The Owasp Orizon Project
Paolo Perego, [email protected]
Project Leader
Overview
• Project started in 2006
• Another open-source alternative in source code static analysis
• Not only a tool but a static analysis framework
• Completely rewritten in the last 9 months
• Web exposure boosted after Owasp AppSec NYC’08 last September
Objectives
• Provide a set of APIs that anyone can use in a source code static analysis tool
• Provide a set of security checks to be applied to source code
• Knowledge is open here, so only open-sourced security checks will be included
• Best-of-breed best practices
o Owasp Code Review Guide
o Cigital Java Security Rulepack (http://www.cigital.com/securitypack/view/index.html)
o Custom written security checks
• Language independent
• Use XML as a meta-language to describe source code
• Apply security checks to the XML representation of the code
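The design sketched above (translate source code into an XML meta-language, then run language-independent checks over that XML) can be illustrated with a small example. This is added illustration code, not Orizon's own API or XML schema: the XML layout, the `CMD-EXEC-TAINTED` check id and the Java snippet it represents are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed XML rendering of this small Java snippet, in a hypothetical
# schema that is NOT Orizon's own meta-language:
#   String cmd = request.getParameter("cmd");
#   Runtime.getRuntime().exec(cmd);        // argument comes from the request
#   Runtime.getRuntime().exec("ls -l");    // constant argument
SAMPLE_XML = """<unit language="java" file="Example.java">
  <method name="run">
    <assign line="10">
      <variable name="cmd" type="String"/>
      <call target="request" name="getParameter"><arg><literal>cmd</literal></arg></call>
    </assign>
    <call line="11" target="Runtime.getRuntime()" name="exec"><arg><variable name="cmd"/></arg></call>
    <call line="12" target="Runtime.getRuntime()" name="exec"><arg><literal>ls -l</literal></arg></call>
  </method>
</unit>"""

# A check is a query over the meta-language tree rather than over Java syntax,
# so the same check applies to any language a front-end can translate to XML.
CHECKS = [
    # constructed check id; the query selects the sink, the check then inspects its arguments
    {"id": "CMD-EXEC-TAINTED", "sink_xpath": ".//call[@name='exec']"},
]

def tainted_variables(root):
    """Names of variables assigned directly from request.getParameter()."""
    names = set()
    for assign in root.iter("assign"):
        var = assign.find("variable")
        source = assign.find("call[@name='getParameter']")
        if var is not None and source is not None:
            names.add(var.get("name"))
    return names

def run_checks(xml_text, checks=CHECKS):
    """Return (check id, line, variable) for each sink call fed by a tainted variable."""
    root = ET.fromstring(xml_text)
    tainted = tainted_variables(root)
    findings = []
    for check in checks:
        for call in root.findall(check["sink_xpath"]):
            for var in call.findall("arg/variable"):
                if var.get("name") in tainted:
                    findings.append((check["id"], int(call.get("line")), var.get("name")))
    return findings

if __name__ == "__main__":
    print(run_checks(SAMPLE_XML))
```

Only the call on line 11 is reported: the call on line 12 passes a literal, so the same sink query yields no finding there.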
Status and Future Steps
• Project reached version 1.0
• Now the real fun is going to start
• Usable
o To perform basic code reviews
o To build security tools
• Fancy
o Very basic GUI
o Mac OS X standalone application
• Near future (end 2008): version 1.2
• Security library to be consolidated with more checks
• GUI improvement
• Mid-term future (2Q 2009): version 1.4
• Integration with:
o Code Crawler (Alessio Marziali)
o O2 (Dinis Cruz)
• Java Bytecode security code review
Closing
• 2009, the turning away year
• Library will be almost complete
• Standalone application will be released for Win32 and Unix too
• A network of great security related tools
o O2
o Code Crawler
• Marketing
• Blog (http://orizon.sf.net/blog)
• Twitter usage (check OWASPOrizon user)
• AppSecs (Poland ‘09, …)
• Recruiting developers
• Thanks
• For the criticisms
• For the support
• For believing
http://orizon.sourceforge.net
[email protected]