[Owasp-leaders] This is how we have to show security vulnerabilities to developers (in real time as they are created)
billchu at uncc.edu
Fri Jun 22 13:03:10 UTC 2012
We have been working on OWASP ASIDE (Application security IDE plug-in) since 2008 with a similar vision. Details can be found at https://www.owasp.org/index.php/OWASP_ASIDE_Project. The interactive code annotation part is really cool, we found CSRF vulnerabilities in Apache Roller and helped them fix them.
From: owasp-leaders-bounces at lists.owasp.org [owasp-leaders-bounces at lists.owasp.org] on behalf of Dinis Cruz [dinis.cruz at owasp.org]
Sent: Thursday, June 21, 2012 3:03 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] This is how we have to show security vulnerabilities to developers (in real time as they are created)
I posted a PoC today that represents my vision for O2 and what I have been trying to do for the past 5 years.
You can see the video at Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds) <http://diniscruz.blogspot.co.uk/2012/06/real-time-vulnerability-creation.html>, where every time the user makes a change to the code there is an auto-compilation (using Roslyn's C# compiler, <http://msdn.microsoft.com/roslyn>) and a SAST scan (using Cat.NET, <http://www.reddit.com/r/CatNet/>).
What I like the most about this is that I now get to think about 'the best workflow to present developers the security guidance they need'.
Although this PoC is quite aggressive (I do a compilation and scan on every keystroke which is a bit OTT), here is another video that shows a bigger compilation+scan on save: Real-Time C# Solution Compilation and Security Scanning (using Roslyn and Cat.NET) <http://diniscruz.blogspot.co.uk/2012/06/real-time-c-solution-compilation-and.html>
What do you think?
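The compile-then-scan loop described in the message above, reduced to a runnable sketch. This is an added example and is not code from O2, ASIDE, Roslyn or Cat.NET; it uses Python's own parser as the "compile" step and a deliberately small, flow-insensitive taint check as the "SAST" step, so that the green/red verdict can be replayed over a constructed sequence of edits. The source and sink names (`input`, `get_request_param`, `execute`, `system`, `eval`) and the sample edit history are assumptions made for the example.

```python
"""Toy 'compile on every change, then scan, then colour the editor' loop.

Added illustration, not code from O2, ASIDE, Roslyn or Cat.NET. The source and
sink names below are assumed for the example; a real engine would take them
from a rule set and track flows across methods and files.
"""
import ast
from dataclasses import dataclass

# Hypothetical functions that return untrusted data (the taint sources).
TAINT_SOURCES = {"input", "get_request_param"}
# Hypothetical dangerous calls, mapped to the index of the argument that must
# not be built from tainted data. Parameters passed separately to execute()
# are bound by the driver, so only the query string (argument 0) is a sink.
TAINT_SINKS = {"execute": 0, "system": 0, "eval": 0}


@dataclass
class Finding:
    line: int
    sink: str


def _call_name(node):
    """Return the callee name of a Call node (foo() or obj.foo()), else None."""
    if isinstance(node, ast.Call):
        f = node.func
        if isinstance(f, ast.Name):
            return f.id
        if isinstance(f, ast.Attribute):
            return f.attr
    return None


def _is_tainted(expr, tainted):
    """An expression is tainted if any sub-expression names a tainted variable
    or calls a taint source (string concatenation, f-strings and % all count)."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if _call_name(sub) in TAINT_SOURCES:
            return True
    return False


class TaintVisitor(ast.NodeVisitor):
    """Walks statements in source order, propagating taint through assignments."""

    def __init__(self):
        self.tainted = set()
        self.findings = []

    def visit_Assign(self, node):
        self.visit(node.value)  # a sink may be called on the right-hand side
        is_tainted = _is_tainted(node.value, self.tainted)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if is_tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data

    def visit_Call(self, node):
        name = _call_name(node)
        if name in TAINT_SINKS:
            idx = TAINT_SINKS[name]
            if idx < len(node.args) and _is_tainted(node.args[idx], self.tainted):
                self.findings.append(Finding(node.lineno, name))
        self.generic_visit(node)


def scan(source: str):
    """'Compile' (parse) the buffer, then run the toy taint scan over it.
    Raises SyntaxError when the buffer does not parse."""
    tree = ast.parse(source)
    visitor = TaintVisitor()
    visitor.visit(tree)
    return visitor.findings


def feedback(source: str) -> str:
    """The editor colour for one buffer state: red, green, or a compile error."""
    try:
        findings = scan(source)
    except SyntaxError as err:
        return f"compile-error: line {err.lineno}"
    return "red" if findings else "green"


def replay_edits(states):
    """Re-run compile+scan after every edit, as the per-keystroke PoC does."""
    return [feedback(state) for state in states]


# Constructed edit history: a developer typing a query, first unsafely, then
# switching to a parameterised call, then leaving a bracket unclosed.
EDIT_HISTORY = [
    "user = input('name: ')\n",
    "user = input('name: ')\n"
    "query = \"SELECT * FROM t WHERE n='\" + user + \"'\"\n",
    "user = input('name: ')\n"
    "query = \"SELECT * FROM t WHERE n='\" + user + \"'\"\n"
    "cursor.execute(query)\n",
    "user = input('name: ')\n"
    "cursor.execute('SELECT * FROM t WHERE n=?', (user,))\n",
    "user = input('name: '\n",
]

if __name__ == "__main__":
    for state, colour in zip(EDIT_HISTORY, replay_edits(EDIT_HISTORY)):
        print(f"{colour:>22} | {state.strip().splitlines()[-1]}")
```

The interesting design choice is the sink table: flagging every argument of `execute` would turn the parameterised rewrite red as well, which is exactly the kind of false positive that makes developers switch real-time feedback off, so only the query-string argument is treated as the sink.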