[Owasp-leaders] Automated Code Review in a distribuited environment

Alessio Marziali alessio.marziali at cyphersec.com
Mon Mar 30 19:07:34 EDT 2009

Hi Venki,


0.       Not really the case, Code Crawler is all based upon the Code Review

1.       Yes, Code Crawler is 100% configurable in almost every part of it.
It's all based in an xml file.

2.        Manual Editing. XML File. Easy to implement UI.

3.       Should it be?


Many Thanks.



Alessio Marziali



From: Venkatesh Jagannathan [mailto:venki at owasp.org] 
Sent: 30 March 2009 13:09
To: owasp-leaders at lists.owasp.org; alessio.marziali at cyphersec.com
Subject: Re: [Owasp-leaders] Automated Code Review in a distribuited


Hi Alessio Maziali,

    This is indeed a good start as we all know that commerical products for
code scanners are quite expensive for small to medium companies. To address
that part, this is indeed a welcome initiative. I would like to know the


0. Does this code scanner cover only OWASP top ten issues?

1. Is the code coverage completely configurable to address any vulnerability
in code scanning?

2. How is the rules engine configrable? I mean, do we have any specific
screen where we can configure this or is it a manual edit in a configurable

3. Does it address and compliance related scanning as well, e.g., SOX, PCI


In short, I would like to know more details with reference to this.


Thanks & Regards,


On Sat, Mar 28, 2009 at 1:39 AM, Alessio Marziali
<alessio.marziali at cyphersec.com> wrote:



I'm writing you all to inform that today a prototype of a potential OWASP
project successfully ran in one of my company's server.


The architecture of this application has been designed to be multi thread.
Controlled by one central unit (server) a bunch of thread fires calling a
remote server. This server "slave" connects to the development servers
where it grabs a copy of the latest day build.


+magic starts here+ 


Using code crawler's engine a list of files which includes every file
located in a specific location (configurable) will be reviewed. 


The application will read only files with specific extensions. Which means
that it will ignore images/flash files/ or every file it has been asked to


The control unit is a very rudimental web application which act as front
end. The front end works in combination with a SQL Server database as
backend. This is where results are stored. Using code crawler reporting
engine, the application is able to generate reports in different formats.


The entire system can run in "service/on demand" mode. Which means that it
can be scheduled to run when you leave your office and to be ready for
tomorrow with a cup of coffee in your hands. J


The code is on  its very early stages. Loads of Exceptions as it's supposed
to be a prototype.


It could be a very exciting project.  Could require a lot of efforts to get
it done.

Before asking for any help (volunteers\sponsorship) I'm here to ask if you
think that this project could be of any good for OWASP.


Flame, Suggestions, Questions are very welcome.




Alessio Marziali

OWASP Code Crawler Project Leader


alessio.marziali at cyphersec.com

www.cyphersec.com <http://www.cyphersec.com/> 


OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090331/5ea9eaa0/attachment-0001.html 

More information about the OWASP-Leaders mailing list