  Could require a lot of efforts to get
it done.


Before asking for any help (volunteers\sponsorship) I'm here to ask if you
think that this project could be of any good for OWASP.

 

Flame, Suggestions, Questions are very welcome.

 

Best,

 

Alessio Marziali

OWASP Code Crawler Project Leader

 

alessio.marziali at cyphersec.com

www.cyphersec.com <http://www.cyphersec.com/> 

http://www.linkedin.com/in/alessiomarziali


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090331/5ea9eaa0/attachment-0001.html 


More information about the OWASP-Leaders mailing list